UNH CIS Signals

IT Security: Be Careful Out There

Petr Brym

April 1, 2008

You have heard it all before. Choose a strong password, don’t write it down where others can see it, change your password periodically, make sure no one is watching when you type your password, don’t respond to E-mails that request your password, and don’t give your password to anyone, ever. It’s a bit like someone saying to you “be careful out there” as you head out on a trip in your car.

When someone tells you to be careful, they do so because they care about you. However, there is another reason to be careful. You have a responsibility to others as well. If you are not careful, you can hurt yourself as well as others who are in your car and others on the road. The same is true for passwords.

If you do not take basic precautions to protect your password, you significantly increase the chances that someone will misuse it. When that happens, your E-mail, privacy, bank account, and countless other resources you access with passwords could be at risk. If that is not enough, think about this: your password is a key to tools and information that, by design, nobody else should be able to access. When someone else does gain access, all the assumptions about protecting those resources are violated.

So are UNH’s Acceptable Use Policy (http://usnholpm.unh.edu/USY/VI.Prop/F.htm) and USNH’s IT Security Policy (http://usnholpm.unh.edu/UNH/VI.Prop/F.htm). These policies require us all to use our computer accounts in a secure manner. This includes using strong passwords and protecting them from others.

A hacker who has guessed or obtained your password not only has a complete view into the computing environment that the password was meant to protect, but the hacker is also a step closer to capturing or changing your passwords for other computing environments you use. The hacker can also launch attacks against other computing systems, making it look like you are responsible, and that the attack is coming from your computer. Imagine logging into your computer account and then offering your keyboard to a hacker and walking away. From a hacker’s point of view, getting your password is the same thing.

A hacker who has guessed or obtained your password can place software on your computer, such as key logging software to capture other passwords and information that you type. The hacker could use your password to access information that you are obliged to protect, thereby violating Federal laws and triggering State breach reporting requirements (see http://www.gcglaw.com/resources/tech/databreach.html).

So the next time you hear someone say “be careful out there”, remember that they may be saying “protect others by protecting your password”.