Your U credentials are invaluable. Here’s how to protect them

As the University of Utah’s Information Security Office (ISO) recently reported, there’s been a sharp increase in phishing schemes and other cybersecurity attacks targeting student accounts. This has resulted in a growing number of compromised uNID accounts.

Students, faculty, and staff can take a number of steps to protect themselves against cyberattacks, such as enabling multifactor authentication for your university and other online accounts and reporting phishing attempts. First, though, U community members should ensure they follow the U’s password policies and IT security best practices.

“An attacker could do a lot of terrible things with your uNID and password, especially if you don't have two-factor authentication (2FA) enabled,” said Dustin Udy, security assessment team lead for ISO’s Enterprise Security team.

Policy 4-004: University of Utah Information Security Policy outlines the university’s password policies, specifically in Rules 4-004A: Acceptable Use and 4-004D: Access Management.

According to the guidelines, users should keep their uNIDs/usernames and passwords confidential, use unique logins and complex passwords, store them only in an approved manner, and change their passwords if they believe they’ve been compromised. Depending on your role, you may also be required to use Duo 2FA with your university accounts. Although you are required to follow these policies only for your U credentials, Udy also recommends implementing them for your personal accounts.

“Just think about what your credentials are tied to,” he said.

At the university, that includes UMail, Box, Campus Information Services (CIS), Canvas, and Ultimate Kronos Group (UKG) — resources that contain your personal, professional, or educational information. Outside the U, you likely have personal information stored in accounts with banks, email services, health care providers, retailers, social media platforms, and more.

A set of credentials is extremely valuable to a bad actor. Not only could an attacker do a lot to harm you, but that person could also use your credentials to try to harm people you know.

“Let's pretend that I compromised your university account, say through a phishing attack. Now that I have your uNID and password, I can log into CIS and send you a Duo 2FA push. If you're distracted, you may accidentally approve it,” Udy said. “Once I’m in, I can steal pieces of your information that could lead to identity theft — your name, date of birth, last four digits of your Social Security number.”

If you don’t accept the Duo2FA push because you didn’t request it, Udy said the notification indicates that your account has been compromised and you should call your respective help desk. While enabling 2FA makes an attacker’s job more difficult, users still need to stay vigilant and be alert.

Once an attacker has your credentials, they also can use them to access the university’s network, Udy said. The attacker could then gather information about the people or internal infrastructure of the university, or try to log in to other devices to gain access to more user and university data.

Udy knows it’s possible because he’s done it during IT security assessments for other Utah System of Higher Education (USHE) institutions.

Here’s how you can follow U policy and IT best practices to keep your U credentials secure.

Keep it confidential

Do not share your password or university credentials — ever. Not with your parents or guardians, your teaching assistants, your colleagues, or anyone else, even if you trust them.

When you share your credentials with others, so many variables come into play. How is your cyber hygiene? How is theirs? Even if the person you share your password with is trustworthy, Udy said, they could still fall for a phishing scheme or other cyberattack.

“If that user gets compromised, all of their credentials are stolen, and so are yours,” he said.

And if the person isn’t as trustworthy as you believe, Udy said that person could share your credentials with others or use them to delete your data, alter your account information, or do other malicious things.

“You're setting yourself up for failure. You're trusting someone with your entire identity, professionally, personally, everything. It’s a huge risk, or at least a vulnerability,” he said.

Udy also said students, faculty, and staff shouldn’t reuse their U credentials to create external or personal accounts, or share them with outside organizations.

“Let’s say a third-party company gets compromised. If you used your U email address and password for that account, the attacker could have access to your U credentials,” he said. “With your UMail address, that person could easily figure out your uNID, which would allow them to log in to CIS. And if you use your U credentials elsewhere, the attacker could gain access to those accounts, too.”

Power up your password

While policy states that you should use unique logins and complex passwords, Udy recommends a minimum of 12 characters — “the longer the better” — because shorter passwords take less time to crack.

“Your password doesn't always have to be mix of numbers, upper- and lowercase letters, symbols — something unforgettable. A passphrase can work as long as it's unique and long,” he said. “We all love Swoop, but you shouldn’t use him as your password. Find something kind of unusual or with special meaning to you so that you don't forget it.”

And don’t reuse your passwords or use variations of your passwords, he said. Make a unique password for each account or a new password every time you need to update an existing one.

“If someone gains access to enough of your passwords, they can start to infer a schema. For instance, an attacker can determine if you use the same root phrase or characters with slight changes between password updates or for specific websites, like Qwerty1 and Qwerty2, or AmazonQwerty and NetflixQwerty,” he said. “That’s why your passwords need to be random and long.”

Udy also urges everyone to use multi- or two-factor authentication wherever possible, not just for your U accounts. Students, who aren’t required to use Duo 2FA for the university accounts, are strongly encouraged to begin proactively using the service.

“It's an extra layer of security that can help alert you to a potential compromise,” he said, adding that everyone should consider the type of information that their credentials protect and choose the appropriate security measures to match. If an account contains identifiable or other sensitive information about you, Udy recommends using all available security options.

Additionally, Udy noted that if you are ever concerned about a password, you can change it. In fact, it’s a good idea to occasionally update your passwords anyway.

“I recommend updating all your passwords at least once a year,” he said. “If the account doesn’t have 2FA, I’d change it more often.”

 Store passwords safely

Passwords should be stored only in an approved manner — not written down on a piece of paper and hidden under your keyboard or somewhere on your desk, not scribbled on a whiteboard or chalkboard, not entered in an Excel spreadsheet (encrypted or not), not stored in a file in Box. None of those is a secure method, Udy said.

He also recommends that people not store passwords in web browsers. From forensics investigations, he’s learned that it’s not too complicated to access them.

“Use a reputable password manager, again with a long password or passphrase,” he said.

Udy said you can search Google for a password manager. Several products, he noted, meet most people’s needs, from desktop to mobile use.

Change (potentially) compromised passwords

Whether you’re 10 percent or 100 percent certain your password has been compromised, change it! As Udy said earlier, you can change your passwords at any time for any reason, and it’s always better to be overly cautious than do nothing and leave yourself exposed.

If you believe your university account has been compromised, don’t forget to contact the Campus Help Desk (801-581-4000, option 1) or University of Utah Health Service Desk (801-587-6000) after changing your password to report the attack. For example, you may have opened a questionable link or answered a suspicious email and divulged your login credentials, answers to your security questions, or other sensitive information.

Your account might also be compromised, Udy said, if you receive Duo 2FA prompts you did not request, notice problems with your email like missing messages or strange items in your inbox and/or outbox, or don’t receive a paycheck.

If you don't have 2FA, however, it can be difficult to tell whether your account has been compromised until the attacker does something bad because you won’t receive alerts about activity on your account, he said.

Ultimately, Udy said people need to pay attention. Even with multifactor authentication, your accounts are not invulnerable.

“2FA is one extra layer of security — it doesn’t make your accounts impenetrable, but it does make it more challenging for attackers to work around,” he said.

And good password hygiene, you can make it even more difficult for a bad actor to compromise your University of Utah accounts.