A new, campus-wide initiative launched this month through the University of Chicago’s IT Services office aims to maximize identity protection for those who use a CNetID and password to access University email and other online services or applications.
“There are people out there who want to get at the University of Chicago’s information,” said William Cai, assistant director for identity management with IT Services. “Our job is always to be one step ahead of malicious intent and those who want to steal credentials and phish for people’s accounts.”
Named “Own Your Identity,” the program includes a postcard campaign that will run from now through the fall. The postcards will inform University account users about the measures they can immediately take to tighten the security of their accounts. These new actions will help protect them from breaches that could provide access to individual email accounts, theft of financial information and intellectual property, or lead to identity theft.
Users are encouraged to opt for what’s called “2Factor Authentication,” or “2FA,” a system that requires verification from a cell phone or other external device before one’s account can be accessed. “We want to give people user-friendly tools with good security value,” said Cai.
2FA promises quick setup—two minutes or less. Those with a CNetID can sign up at http://2FA.uchicago.edu and are encouraged to choose multiple options for verification, such as a desktop phone, a cell phone or a tablet. One option lets users flag unauthorized tampering with an account, resulting in an IT Services investigation.
In addition to 2FA, IT Services is phasing in other security measures such as stronger password requirements. Soon CNetID holders will be required to change their passwords as the minimum length rises from eight characters to 12. Another pending option is the use of “passphrases,” a string of words or a short sentence that is both more intuitive to the user and more difficult for a hacker’s computer to decipher.
“If you come up with a short password that is really complex and hard to remember, it’s actually not so difficult for a computer to figure it out,” said Astrid Fingerhut, project and service coordinator with IT Services, noting that hackers often employ computers to run thousands upon thousands of password options. “With a long passphrase,” she added, “it may be very easy for you to remember but much tougher for a computer to crack.”
Additionally, Fingerhut would like to see everyone opt for yet another layer of security called Silver, which provides extra account monitoring. For example, if someone tries to guess a password repeatedly, Silver temporarily locks the account. The system also sends out annual reminders to users to change their passwords, a highly recommended preventive practice.
“Silver is just another way to authenticate yourself, and make sure it’s you gaining control of your account and not someone else,” Fingerhut said. Those wishing to become Silver Certified can see a checklist of the requirements and how many of them they already have enabled at whoami.uchicago.edu.
Taking these voluntary steps not only secures one’s account but strengthens the integrity of the University system as a whole, said Tom Barton, senior director for IT architecture, integration and security and chief information security officer.
Barton said phishing schemes are becoming more sophisticated and that suspicious emails—particularly any communication that asks for an account password—should be immediately forwarded to firstname.lastname@example.org. “Security really is about managing risk,” Barton said. “You never eliminate it, you just try to do a better job fighting it.”