One Step Ahead: Keys to the Kingdom
May 5, 2015, Volume 61, No. 33
Another tip in a series provided by the
Offices of Information Systems & Computing and Audit, Compliance & Privacy
Each year, the Verizon Data Breach Investigations Report is published in an effort to encapsulate the most important information security lessons learned from the latest 12 months of attacks and compromises. And each year, the theft and misuse of credentials is the single most important factor across all categories. As the 2015 report stated, “there’s no getting around the fact that credentials are literally the keys to the digital kingdom.”
So what should you do?
Two-Factor
First, be aware that you can now protect your PennKey with Two-Step Verification (two-factor). This service protects your PennKey by requiring both a password and a code generated on your phone: www.upenn.edu/computing/weblogin/two-step/. It is easy to set up, has little impact on your day-to-day experience, is a powerful antidote to stolen passwords, and is available now to anyone with a PennKey.
Note: Multi-factor authentication is also available on many popular commercial services (such as Facebook, Google, Twitter, etc.).
Don’t Use the Same Password Everywhere
When you use the same password on multiple sites and never change that password, a compromise of one account can quickly lead to compromise of all your accounts. Having unique passwords for every account is hard. The challenge is made easier if you think in terms of password “categories” and establish strong, unique passwords for each and change them periodically. Common categories include:
• Work—PennKey. Make sure you have one strong password for your PennKey that you use nowhere else.
• Work—Not PennKey. Some systems at Penn ask for passwords that are not based on PennKey.
• Personal—Important. For your life outside of Penn, consider creating one or two long and complex passwords for the most sensitive systems (online banking, finance).
• Personal—E-Commerce. Select another password or two for accounts associated with online purchases (like Amazon).
• Email. Whenever possible, make sure that your password for any email system is different from every other password you use.
For more information about Penn’s Two-Step Verification pilot or assistance with passwords, contact your Local Support Provider or security@isc.upenn.edu.
For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/