Santa Clara University

Information Security Office

News and Events


Information Security News and Events

News, events, views, tips, and hints for keeping your personal information private.

The following postings have been filtered by tag: password.
  •  Two Layers of Added Security

    Wednesday, Jul. 15, 2015

    To protect your account, a password is a must. It keeps prying eyes away from your information and data. However, a password can only do so much. Passwords are stolen all the time, and habits such as using the same password on more than one site, clicking links in unexpected emails, or choosing a weak password make that more likely. 

    (For more information about passwords, please visit:

    When someone steals your password, they can lock you out of your account and use it for malicious deeds. If you use the same password for multiple sites, the perpetrator may gain access to all of them. 

    This is where two-factor authentication (2FA) comes in. Most people have one layer (their password) protecting their account. 2FA adds a second, independent check to the log-in. If an attacker gets past the password layer, 2FA means they still cannot get into your account without the second factor. 

    2FA requires users to present two credentials of different types before they can access an account, drawn from the three classic categories: 

    • something you know (PIN, password, pattern, etc.)
    • something you physically have (ATM card, security token, the phone that receives a text message, etc.)
    • something you are or do (fingerprint, voice, facial recognition, signature, etc.)

    Two credentials from the same category (for example, a password plus a security question) still count as one factor; the second credential must come from a different category.

    Here is an example of a 2FA login:

    When you log on to your account, you enter your password, and your phone receives a text message with a one-time "code" that you must also enter. You need both the password and the code to complete the login; an attacker who has only the password is stopped at the second step. 
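    The code in that example is a one-time code. As an added illustration (not code from the SCU post), the block below implements the standard time-based one-time code (TOTP, RFC 6238) that authenticator apps produce and that sites can also send by text message, together with the server-side check that requires both the password and a fresh code. The account, password and secret are hypothetical; the only real values are the RFC test secret used so the output can be checked against the published test vectors.

```python
# Added example (not from the SCU post): a time-based one-time code (TOTP,
# RFC 6238), the same kind of six-digit code an authenticator app produces or
# a site sends by text message. Standard library only.
import hashlib
import hmac
import secrets
import struct
import time

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# used only so the output can be checked against the published test vectors.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the Unix time divided by the step."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check. Accepts the current 30-second step plus `window`
    steps either side to absorb clock skew, so a captured code soon expires.
    Constant-time comparison avoids leaking which digits matched."""
    current = at // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, current + d), submitted)
        for d in range(-window, window + 1)
        if current + d >= 0
    )


def login(stored_password: str, password: str, secret: bytes, code: str, at: int) -> bool:
    """Two factors: the password (something you know) AND a fresh code from
    the device that holds `secret` (something you have). Both must pass.
    A real site compares against a salted password hash rather than the
    plaintext; kept simple here to keep the focus on the second factor."""
    password_ok = hmac.compare_digest(stored_password.encode(), password.encode())
    return password_ok and verify_totp(secret, code, at)


if __name__ == "__main__":
    # Hypothetical account: `secret` is what the site shares with the phone at enrolment.
    secret = secrets.token_bytes(20)
    now = int(time.time())
    print("password only, guessed code:", login("hunter2", "hunter2", secret, "000000", now))
    print("password + current code    :", login("hunter2", "hunter2", secret, totp(secret, now), now))
```

    The window of one step either side is the usual compromise: it tolerates a phone clock that is a few seconds off, while a code that an attacker captured from an earlier login stops working within about a minute.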

    So what’s all the fuss about two-factor authentication anyway? Why should I use 2FA? 

    Well, the biggest reason to use 2FA is the added security it gives you. 2FA makes it harder for attackers to get into your account: instead of defeating one layer of security, an attacker who has stolen your password must also defeat the second one. This doesn’t mean that 2FA is a sure way to stop people from getting into your accounts. It simply improves security noticeably with little effort on your part. 

    So does this mean that I can use easier passwords if I use 2FA?

    You have some leeway for using a slightly easier password now that you have an extra layer of security, but I would still highly recommend that you use strong passwords to keep your accounts more secure. 

    Okay, so what are some downsides to 2FA?

    One downside to 2FA is that most people use it on their cellphones. I admit that this is the most convenient method, but if you enter your password on the same phone that receives the code, a single device now holds both factors, and that makes the setup less secure. There’s always a risk that your phone could be stolen, or that a malicious app might read your stored passwords and incoming messages, defeating both layers at once. Nowadays, a typical cellphone contains everything but the physical keys to your door.

    The other downside is that 2FA can be a hassle. It takes a moment to set up, and every time you want to log in, 2FA requires that you have access to the thing you are using as the second factor. This is also why more and more people use their smartphones as the token. 

    Some sites that allow two-factor authentication:

    • Facebook
    • Gmail
    • Twitter
    • LinkedIn

    Now that you know a little more about two-factor authentication, the ball is in your court. Some people chose to use 2FA, while others opt not to. What will you do?


  •  Password Managers

    Wednesday, May. 27, 2015
    What is a Password Manager Tool?
    A password manager tool is software that helps users to encrypt, store, and manage passwords.  The tool also helps users to create secure passwords and automatically log into websites.
    Who Might Use a Password Manager Tool and Why?
    People should use a unique password for each website or system they log in to, so that a breach of one website or system does not expose the others.  However, most users cannot remember a separate password for many sites and tend to reuse the same password or write them on sticky notes attached to their computer. Password manager tools let users securely keep many distinct passwords and log them into websites automatically.
    Benefits to Using a Password Manager Tool
    Password manager tools enable users to create and securely maintain unique passwords for websites and other systems without having to memorize or write down passwords.
    Risks to Consider When Using a Password Manager Tool
    Special care should be taken to secure the password tool since it will grant access to all passwords.  The “master” password that grants access to the tool should be a very strong, complex, and unique password; use multifactor authentication if possible.  Additional considerations should be made about whether you want your password management tool to store the passwords locally or in the cloud.
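    To make concrete what "encrypt, store, and manage" and a "master" password mean in practice, here is an added example that is not from the SCU page and not any product's file format. It is an illustrative construction: PBKDF2 stretches the master password into keys, HMAC-SHA256 used in counter mode encrypts the vault, and a second HMAC authenticates it (encrypt-then-MAC), so a wrong master password or a tampered file is refused rather than decrypted into garbage. Shipping products use AES-GCM or similar; the flow is the same. The vault contents and the master passphrase are made up.

```python
# Added example (not from the SCU post or any product): how a password manager
# can protect its vault with one master password. Illustrative construction:
# PBKDF2 stretches the master password into keys, HMAC-SHA256 in counter mode
# encrypts the vault, and a second HMAC authenticates it (encrypt-then-MAC).
# Shipping products use AES-GCM or similar, but the flow is the same.
import hashlib
import hmac
import json
import math
import secrets
import string
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 600_000   # slow on purpose: every guess at the master password costs this much
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def generate_password(length: int = 20) -> str:
    """A random password for one site, from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing cost of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def derive_keys(master: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Master password -> (encryption key, MAC key). The per-vault salt makes
    precomputed tables useless; memory-hard scrypt/Argon2 would be better still."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode; a nonce is never reused with a key."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


def lock(master: str, entries: Dict[str, str]) -> bytes:
    """Encrypt the vault into: salt | nonce | ciphertext | tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master, salt)
    pt = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unlock(master: str, blob: bytes) -> Optional[Dict[str, str]]:
    """Decrypt only after the tag verifies: a wrong master password or a
    tampered file yields None, never garbage."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


if __name__ == "__main__":
    # Hypothetical vault with one unique password per site.
    vault = {site: generate_password() for site in ("mail.example", "bank.example")}
    blob = lock("correct horse battery staple", vault)
    print("entropy per generated password: %.0f bits" % entropy_bits(20))
    print("right master password:", unlock("correct horse battery staple", blob) == vault)
    print("wrong master password:", unlock("correct horse battery stapler", blob))
```

    Two points from the code carry over to any real tool: the vault is only as strong as the master password fed into the key derivation, which is why the master password must be long, unique and ideally backed by a second factor; and everything else (the salt, the nonce, the ciphertext) can sit on a cloud server without harm only because it is useless without that key.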
    List of Technology/Tools That a User Might Consider
    Below are three popular password manager tools that an end user might consider for use.  Users should evaluate which tool works best for their own unique purposes.  The Information Security Office does not recommend the use of a particular tool. End users employ these tools at their own risk.
    LastPass ( is easy to use, supports most popular browsers and mobile devices, offers multifactor authentication options for the master password, notifications for hacked sites, does not share the encryption key with LastPass, provides a password strength indicator, and performs additional password tests like ensuring that you’re not using the same password across multiple sites.  However, the ease of use requires that the password database be stored in the cloud. Additionally, as a web-based tool, your password database is available to anyone in the world with an Internet connection and your master password. For this reason, it is strongly recommended that you use multifactor authentication. 
    KeePass ( does not share encryption keys with KeePass, provides a password strength indicator, and the password database is not stored in the cloud.  Use across multiple devices is a little more complex, as the user must move or sync the private password database manually.
    1Password ( does not share encryption keys with 1Password, provides a password strength indicator, and the password database can be stored in Apple’s iCloud, Dropbox, or locally on personal devices.  Syncing across multiple devices is easy if the database is stored in the cloud, but keeping it local is more secure.  The iOS version can be configured to support Touch ID on compatible devices.
    Higher Education Reference Pages
    Boston University 
    Indiana University 
    Pepperdine University
    Purdue University
    University of Illinois at Urbana-Champaign
    Adapted with permission from EDUCAUSE and the Higher Education Information Security Council
    *not written by the author
  •  HeartBleed-Critical Internet Security Issue

    Wednesday, Apr. 9, 2014

    Immediate action required whether you use a PC, Mac, or smartphone. Researchers have discovered a critical bug in a widely used implementation of the communication protocol that secures transactions on an estimated 500,000 websites. When you log into a website, your username and password are sent to that website's server. Typically your credentials are encrypted using a protocol called Secure Sockets Layer, or SSL (and its successor, TLS).  One of the most commonly used implementations of SSL/TLS is called OpenSSL, and it is used by approximately 66% of websites.

    Heartbleed is a bug in OpenSSL's handling of the TLS "heartbeat" extension that lets an attacker read chunks of a vulnerable server's memory. That memory can hold whatever was recently sent to or by the server: emails, instant messages, passwords, even business documents, and in the worst case the server's private key, which would let the attacker decrypt traffic and impersonate the site. Heartbleed is so critical that almost every major web site and vendor service is scrambling to resolve it.
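    Why a memory read is possible at all comes down to one missing length check. The block below is an added, deliberately simplified model written for this page; it is not OpenSSL's code, and the server memory it constructs (a recent login and a key fragment) is made up. A heartbeat request carries a payload-length field; the vulnerable handler trusts it and copies that many bytes out of the buffer holding the request, so a tiny request that claims a large length is answered with whatever else sits next to it. The fixed handler applies the same bounds check OpenSSL's patch added.

```python
# Added example (not OpenSSL's code): a simplified model of the Heartbleed bug
# (CVE-2014-0160). A TLS heartbeat request carries a payload-length field;
# vulnerable OpenSSL trusted it and copied that many bytes out of the buffer
# holding the request, so a tiny request claiming a large length was answered
# with whatever else sat in the server's memory. The memory layout below is
# constructed for illustration.
import struct

HEARTBEAT_REQUEST = 1
PADDING = 16


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """type(1) | payload_length(2) | payload | 16 bytes of padding.
    An honest client sets claimed_len == len(payload); the attack lies."""
    return struct.pack(">BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def server_memory(record: bytes) -> bytearray:
    """Constructed process memory: the received record, then unrelated data that
    happens to sit next to it (a recent login and a key fragment, both made up)."""
    neighbours = (
        b"POST /login user=alice&password=hunter2 "
        b"-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA(made-up) "
    )
    return bytearray(record + neighbours + b"\x00" * 1024)


def vulnerable_heartbeat(memory: bytearray, record_len: int) -> bytes:
    """Echoes `claimed_len` bytes starting at the payload; `record_len` (the
    number of bytes actually received) is never consulted, which is the bug."""
    _, claimed_len = struct.unpack(">BH", memory[:3])
    return bytes(memory[3:3 + claimed_len])


def fixed_heartbeat(memory: bytearray, record_len: int):
    """The fix: silently discard any record whose claimed payload, plus the
    header and padding, does not fit inside the bytes actually received."""
    _, claimed_len = struct.unpack(">BH", memory[:3])
    if 1 + 2 + claimed_len + PADDING > record_len:
        return None
    return bytes(memory[3:3 + claimed_len])


def heartbeat(handler, claimed_len: int, payload: bytes = b"hello"):
    """Send one heartbeat to the chosen handler and return its reply."""
    record = build_heartbeat(payload, claimed_len)
    return handler(server_memory(record), len(record))


if __name__ == "__main__":
    print("honest request, vulnerable:", heartbeat(vulnerable_heartbeat, 5))
    leak = heartbeat(vulnerable_heartbeat, 65535)
    print("lying request, vulnerable :", len(leak), "bytes; password inside?", b"hunter2" in leak)
    print("lying request, fixed      :", heartbeat(fixed_heartbeat, 65535))
```

    The attacker never has to "break" the encryption: the server volunteers the bytes, up to 64 KB per request, and the request can be repeated as often as the attacker likes. That is why the advice is to treat anything a vulnerable server had in memory, including its private key, as exposed.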

    Google has released a statement that their sites are not vulnerable.  SCU’s technical staff is working with our vendors to identify and address the issue on other SCU systems.  

    SCU's Information Security Office strongly recommends that you change your SCU Network ID and eCampus passwords right away.  

    You can change your Network ID password here:  

    We also recommend changing passwords for all sites where you conduct financial or personal business, once each site has confirmed it has fixed the bug: a new password sent to a still-vulnerable server can be stolen the same way.  Be sure to use long and strong passwords and change them regularly.

     More information about Heartbleed



Information Security Office, 1-408-554-5554,