Santa Clara University

Information Security Office


Information Security News and Events

News, events, views, tips, and hints for keeping your personal information private.

  •  Password Managers

    Wednesday, May. 27, 2015
    PASSWORD MANAGERS*
     
    What is a Password Manager Tool?
    A password manager tool is software that helps users to encrypt, store, and manage passwords.  The tool also helps users to create secure passwords and automatically log into websites.
     
    Who Might Use a Password Manager Tool and Why?
    People should use a unique password for each website or system they log in to, in order to minimize the impact of a breach of any one website or system.  However, most users cannot remember a separate password for many sites and tend to reuse the same password or write passwords on sticky notes attached to their computer. Password manager tools allow users to more securely manage many distinct passwords and automatically log them into websites.
     
    Benefits to Using a Password Manager Tool
    Password manager tools enable users to create and securely maintain unique passwords for websites and other systems without having to memorize or write down passwords.
     
    Risks to Consider When Using a Password Manager Tool
    Special care should be taken to secure the password tool since it will grant access to all passwords.  The “master” password that grants access to the tool should be a very strong, complex, and unique password; use multifactor authentication if possible.  You should also consider whether you want your password management tool to store the passwords locally or in the cloud.
     
    List of Technology/Tools That a User Might Consider
    Below are three popular password manager tools that an end user might consider for use.  Users should evaluate which tool works best for their own unique purposes.  The Information Security Office does not recommend the use of a particular tool. End users employ these tools at their own risk.
     
    LastPass (https://lastpass.com/) is easy to use, supports most popular browsers and mobile devices, offers multifactor authentication options for the master password, sends notifications for hacked sites, does not share the encryption key with LastPass, provides a password strength indicator, and performs additional password tests like ensuring that you’re not using the same password across multiple sites.  However, the ease of use requires that the password database be stored in the cloud. Additionally, because it is a web-based tool, your password database is available to anyone in the world with an Internet connection and your master password. For this reason, it is strongly recommended that you use multifactor authentication.
     
    KeePass (http://keepass.info/ and http://www.keepassx.org) does not share encryption keys with KeePass, provides a password strength indicator, and does not store the password database in the cloud.  Use across multiple devices is a little more complex, as the user needs to maintain access to their private password database manually.
     
    1Password (https://agilebits.com/onepassword) does not share encryption keys with 1Password, provides a password strength indicator, and lets the password database be stored in Apple’s iCloud, Dropbox, or locally on personal devices.  Use across multiple devices is easy if the database is stored in the cloud, but it is more secure if stored locally.  The iOS version can be configured to support Touch ID on compatible devices.
     
    Adapted with permission from EDUCAUSE and the Higher Education Information Security Council
    *not written by the author
  •  Heartbleed - Critical Internet Security Issue

    Wednesday, Apr. 9, 2014

    Immediate action required whether you use a PC, Mac, or smartphone. Researchers have discovered a critical bug in the communication protocol that is used to secure transactions on an estimated 500,000 websites. When you log into a website, your username and password are sent to that website's server. Typically your credentials are encrypted using a protocol called Secure Sockets Layer, or SSL.  One of the most commonly used implementations of SSL is called OpenSSL and it is used by approximately 66% of websites.

    Heartbleed is a bug in OpenSSL that allows attackers to decode and read text from emails, instant messages, passwords, even business documents -- anything sent to a vulnerable site's server. Heartbleed is so critical that almost every major website and vendor service is scrambling to resolve it.

    Google has released a statement that their sites are not vulnerable.  SCU’s technical staff is working with our vendors to identify and address the issue on other SCU systems.  

    SCU's Information Security Office strongly recommends that you change your SCU Network ID and eCampus passwords right away.  

    You can change your Network ID password here: https://sso.scu.edu/gam/passwords.html.  

    We also recommend changing passwords for all sites where you conduct financial or personal business.  Be sure to use long and strong passwords and change them regularly.

    More information about Heartbleed:

    http://www.cnn.com/2014/04/08/tech/web/heartbleed-openssl/

    http://www.thewire.com/technology/2014/04/what-you-need-to-know-about-heartbleed-the-new-security-bug-scaring-the-internet/360366/

     

     

Information Security Office, 1-408-554-5554, iso@scu.edu