Password Security Critical Inside and Outside Of Duke

The Duke University Information Technology Security Office (ITSO) offers suggestions to the Duke community on password security.

Since the beginning of 2011, the Office of Information Technology Service Desk has helped 35 Duke faculty, staff and students re-secure their NetID-and-password combinations. Their compromised accounts put them in good company, as a growing number of organizations reveal that they have lost control of customer data. Last month, for instance, Sony notified 77 million PlayStation Network and Qriocity online users that attackers were able to grab user names, passwords, security questions, addresses, birth dates and other account information, including possibly credit card information. Also in April, Epsilon Data Management LLC revealed that hackers had accessed names and email addresses it used in marketing campaigns for over 40 companies, including J.P. Morgan Chase.

The Sony and Epsilon breaches are lessons about the fragility of password security. Individuals often use the same password for many accounts, ranging from a Duke NetID to a bank account to an online gaming account. The danger in using the same password is that once an attacker has learned it, he or she has unfettered access to multiple accounts. And a smart attacker won't change the password, but will instead keep using it to access a computer or bank account.

The Duke University Information Technology Security Office (ITSO) offers these suggestions to the Duke community on password security:

  • Use a strong password for your online accounts - at least eight characters, a mix of upper-case and lower-case letters, numbers and special characters.
  • Use multiple passwords for a variety of accounts. Don't use your Duke NetID password for your bank account or other online accounts.
  • If you have trouble remembering multiple passwords, use a password escrow tool like LastPass or 1Pass.
  • Set your challenge/response questions, so the OIT Service Desk personnel can confirm your identity when you need to have your password reset.
  • Duke University will never ask you for your password via email, so don't respond to email requests (or any requests, for that matter) for your password. Good IT technicians will not ask you for your password when they are at your desk helping you with a computer problem; they'll either use an administrator ID on the machine or suggest that you stay close to enter your password when necessary.
  • Reputable companies, especially banks, will never ask you for your password via email, either. If you get an email from a company with which you do business telling you to reset your password, ignore links in that email and go instead to the company's website as you always do. There, you will be able to see if they are asking for password resets or if they have had a security breach.

Duke community members with additional questions are asked to write to the ITSO, or contact the OIT Service Desk.
