Technical and Security Issues

For urgent assistance with a technical or security issue, please call the IT Service Desk at 877-466-6728 or report the issue via the Minnesota State Service Desk.

To submit an IT request, report an issue, or view the status of submitted requests, visit the Minnesota State Service Desk.

Product/Service Risk Assessment Request

To submit a security risk assessment request, go to Security Risk Assessment Request.

Additional Information and Resources:

We are becoming increasingly reliant on technology and storing personal information online. This trend increases the opportunity for hackers to acquire sensitive information such as credentials, personal data and financial records.

Malware picked up from the internet or other sources can give hackers the ability to access your computer or infiltrate your online accounts, and any information they find can potentially be leaked to others.

The good news is that even as hackers update their strategies, there are several sensible practices you can follow to stay safe online.

Use Caution Clicking Links and Attachments

Emails, attachments, and website links are the three things you should treat with the most caution on the Internet. Many cyberattacks begin with emails carrying malicious content.

Phishing is one way hackers compromise your computer or accounts. The attacker sends emails posing as a reputable company, hoping the recipient believes the message is authentic and "updates" their personal information on a malicious website. There are a few ways to tell whether a message or website is legitimate:

  • Check for a different or misleading URL. If you are not sure about the source of the message, you should always hover over the hyperlinked website address to verify that it is a valid link for the site.
  • Check the e-mail address of the sender. It may only be a letter off a valid email from the company they are trying to mimic, so make sure you look carefully.
  • Check for spelling and grammar mistakes. Most company communications will thoroughly review their messages for mistakes, while many phishers have a poor use of English grammar. So, language errors may be a signal that the email is not coming from a reputable company.
  • Check the IP address of the sender if you are suspicious. If you view the message source (the full headers), the IP addresses of the servers that handled the message appear in the lines beginning "Received: from." You can then look up the IP address online to see where the message was sent from.
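
As an added illustration of the sender and header checks above (this script is not part of the original page), the following Python code parses a constructed sample message, pulls the IP addresses out of its Received: lines, and flags a From: domain that is only a couple of letters off an assumed trusted domain. The message, hosts, TEST-NET addresses and the domain university.example are all placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message for illustration only; the addresses, hosts and
# TEST-NET IP addresses are made up and do not refer to any real system.
RAW_MESSAGE = """\
Received: from relay.univeristy.example (relay.univeristy.example [203.0.113.7])
\tby mx.university.example with ESMTP id 4F2A9
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby relay.univeristy.example with ESMTPA
From: "IT Service Desk" <helpdesk@univeristy.example>
To: student@university.example
Subject: Action required: confirm your password

Your account will be closed unless you confirm your password at the link below.
"""

TRUSTED_DOMAIN = "university.example"  # assumed domain of the genuine sender

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw):
    """IPs named in the Received: headers, in header order: the top entry is
    the server closest to you, the bottom entry is where the mail started."""
    msg = email.message_from_string(raw, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        for ip in IP_RE.findall(str(hdr)):
            if ip not in ips:
                ips.append(ip)
    return ips


def sender_domain(raw):
    """Domain of the actual From: address, ignoring the display name."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED_DOMAIN, max_edits=2):
    """Not the trusted domain, but only a letter or two away from it: the
    'one letter off' case the checklist warns about."""
    return domain != trusted and edit_distance(domain, trusted) <= max_edits


def triage(raw):
    """Summarise the checks for one raw message."""
    ips = received_ips(raw)
    domain = sender_domain(raw)
    return {"sender_domain": domain, "lookalike": is_lookalike(domain),
            "originating_ip": ips[-1] if ips else None, "path": ips}


if __name__ == "__main__":
    print(triage(RAW_MESSAGE))
```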

Clicking unknown links is also a dangerous game. Untrustworthy sites can start downloading files, redirect you through other malicious websites, or scam you for information the moment you open the link. If you are unsure whether a link is safe but intend to open it anyway, right-click and copy the link, then paste it into a separate browser window so you can inspect the URL first. Secure sites begin their URL with "https://". Look for this in particular whenever you are entering sensitive information such as a credit card or Social Security number.

The easiest way hackers deliver malware to your system is through attachments. They are especially dangerous in the workplace, at school, or anywhere that many people are connected to the same network. Do not open attachments unless you are certain you know what they contain as well as who the sender is. Word documents, PDFs, and EXE files are among the file types you should be most wary of. If one recipient opens a malicious attachment, there is a chance that it could spread to every computer connected to the network.

Two-Factor Authentication

Over the last few years, websites have developed more ways to strengthen security and give their users more opportunities to protect themselves against cyberattacks. One emerging strategy is called two-factor authentication. This requires a confirmation from a cell phone or some other form of verification, in addition to your password, before you can access an account.

You should check websites you frequent to see if they have a two-factor authentication process available. Sometimes, there are settings that only require this procedure if you are logging in from a different device, which is especially important. If a company gets breached by a cyberattack, the hackers most likely won’t be able to access your account if two-factor authentication is enabled unless they had some kind of personal device or personal information already.

Security questions are another preventative measure, used to recover your account if it is lost or stolen. However, if the answers are not unique or can be found with a little research, they can actually work against you and give unwanted guests access to your accounts. Avoid the common questions typically offered, such as "What's your mother's maiden name?" or "What was your first pet's name?", because these answers can often be found online through public records or social media. Some people don't even answer the question truthfully, so that no one but themselves can access the account. For example, instead of putting "Turner" for your father's middle name, you could put something unrelated such as "Finding Nemo."

Browser Safety

  • Don’t stay signed in to your email or other online accounts. Also, lock your PC when you walk away.
  • Never let your browser (e.g. Chrome, Firefox) save your passwords; you can turn off the browser's password-saving setting. Instead, use a secure password manager like LastPass.
  • Regularly clear your browser history, saved passwords, cache, and cookies.

Use a VPN

A Virtual Private Network (VPN) is an effective way to keep your identity from being revealed online and is a good defense against your sensitive information falling into the wrong hands. VPNs are especially useful on public networks, such as those at a coffee shop or library. These connections offer their Wi-Fi guests minimal security, so browse on them with the greatest caution. Whether you are on a public or private network, taking the precaution of using a VPN is wise. A VPN adds security by tunneling your traffic from the public network through a private network, masking your IP address and giving you more peace of mind when accessing private data. There are many services online that offer VPNs, and many are inexpensive or even free of charge.

The following section offers tips for creating good passwords, explains why strong passwords are important, gives an overview of Minnesota State Colleges and Universities' operating instruction on passwords, and answers some common questions about the instruction itself.

Introduction

Passwords allow you to authenticate, or prove your identity, when you access information, services, and resources in the computing environment. Every person in the system has access to at least some sensitive, nonpublic information, such as his or her own contact information and grades. Staff and faculty also have a business need to access other people's nonpublic information. If we didn't require passwords, literally anyone could act as you or assume your identity.

Think of all the information you store on your computer and your college or university computing account. If someone else had your password, they would also have access to your electronic life including email, education records, class projects and your class registration and transcripts. A malicious individual with your password would be able to use your accounts to commit fraud, change a grade, steal, store illegal content, send spam, make threats, break into other systems and much more. If anything malicious or criminal is done with your account, evidence will place the burden on you to prove you are not the culprit.

Due to increased reliance on passwords for protecting sensitive data, Operating Instruction 5.23.1.1, Password Usage & Handling, was passed in April 2008. This guideline was developed by a collaborative group of IT and security staff from around the system. It was reviewed by the CIO at each institution and approved by the System CIO. The group based the guideline on current best practices, including information from the National Institute of Standards and Technology, Microsoft (see Strengthening Domain Policy Settings, especially table 13) and OWASP.

This FAQ includes additional information about the operating instruction. Each question quotes the relevant requirement from that guideline. If you have additional questions or concerns that are not addressed here, please speak with your CIO so that they can pass your question on to the Information Security Office, and we may address it here.

How do I choose a strong password?

Passwords must be at least eight characters in length and contain three of the four following character types:

  • Uppercase alphabetic characters (e.g. A-Z)
  • Lowercase alphabetic characters (e.g. a-z)
  • Digits (i.e. 0123456789)
  • Special characters (i.e. ~!@#$%^&*()_+-=<>?{}|[]\;':",./)

You can visit the free Password checker by clicking on the link and typing a few example passwords. This checker should indicate "How Strong" for any password that satisfies operating instruction 5.23.1.1.

Passwords should not:

  • Be restricted to a maximum length that limits the ability to use passphrases (i.e. allowing 8-40 characters is better than allowing 8-10 characters).
  • Be a single word that can be found in any dictionary, even if you add a number to the beginning or the end (e.g. Password1).
  • Be a word that only uses simple character substitution (e.g. C00k13 instead of Cookie).
  • Be based on any publicly available information such as user ID, family member's name, birthday, etc.
  • Be based on a keyboard pattern (e.g. asdf1234) or duplicate characters (e.g. aa11BB).

Passwords should use one or more of the following techniques:

  • Combine multiple password-creation techniques. For example, character substitution plus additional characters: C_0ok^i3.
  • Be composed of multiple words. For example, My=furr3y*d0g-F1do.
  • Be based on information known only to you. For example, a quote from your favorite poem or book: 0!C4pta1n,myC@ptAin
  • Be based on something that makes you laugh. For example, MyM0therf0rg0t_myB1rthday!
  • Be composed of punctuation and initial characters of each word of a phrase known to you. For example, "We hold these truths to be self-evident, that all men are created equal," becomes "Whtt2Bs-e,tamace,". This technique is effective with your favorite book, your own writings, etc.
  • Be composed of part of, or a whole sentence. For example, "We.the,Pe0ple.0f,the.United,5tates". This technique is also effective with your favorite book, your own writings, etc.
  • Be composed of a complete, proper sentence. For example, "My dog Fido is black." (Note that not all systems support a space character in the password.)

While some of these recommendations may seem extreme, the longer passphrase examples are quite often easier to recall and easier to type than a random eight-character password. Adding length beyond the minimum also exponentially increases the strength of your selected password. Additionally, using a password safe not only prevents you from losing passwords but also lets you use arbitrarily long and complex passwords if you so choose, so long as you still set and remember a good passphrase to protect your "keychain" of passwords.
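
The following Python script is an added example, not the password checker linked from this page: it tests a candidate password against the "must" rules (eight characters, three of four character types) and the "should not" list above, using a tiny constructed word list in place of a real dictionary, and it computes the 94-character keyspace and guessing time that the footnotes at the end of this page use, for several lengths, to show how quickly extra length adds strength.

```python
import re
import string

# Special characters exactly as the operating instruction lists them.
SPECIALS = set("~!@#$%^&*()_+-=<>?{}|[]\\;':\",./")
# Constructed stand-in for a real dictionary; a production check would load one.
DICTIONARY = {"password", "cookie", "truck", "fido", "winter", "spring"}
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1234", "12345678")
# Common character substitutions, reversed: 0->o, 1->i, 3->e, 4->a, $->s, @->a, !->i
SUBSTITUTIONS = str.maketrans("0134$@!", "oieasai")


def character_classes(pw):
    """Count how many of the four character types the password uses."""
    present = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ]
    return sum(present)


def policy_violations(pw):
    """Reasons a password fails the 'must' rules of operating instruction
    5.23.1.1 or the page's 'should not' advice; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(pw) < 3:
        problems.append("fewer than 3 of the 4 character types")
    lowered = pw.lower()
    if lowered.strip(string.digits) in DICTIONARY:
        problems.append("dictionary word, possibly with digits added")
    elif lowered.translate(SUBSTITUTIONS) in DICTIONARY:
        problems.append("dictionary word with simple character substitution")
    if any(run in lowered for run in KEYBOARD_RUNS):
        problems.append("keyboard pattern")
    # 'Duplicate characters' (aa11BB) is read here as a string built only
    # from doubled characters; this interpretation is an assumption.
    if re.fullmatch(r"(?:(.)\1)+", pw):
        problems.append("made of repeated characters")
    return problems


def keyspace(length, alphabet=94):
    """Possible passwords of exactly this length over an alphabet of the given
    size; 94 is the printable-character count the footnotes assume."""
    return alphabet ** length


def years_to_exhaust(length, attempts_per_second=2e6, machines=1, alphabet=94):
    """Years to try every password at the footnote's assumed guessing rate."""
    seconds = keyspace(length, alphabet) / (attempts_per_second * machines)
    return seconds / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    for candidate in ("Password1", "C00k13", "asdf1234", "My=furr3y*d0g-F1do"):
        print(candidate, policy_violations(candidate) or "OK")
    for n in (8, 10, 12):
        print(n, "chars:", f"{years_to_exhaust(n):.3g} years to exhaust")
```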

Why can't I share my password?

Subpart A. Password protection. Users must protect their passwords from unauthorized use and refrain from sharing passwords with others.

This requirement from the guideline is a reiteration from the requirements set forth in the Acceptable Use system procedure. As users within the Minnesota State Colleges and Universities, we are given access to different systems like email or Desire2Learn, but we are responsible for protecting that access to prevent abuse. If an individual shares their password with another person, they have just given that person access to data and information for which they are not authorized. Additionally, the individual that shared their password is still liable for any actions taken with their account.

What is a "strong password"? Why can't I just use my dog's name for a password?

Subpart B. Strong Passwords. Users must use a password or passphrase that is a minimum of eight characters and must include a minimum combination of two character types and should include a combination of 3 character types such as: numbers, special characters, and lower and upper case letters.

A password is a combination of letters, numbers and "special characters" that is known only to the account-holder and the system or application used by the account-holder. A strong password is one that holds a high degree of entropy. That is, there is a high degree of randomness in the value of that password. Put more simply, a strong password is one that is impossibly hard to guess. A password of "truck" holds very little entropy, whereas "CAg1DI5`b1P:UeIv;H" holds a very high degree of entropy.

We don't allow a simple word like "truck" or "fido" as a password because this would literally take seconds for a hacker to guess using widely available tools. However, we don't require a completely random password, either. Random passwords are extremely difficult to recall, which makes them a usability nightmare. For a password to be usable, then, we need both randomness and memorability. Thus, the user selects their password, but we must require a minimum length and minimum complexity. This results in a longer password with many, many more potential values, which will thwart a guessing attack. [1]

To balance the requirement for security with the requirement for usability, the guideline development group settled on what is probably the most common set of requirements: a minimum length of eight characters combined with a complexity requirement of three of the four types of characters available. These requirements are also commonly enforceable in the systems and applications around the colleges and universities.

Why do I have to change my password? I just memorized my old one!

Subpart C. Required Changes. Passwords or passphrases must be changed at least every 180 days and should be changed at least every 90 days.

Requiring password changes every six months will further reduce the risk that someone who attempts to get your password will be successful, and will prevent others who may have your password from using your account for nefarious purposes. (Or any other unauthorized purpose, for that matter!) Periodic password changes will also stop any unknown and unauthorized use of your account. Essentially, if an attacker was trying to guess your password, our minimum password requirements mean the attacker will require more than six months to successfully guess your password. By that time, your password will have changed.

We've kept that requirement to every six months because we do realize the difficulty incurred by frequent password changes. This requirement also reduces the risk that a user's account is abused if they've previously shared their password. For example, if a professor shared their password with a student in tech support, and that student later attempted to change a grade in that professor's course, the chance that the professor's password is still valid is greatly reduced.

Why is my account locked out after I mistype my password a few times?

Subpart D. Lockout for Failed Attempts. College or university and Office of the Chancellor system administrators should establish a standard for locking a user's account if the user fails to login to the system within a specified number of attempts. The lockout may be for a designated amount of time or until the account is administratively reset.

This requirement is directed at IT departments rather than the individual. By locking out an account for a short period (usually 30-60 minutes), a hacker actively trying to guess a password is not only considerably slowed, but the lockout also increases the chance that IT staff can identify that individual while the attack is in progress. Unfortunately, this requirement is sometimes technically infeasible depending on the application or system in question. If this requirement were 100% implementable, the risk of brute-force password guessing attacks would be greatly reduced.

Why can't I memorize my password and just change a number at the end?

Subpart E. Password Administration. College or university and Office of the Chancellor system administrators should enable password history, limiting the ability to re-use passwords.

By regularly changing your password, and ensuring that each new one is not similar to previous passwords, you greatly reduce the risk that your password could be guessed or cracked. Password reuse is also prohibited to prevent users from changing their password, then changing it back to their old one.

Some users do like establishing a pattern, but avoiding a pattern does increase your security. If your passwords followed a pattern and an attacker learned your password at one point in time, they could determine your password any time. For example, if an attacker learned your password was Winter09, they would have some confidence that your next password would be Spring10. (This pattern is extremely common and should be avoided.)

What else can I do to remember all these passwords?

Use a password "safe"

A password safe is a virtual safe that you can use to securely store your usernames, passwords, and other information associated with your various online accounts. There are numerous free and commercial products available, but the most popular ones are probably Password Safe and KeePass. Both have Windows versions. KeePass also has versions for UNIX and Linux, as well as agents for iPhones, PocketPC, BlackBerry, Palm, and Android phones & PDAs. Password Safe also has a "U3" version, which lets you store your password safe encrypted on a thumb drive for portability, and there are ports that also support Mac users. Both Password Safe and KeePass are open source projects. Another option for Mac users is 1Password, which is a popular commercial package that also has an iPhone agent.

Write it down

We briefly considered, but ultimately did not include, "do not write this down," because some people may need to do so for a short period in order to learn a new password every six months. If you must write your password down, it should not be kept with your laptop, under your keyboard, taped to your monitor, etc. You wouldn't put your PIN on a note on your monitor, just as you wouldn't tape a $20 bill to your monitor. You also wouldn't write your PIN on your ATM card or keep your PIN in your wallet. If you lost your wallet, you would lose your ATM card and your PIN together, which would enable the finder or thief to withdraw funds from your accounts. Your wallet is a good place to store a written password, however. Just don't write your username with it, or even label it as a password.

Do PCI systems that process credit card purchases have different requirements?

A "PCI" system is one that stores or transmits credit card data. These systems have additional requirements. If you weren't aware of any of this, you can probably disregard this section.

Passwords for any system or network device covered by PCI-DSS must meet the following requirements:

  1. Minimum Length: 8 characters
  2. Change Frequency: Every 90 days
  3. Complexity: At least 3 of 4 types of characters
  4. Lockout: After 6 attempts, minimum 30 minute lockout
  5. No shared accounts
  6. No password reuse
  7. Inactivity time-out: 15 minutes

Footnotes

  1. We calculate the relative strength of a password by examining its keyspace, or the total number of possible combinations. A PIN requires 4 numerals and has a keyspace of 10,000 (or 10^4), meaning there are 10,000 possible combinations for a PIN. Without the requirement of an ATM card to strengthen this authentication (and the ATM machine that will keep your card after several incorrect guesses), this PIN could realistically be cracked in a matter of minutes.

    The keyspace for the new requirements is 94^8, or about 6.096 × 10^15, which makes cracking within 6 months infeasible. If an attacker were able to achieve a sustained rate of two million attempts per second, it would take almost a century to exhaust the keyspace.

    The calculation: (94^8 possible passwords / 2 × 10^6 attempts per second) / 60 seconds / 60 minutes / 24 hours / 365 days ≈ 96.7 years. If this attacker had 100 computers, it would still take almost a year.

    While there are ways to speed this up, the reality is that many places where authentication takes place would allow far fewer attempts per second, perhaps not even 1/10th that number.

Faculty and Staff: For additional security topics, log into IT SharePoint/Connect using your StarID and password.