When you help protect the University's data, you also help protect your privacy and personal data. If malicious individuals can compromise or steal data at NEOMED, your information is among the many thousands of identities that could be compromised or stolen. As members of the University community, we all need to work to ensure everyone's data remains secure. One of the ways in which we can protect our data is by protecting our accounts. The following protection strategies can apply to both your University and personal accounts.
Keep University and Personal Accounts Separate
While it may be convenient to use NEOMED email for personal communications and online services, it is essential to maintain a clear separation between your University and personal accounts. As a reminder, your NEOMED email is subject to Freedom of Information Act requests and to litigation holds. If you use a NEOMED email address to receive personal email, every message in that mailbox, including personal ones, can be subject to search, which could affect your privacy.
This separation also applies to the usernames and passwords you use for online accounts. University accounts include your NEOMED username and email, along with any associated passwords. Personal accounts are those associated with your personal services, such as your bank account, non-University email services, streaming services, social media accounts, and credit card accounts. To maintain this separation, do not use your NEOMED email as the email address of record for your personal accounts, and do not use the same password across your University accounts and personal accounts. With this separation in place, a compromise of one account (or a password-reset link sent to one mailbox) does not hand an attacker the rest of your accounts.
Use a Unique Password for Every Account
This strategy can be tough, but as previously mentioned, it is essential to ensure that if one of your accounts gets compromised, it does not result in more compromises. You should apply this rule to your University and personal accounts. For example, say you use your personal email address and the same password for online banking. If your personal email gets compromised by a phishing incident, malicious individuals will almost certainly try that same email/password pair against your bank and other popular services; replaying leaked credentials across sites (credential stuffing) is automated and routine. In short, if one of your accounts is compromised, the use of unique passwords for each account will help minimize your losses.
Use Strong Passwords
Strong passwords are at least 14 characters in length and may contain a mix of uppercase and lowercase letters, numbers, and symbols. One recommended method to create strong passwords is by using a passphrase. A passphrase is like a password, but it is generally longer than commonly-used passwords and contains a sequence of words or other characters to make the passphrase more memorable (for example: I-like-2-go-H!king). Length is what matters most: each added character multiplies the number of guesses an attacker must try, so a longer passphrase that also mixes character types is exponentially harder to guess than a shorter password.
It is important to note that passphrases based on commonly referenced quotes, lyrics, or other sayings are already in the wordlists attackers use and can be guessed quickly, so passphrases should be unique to you. It is also important to avoid using single dictionary words and common password creation schemes, which typically put a capital letter first and an exclamation mark last (for example, Summer2023!). Finally, you should also avoid iterative passwords, which are essentially the same password with a different number or character at the end; attackers try these variations first when an older version has leaked.
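As an added example, not part of the original article, here is a small checker that enforces the rules above: minimum length, no well-known phrases or single dictionary words, no Capital-word-digits-! scheme, and no reuse or trailing-character iteration of a previous password. The blocklists are constructed stand-ins for the breached-password and phrase lists a real checker would consult.

```python
import re

# Constructed stand-ins for the lists a real checker consults: breached
# passwords (e.g. Have I Been Pwned), dictionary words, and famous quotes/lyrics.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
COMMON_PHRASES = {"maytheforcebewithyou", "tobeornottobe", "wearethechampions"}
DICTIONARY = {"summer", "winter", "hiking", "dragon", "monkey", "password"}

MIN_LENGTH = 14
TRAILING_RUN = re.compile(r"[\d!@#$%^&*._-]+$")      # digits/symbols tacked on the end
CAPITAL_WORD_SCHEME = re.compile(r"[A-Z][a-z]+\d*!")  # e.g. Summer2023!


def _letters_only(s: str) -> str:
    """Lower-case and drop everything but letters so 'May-the-Force!' matches 'maytheforce'."""
    return re.sub(r"[^a-z]", "", s.lower())


def _is_iteration_of(candidate: str, previous: str) -> bool:
    """True when candidate is `previous` with only the trailing digits/symbols changed."""
    core_new = TRAILING_RUN.sub("", candidate).lower()
    core_old = TRAILING_RUN.sub("", previous).lower()
    return candidate != previous and core_new != "" and core_new == core_old


def check_password(candidate: str, previous_passwords=()) -> list:
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    letters = _letters_only(candidate)
    if candidate.lower() in COMMON_PASSWORDS or letters in COMMON_PHRASES:
        problems.append("matches a common password or well-known phrase")
    if letters in DICTIONARY:
        problems.append("is a single dictionary word dressed up with digits or symbols")
    if CAPITAL_WORD_SCHEME.fullmatch(candidate):
        problems.append("follows the Capital-word-digits-! scheme")
    for old in previous_passwords:
        if candidate == old:
            problems.append("reuses a previous password")
        elif _is_iteration_of(candidate, old):
            problems.append("is a previous password with only the ending changed")
    return problems


if __name__ == "__main__":
    for pw in ("I-like-2-go-H!king", "Summer2023!", "May-the-Force-be-with-you!"):
        print(pw, "->", check_password(pw, previous_passwords=["Summer2022!"]) or "OK")
```

The passphrase from the article passes; Summer2023! fails on length, dictionary word, scheme, and iteration of Summer2022!; the Star Wars line is long and mixed-case but still fails because the phrase itself is guessable.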
Use a Password Manager
If we follow the “unique-passwords-for-each-account” standard, we then find ourselves in a position where we must remember a lot of passwords. Password managers are applications that manage all your username/password combinations in a secure, encrypted location (often on your device) called a password vault. The vault is encrypted with a key derived from a single master passphrase that only you know, so that one passphrase must be the strongest and most carefully guarded password you have; the manager can then generate a long random password for every site and fill it in for you. A password manager takes a lot of the work out of using a different password for every account or service. While we within the NEOMED IT department do not recommend a particular password manager, there are many password managers that can be found online – just make sure to research your options!
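As an added example, not code from the article or from any particular product, this sketch shows the two things a password manager does for you: generate random, unique passwords, and keep them in a vault that can only be opened with the master passphrase. The master passphrase is stretched with PBKDF2 (using the iteration count OWASP's Password Storage Cheat Sheet recommends for PBKDF2-HMAC-SHA256) and is never stored; the vault file holds only a salt, a nonce, ciphertext, and an integrity tag. To stay standard-library-only, encryption here is HMAC-SHA256 run in counter mode with a separate HMAC tag (encrypt-then-MAC); a real manager uses a vetted authenticated cipher such as AES-GCM. The vault contents and passphrase below are constructed.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Iteration count from OWASP's Password Storage Cheat Sheet for PBKDF2-HMAC-SHA256.
KDF_ITERATIONS = 600_000


def generate_password(length: int = 20) -> str:
    """A random password of the kind a manager generates and fills in for you."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _derive_keys(master: str, salt: bytes) -> tuple:
    """Stretch the master passphrase, then split the result into an encryption key and a MAC key."""
    root = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, KDF_ITERATIONS)
    enc_key = hmac.new(root, b"vault-encryption", "sha256").digest()
    mac_key = hmac.new(root, b"vault-integrity", "sha256").digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for the AES-GCM a real manager uses."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
    return b"".join(blocks)[:length]


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def seal_vault(master: str, entries: dict) -> dict:
    """Encrypt-then-MAC the entries. Only salt, nonce, ciphertext and tag are written to disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master: str, vault: dict) -> dict:
    """Return the entries, or raise ValueError if the passphrase is wrong or the file was altered."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext, tag = bytes.fromhex(vault["ct"]), bytes.fromhex(vault["tag"])
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # verify integrity before touching the ciphertext
        raise ValueError("wrong master passphrase or tampered vault")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    # Constructed example entries; a real vault holds one generated password per site.
    entries = {"bank.example": {"user": "alice", "password": generate_password()}}
    vault = seal_vault("correct-horse-battery-staple-2024", entries)
    print("stored on disk:", sorted(vault))          # no plaintext, no master passphrase
    print("opened:", open_vault("correct-horse-battery-staple-2024", vault))
```

Because the tag is checked first, a wrong master passphrase and a vault file that has been modified on disk are rejected the same way, before any decryption happens.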
Use Multi-Factor Authentication
We’ve talked at length about multi-factor authentication (MFA) in different Pulse articles before, so let’s talk about something we have not covered before – identity. Proving your identity is what authentication is for: it is how a system confirms you are who you say you are. From a technology perspective, there are three fundamental authentication factors, that is, three kinds of evidence a system can ask for:
- Knowledge: Something you know. This factor includes passwords, security questions, or private identity information such as your Social Security Number or the amount of your last bank deposit.
- Possession: Something you have. This factor includes a device you have registered, a one-time code generated by an authenticator app or sent to your phone or email, or a physical security key or token.
- Inherence: Something you are. This factor includes a fingerprint, retina, or facial scan, or another biometric.
Multi-factor authentication makes it difficult for malicious individuals to access your account because accessing the account requires multiple identity factors (the “multi-factor” component of MFA). Good security practice uses at least two different factors; a password plus a security question is still only “something you know”. With MFA enabled, you have another layer of access protection in case a malicious individual compromises one factor (typically the “something you know”, such as a password captured by phishing).
For example, many banks require the use of multi-factor authentication to access their online services. In addition to your username and password (something you know) or fingerprint (something you are), those banks that offer MFA also request a one-time code (something you have) to access your online account.
Here at NEOMED, we require MFA for University systems that may interface with sensitive University data to help keep this data more secure from compromise. You should consider employing multi-factor authentication for your accounts whenever and wherever it is offered. You can typically find this functionality, if it is offered, within your account’s ‘Settings’ or ‘Account’ menu; it may also be found within the ‘Security’ or ‘Privacy’ menus of your account’s settings.
-Submitted by Jonathan Wagner