News from IT that isn't just for geeks

Protect Your UM Passwords!

Posted on: April 30th, 2013 by

The University email system has been inundated lately with phishing emails. These take various forms and purport to come from both people and groups you know. This illuminates one key point the IT security awareness presentation emphasizes, that the “From” part of an email message is easily forged by criminals to lead you into believing a message comes from a legitimate source. As always, a best practice is to not click links in email messages. While we all realize your common work correspondence includes links, these phishing messages are unsolicited emails that were not part of an ongoing email conversation. Another key feature these messages rely on is they imply they are from IT professionals asking you to “verify” your login information. IT will NEVER send you an email asking you to verify your login credentials.

Some of the sites these emails direct you to will attempt to install malware on your computer. If your system and antivirus patches are not up to date, key logging or screen capturing software can be installed on your computer. Software to destroy all the data on your computer could be installed, or as a worst case a root kit can be put in place to completely take over the computer system without your knowledge or consent.

Inadvertently revealing your login password via these phishing attempts is magnified significantly with the use of VPN.  Your VPN credentials are the same as your email credentials. Once authenticated via VPN, a remote host becomes a “trusted” host.  If a criminal logs into VPN as “you,” the remote computer they are using then becomes a “trusted” host  and security measures put in place are circumvented.

Some best practices to keep in mind concerning your user  account:

  • NEVER click links in unsolicited emails!
  • Use good passwords and change them every 90 days. Good passwords are a minimum of 8 characters with upper/lower case letters, special characters and numbers.
    • Even better passwords can be based on a phrase and approximately 15 characters if your system will permit.
  • Always be suspicious of a site that asks for your account or personal information. Familiarize yourself with the address bar at the top of your browser. Beware entering your account information if the site does not end in “”

Additional trust is given with VPN access. Please take care of your account!