It’s time to put October into overdrive! We’ve already experienced Mountain Day. I hope it was fun and safe for everyone. We have Fall Break coming, but today, we start the celebration of Cybersecurity Awareness Month. What does that entail? Almost four full weeks (not counting November 1st) of opportunities to raise the level of cybersecurity awareness of the community, including a Virtual Scavenger Hunt and the opening of our fall 2024 cybersecurity awareness training.
The theme for Cybersecurity Awareness Month 2024, sponsored by the National Cybersecurity Alliance, is “Secure Our World”. The topics for this year are using strong passwords and a password manager, turning on multifactor authentication, updating your software, and recognizing and reporting phishing; one for each week. These topics will be discussed each week in an article right here on this site. We’ll also discuss a local topic each week, including the safe and ethical use of generative artificial intelligence (AI), what phishing emails are “popular” in our email inboxes, why you should make careful use of your Berry email address, and we’ll learn about passkeys, a “new” authentication system that is becoming more and more popular on the Internet.
Let’s move on to our first topic – the use of strong passwords and password managers. We’ll start this topic with three questions:
- How many online accounts do you have?
- How many passwords do you have?
- Are those two numbers the same?
If the answer to the last question is “no”, then you are most likely not using strong enough passwords, nor are you using a password manager to create and secure them. Password managers like LastPass, Bitwarden, Dashlane, or even your iCloud Keychain, if you exclusively access the online world with Apple products, will help you generate long, complex, and unique passwords for every online account you have. They will also securely store them and allow you to use them to log in to all of your accounts. You only have to remember one strong, hard to guess password, and many systems will also allow you to access your password manager using bio-metrics like a fingerprint or facial recognition (IMPORTANT: You still have to remember that password in case the bio-metrics don’t work).
What is a strong password? The characteristics of a strong password are:
- It is long, 15-25 characters at least
- It is non-sequential – it doesn’t use 123456 or ABCDEF or even QWERTY from the keyboard
- Uses at least three of the following types of characters: lowercase letters, uppercase letters, numbers, symbols, and spaces (if allowed)
- It doesn’t include your username, your real name, pet’s names, family names, favorite team name, or any other information about you or your “likes” that you would post on social media or other public places.
A final aspect of good passwords is that they are unique. Never reuse a password for multiple accounts and never use a password that has been exposed via a data breach (How do you know? Check out this Quick Info page on the Cybersecurity News & Alerts site). Particularly, do not reuse passwords for financial accounts or other sensitive accounts. One account = one password. Three hundred accounts = three hundred passwords.
Are you tired of having to deal with usernames and passwords? There is a relatively new technology that can ease some of the difficulty in securely authenticating. The technology is called passkeys. Passkeys eliminate the need to continually type in or copy and paste usernames and passwords. Passkeys also cannot be exposed via a data breach.
They work by creating a pair of “keys” or numbers for each account. One key is the “public” key and one is the “private” key. The website stores the public key and you store the private key, usually in a password manager like the ones mentioned earlier or using another app (like iCloud Keychain) that supports passkeys. Passkeys can be synchronized between your devices (if using a password manager) or you can use unique passkeys on each device you use for any given site.
While most major sites support passkeys, including Amazon, Apple/iCloud, Google, and Microsoft, not all sites do, particularly smaller sites or non-commercial sites. 1Password maintains a user-generated list of sites that support passkeys. More sites will add support as the technology gains popularity and the implementation process is streamlined. Understand that at most every site you will initially have to use a username and password or some other method to create an account, but once you have done that, the site may offer to walk you through the process of setting up a passkey for future use or it may be an option in your account settings.
What a easier to use (and safer) place the Internet might be without all those pesky usernames and passwords to deal with!
Our required semi-annual cybersecurity awareness training starts soon. Look for an email later this week inviting you to start the training. It will include a password-less link to enter the training portal. Training must be completed before Friday, December 6th. Please don’t put it off to the last minute. The end of the semester gets busy for everyone.
If you are interested in participating in the Virtual Scavenger Hunt for Cybersecurity Awareness Month, you can click the button in the top left floating window, or click on the button below.
All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.
Please continue to report those phishing emails! Avoid using “unsubscribe” links and report spam via the “Report message” button, just like you would a phishing email.
If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the website.
Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted, like Cybersecurity Awareness Month (going on right now!)
Food For Thought
Our food for thought this month stays true to the theme of the article. Here are two videos on passkeys, one from Microsoft offering a broad introduction and one from Leo Notenboom that answers a couple of the burning questions you may have about using and securing your accounts with passkeys.
January News from Information Security
NCSAM Week 5 – IoT, MFA, and PhysSec
