Dear Students,
I am frequently amazed at how trusting students are when it comes to computer security. I find computers unlocked, and running. Frequently. It would be trivial (to pick a completely random example) to quickly install a program from a USB stick that would allow access to the computer remotely. Or to downgrade the account so that the student couldn't play games, install programs, change their own security settings, and ensure that the computer only worked between the hours of 1PM to 2PM each day. That would be horribly, horribly inconvenient, but at least the damage is confined to you. The more likely possibility is that somebody would think it was
hilarious, cyber-bulling consequences not withstanding, to email all of your friends and family some embarrassing comments, or even rummage around your hard drive looking for some embarrassing photos to attach and send off to your entire address book. Brentwood takes cyber-bullying extremely seriously -
schools that don't aren't nice places. If the hacker is evil
and clever, they'll just ensure they have access to your computer later, and access your accounts the next time you're traveling (and it would be trivial to determine where you are with access to your email, your Facebook account, etc). Then, when the time is exactly right, email your friends and family with a plea to send emergency money because you've been mugged and are stuck in a foreign country, or whatever other lie they think will convince your loved ones to give them cash. It's important to protect yourself - you wouldn't fail to lock your car, why fail to lock your computer?
So, to be clear:
LOCK YOUR COMPUTER WHEN ABSENT.
Secondly, don't tell anyone your password. If you wish your friends to have access to your computer, give them their own (limited) account, with their own password. Yes, giving out your password is a remarkable display of trust - so's giving out your house keys, car keys, and diary. Friends can become ex-friends extremely quickly - and do you really want your ex-friend in charge of your status updates and photos online?
I work in a large high school and in the past few weeks the same student walks in and mentions his work gets deleted from his area and he has to get his password changed as it no longer works.
Every week the techs restore the work and change the password to something random and complex.
On the fourth time I manage to meet this unlucky chap and ask "when we restore your files and change your password, what do you do?"
Student - "oh I change it back to the original one of my name and date of birth so I can remember it and then tell my best friend as we all use mine because they dont remember theirs
There are, of course, two mistakes in the example - telling other people the password, and making the password ridiculously easy to guess. Using normal words for passwords is also a problematic - remember that unlike T.V. people don't guess passwords individually, they set up a computer to guess thousands of times per second using dictionaries and other common passwords. Other problems include using the same password for all sites, as well as writing passwords on a piece of paper...and then sticking it on your monitor. (Or putting it in a desk drawer - oh, clever. It will take a whole extra second to find...) The difficulty with one password for all sites is the if one becomes compromised, they all do. It may not matter of someone hacks into your account for leaving comments on a blog, but if they can use that to get into your bank account, Facebook friends, or online email it's quite another.
It often seems, however, that it's a catch-22. If I don't write a password down, I need it to be something I can remember, which means someone might be able to crack it. If I do make it complicated enough (i.e. minimum 8 characters of a mixture of letters, numbers, and/or symbols), then I need to write it down somewhere so that I can refer to it often - which opens up the possibility that someone would find my note.
The neatest solution I've seen to this problem in awhile is
http://passwordcard.org/ . The website will generate a unique set of random numbers and digits that look like so:
And I know you're saying "Thanks Mr. Neufeld, just what I needed - another set of incomprehensible letters and numbers". Actually, you're probably not saying that, but it's my imagination and I'll do what I want with it.
The usefulness of the card is that the card itself allows one to meet the duel purpose of having passwords that are hard to crack by people 'out there', and have something that can be taped to your monitor, put in your wallet, etc, to refer to. As an example how it works, let's say you are going to use an 8-digit combination for your online bank password. Rather than memorizing a complex string, I remember "green happy face". Going down from the happy face symbol at the top, and the green line, my new password is "RVffH3y8" which is more than sufficient to meet security requirements, and difficult to hack.
Even better, I can print out this card, have it laminated, and put it in my wallet in case I forget the password. I can tape it to my computer, keep copies in my desk, etc. It doesn't matter if someone sees the card - there are literally thousands of combinations that are possible, running the combinations forwards, backwards,
up, down or any other easy-to-remember pattern:
I can use it and not even worry if someone is reading it over my shoulder, I lose my wallet, etc. I have the convenience of keeping my password written down when I need it, but without the added worry that it could be found and used by someone else. The website also gives the option to include a few rows of only numbers (for things like PINs) and can include symbols (just to take security up that extra notch).
As well, don't have the same security password for different purposes - the password I use for my blogs should be different from the password I use for my bank. The security of some websites varies in quality. I've even had one website directly email me my password when I successfully convinced them that I didn't remember it - if something is sent in a plain email then that password has been compromised, and was never secure to begin with. Websites with proper security and encryption would either reset your password and email you a random temporary one, or a link to reset your own password. If you can read it in your email, then you can assume anybody else between you and the servers could have read it too.
So I use the card to generate multiple passwords:
In this particular example I just remember "Green Happy face down" for RKbUzQL6, and "Red Umbrella Up" for FbtECqL9. Both are difficult to hack, but I can carry both with me at all times.
If this appeals to you, I'd recommend generating a unique version at
http://passwordcard.org/ and then copying that picture and printing off several colour copies. Laminate one for your wallet, put another in your safe or file cabinet as a back up.
Passwords are your first, second, and last line of defense for your personal identity - if you spend a little time creating a secure system, you will have much less to worry about later on.
Regards,
Ron Neufeld
Canada's Best Boarding School