Compromised Password FAQ

What action do I need to take if I received a notification that my password is compromised?

Please note: never click a link within an email to update your password. If you have reason to believe your password has been compromised, navigate directly to a trusted site by entering its URL into your internet browser.

To be proactive and avoid an automated reset, you should visit UConn’s NetID website to change your password. NetID.uconn.edu is the University’s official website for updating your password and managing your digital identity.

Is my account compromised?

A password appearing on a known compromised password list doesn’t necessarily mean that your account has been compromised; however, it increases the likelihood that an account compromise could take place. If you have any reason to believe that someone other than yourself has at any time gained access to your account, please contact techsupport@uconn.edu or 860-486-4357.

How does ITS know my password is on a compromised list?

NetID passwords are stored securely, which means that your password is generally not known to ITS. However, ITS has obtained a list of known compromised passwords from a reliable source. We use a method to match the encrypted compromised passwords against our UConn encrypted passwords, and any match is considered compromised.

Why does this matter?

Cybercriminals obtain compromised password lists too and use brute force attacks and other tactics to gain access to accounts and systems.

What are password creation tips?

The easiest way to formulate a strong password is to create a passphrase (just a few words strung together) that meets UConn’s minimum length and complexity requirements (12 characters long and containing 3 of 4 categories: upper case, lower case, number, and symbol). Additional tips on developing a passphrase are available at https://security.uconn.edu/set-a-passphrase/.

As a reminder, never use significant dates (e.g. birthdays, anniversaries), or names of people (or pets!) that you know.
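The two checks described above, the length-and-category standard and the comparison of a candidate password against a compromised-password list, can be seen together in the following added example. This is illustrative code written for this page, not ITS's own tooling: the breach "feed" is a constructed list of three made-up passwords, the feed is assumed to be published as SHA-1 hashes (a common convention for public breach lists, not a detail the FAQ states), and the prefix-indexed "range" lookup is a widely used pattern for checking a hash without disclosing it in full, not a description of how ITS performs its matching.

```python
import hashlib

# Minimum standard quoted in the FAQ: 12 characters and 3 of the 4 categories.
MIN_LENGTH = 12
REQUIRED_CATEGORIES = 3


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password. Assumption: the feed is hashed
    this way; the FAQ only says the entries are 'encrypted'."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample feed. A real feed ships hashes only; the plaintexts exist
# here solely so the example can build the hash set offline.
_CONSTRUCTED_BREACHED = ["Password123!", "Huskies2019!!", "Winter2020$"]
COMPROMISED_HASHES = {sha1_hex(p) for p in _CONSTRUCTED_BREACHED}


def meets_complexity(password: str) -> bool:
    """True when the password is at least 12 characters and hits 3 of 4 categories."""
    if len(password) < MIN_LENGTH:
        return False
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # symbols; spaces in a passphrase count
    )
    return sum(categories) >= REQUIRED_CATEGORIES


def is_compromised(password: str, compromised=COMPROMISED_HASHES) -> bool:
    """Exact-match lookup: hash the candidate the same way the feed is hashed."""
    return sha1_hex(password) in compromised


def build_range_index(hashes):
    """Index the feed by its first 5 hex characters, the layout used by
    prefix ("range") lookups. A common pattern, not stated as ITS's method."""
    index = {}
    for h in hashes:
        index.setdefault(h[:5], set()).add(h[5:])
    return index


RANGE_INDEX = build_range_index(COMPROMISED_HASHES)


def is_compromised_via_range(password: str, index=RANGE_INDEX) -> bool:
    """Only the 5-character prefix would leave the client in a real lookup;
    the suffix comparison happens locally, so the full hash is never disclosed."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in index.get(prefix, set())


def evaluate(password: str) -> list:
    """Reasons a candidate would be rejected; an empty list means acceptable."""
    reasons = []
    if not meets_complexity(password):
        reasons.append("does not meet the 12-character, 3-of-4-category standard")
    if is_compromised_via_range(password):
        reasons.append("appears on the compromised-password list")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: one on the feed, one too simple, one passphrase.
    for candidate in ["Password123!", "husky1234567", "Husky Blue Lantern 42"]:
        print(candidate, "->", evaluate(candidate) or ["acceptable"])
```

Note that "Password123!" passes the complexity rule yet is still rejected because it is on the list, which is the point of the FAQ: meeting the standard and being absent from known breach lists are separate requirements. The passphrase with spaces satisfies all four categories without being hard to remember.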

If I use the same password on my personal accounts, should I change that as well?

Yes. Cybercriminals know that people tend to reuse passwords, so they exploit this and try attacking whatever systems they can. You should update every account where you have reused the password.

Updating my passwords across accounts seems like a lot of work. Is there anything to make it easier?

IT Security highly recommends you store your passwords with a secure password manager, such as LastPass. Learn more about LastPass, including how to get free LastPass accounts, by visiting UConn’s knowledge base.

How do I know whether my new password is already on the public list as well?

You will not know for certain, but because our Password Standards improved in December of 2019 (longer and more complex requirements), a new password that meets the current standard is less likely to be cracked than an old one that did not. ITS is working on creating a more automated process that checks public password lists against our directory.

I already use multifactor authentication, why should I bother improving my password?

Passwords are your first line of defense in protecting accounts and information. Multifactor authentication is your second line of defense. Because cybercriminals have also found ways to get past multifactor authentication, you want both defense strategies to be strong. You can learn more about multifactor attacks at https://security.uconn.edu/2023/03/13/duo-sound-the-alarm/.

Tax Season Phishing Scams

Tax season is upon us, making it an opportune time for scammers to attempt to defraud you. Cybercriminals frequently disguise themselves as Payroll offices/officials by sending emails that contain calls for action, such as requests for you to verify tax information, update direct deposit accounts, print and cash checks, and/or visit a website that is not owned by UConn or the State.

Duo: Sound the Alarm

Users play a crucial role in defending against cybercriminals. When your password is stolen, a hacker will try to use it to gain unauthorized, criminal access to University protected systems and information. Duo serves as a second line of defense, but only with your help. Hackers will attempt to trick you into authenticating a login on their behalf. We’re sharing common attacks to be aware of, how to detect them, and what to do if you are subject to an attack.

How to Catch a Thief with Duo

“Credential thieves” find ways to steal usernames and passwords all the time. Whether a thief tricks you into providing your login information, or they hack a system, once a bad actor has what they need, your information and entire systems are at risk.

Duo, the multi-factor authentication application used at UConn, can stop a thief in their tracks, but only with your help. Duo serves as your second line of defense against unauthorized access (good passwords are your first)! After you enter your password, you then authenticate with Duo, verifying your identity for a second time. If you EVER receive a prompt from Duo that you DID NOT initiate, you must deny that prompt because this is an indicator that your credentials are compromised. When you deny Duo, you are catching the credential thief in the act, and blocking them from taking further action. It is common for these thieves to enter your credentials multiple times in hopes that you become “fatigued” from the notifications and just approve a Duo push out of frustration and annoyance.

A legitimate Duo push tells you which service you are attempting to log into, such as UConn 2FA Single Sign On, and the approximate location of the access request. If you did not initiate a login and you unexpectedly receive a push to your phone, or come across a page requesting a Duo token/code, follow these steps to protect your account:

  • Deny the Duo prompt.
  • If asked by Duo if the activity is suspicious, press yes.
  • Visit https://netid.uconn.edu/ to change your password.

You must change your password if you experience suspicious activity, such as an unauthorized Duo notification, because it means your credentials are compromised. Passwords are the first line of defense, but they only offer protection if they are hard to crack and known by only you. Follow these password practices to hinder credential theft from the start. And remember to NEVER approve a Duo push or enter Duo codes when you did not initiate a login.

Employment Scams

Have you received an unsolicited job offer? Cybercriminals target students with promises of jobs and compensation. Students are routinely offered fake employment opportunities, often sent via email, that are designed to steal your money or lead to other harmful consequences.

Common signs of employment scams:

  • An e-mail that states “Message sent from a system outside of UConn” despite the email appearing to be sent from an @uconn.edu email account.
  • An offer for a job opportunity you did not apply for.
  • A request for you to deposit a check on behalf of the “employer.”
  • A request for you to share your information.
  • A requirement that you contact the “employer” to continue the “hiring” process over text or phone.

Tips to avoid being scammed:

  • Be skeptical of scammers posing as UConn officials; even when the email appears to come from an @uconn.edu email address, you must be cautious, as cybercriminals can imitate UConn email accounts.
  • Review the company’s online presence. Does the company have a website? Do they have contact information easily available?
  • Do not send money to a company that wants to hire you. A legitimate company will never ask you to pay them.

Concerns?

If you receive an e-mail that you suspect is an employment scam, do not engage with the sender. If you have ever engaged with the malicious actor and believe you have been defrauded, please report the matter to the police.

Remember, if an offer is too good to be true… it probably is.

University IT Security Policies

The ITS Information Security Office has updated and added IT security policies that reflect current best practices. Below is a summary of the revised and new policies. You can view all IT security policies by going to security.uconn.edu and clicking “Policies, Standards & Guidelines.”

Revised Policies

Acceptable Use: Faculty, staff, and students should only use university IT equipment, systems, and services for university-related work and not for commercial or illegal activities. Individuals have a responsibility to protect their identity, data, and IT resources.

The sharing of accounts and/or passwords is disallowed. Systems should be properly maintained and patched to ensure security.


Data Classification Policy: Know the classification and requirements for handling various data types. Where appropriate, store your data on university managed databases and file storage systems. Protected and confidential data require additional levels of protection.


Data Roles and Responsibilities Policy: The roles and responsibilities of data stewards, data administrators, and data users are defined to ensure data is properly protected, used, and managed throughout its lifecycle.


Risk Management: Department and system owners are responsible for conducting a regular and ongoing risk assessment of the technology platforms they oversee.


Security Awareness Training Policy: Security awareness training is available to the UConn community, and the Information Security Office may mandate training for those who have access to confidential or protected information.


Use of Social Security Numbers: As systems are updated and replaced, Social Security Numbers should be used only as required.


New Policies

System and Application Security: Individuals responsible for operating or overseeing any University system or application are responsible for proper maintenance and oversight of systems and applications used by university constituents.


Mobile and Remote Device Security: Mobile or remote devices used to access any non-public IT resources owned or managed by the University must meet security requirements designed to reduce risk to University data and information systems.


Firewall Policy: Firewalls must be configured to maximize their protection and detection capabilities.