Carleton moves to longer passwords for increased security

25 January 2022
By Markus Gunadi and Alex Tananbaum
Login panel with highlighted notice to change your password.

Many of you may have seen a new password change notification when logging into your Carleton account. All students, faculty and staff will need to change their Carleton account passwords by February 7.

The main reason behind the change, says Kendall George, Carleton and St. Olaf’s Information and Security Officer, is the problem of ransomware.

“We have updated our password policy to meet the demands of an evolving security threat, the recommendations of our auditors, and the requirements of our insurer.”

What is the problem?

In recent years, insurance companies have paid out increasing amounts for ransomware incidents. Ransomware accounts for only 8% of insurance claims but makes up 81% of insurance costs.

What is ransomware?

Ransomware is a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return. Ransomware attacks can cause costly disruptions to operations and the loss of critical information and data.
From the FBI

In 2017, Carleton embraced new national security guidelines that called for password strengthening and the use of multi-factor authentication. More recently, Carleton has been affected by the increased cost of cybersecurity insurance (due to the large payouts for ransomware). One way to help keep these costs under control is to strengthen the passwords we use.

How to strengthen your passwords

  • Make it long. This is the most critical factor. Choose nothing shorter than 15 characters, more if possible.
  • Use a mix of characters. The more you mix up letters (upper-case and lower-case), numbers, and symbols, the more potent your password is, and the harder it is for a brute force attack to crack it.
  • Avoid common substitutions. Password crackers are hip to the usual substitutions. Whether you use DOORBELL or D00R8377, the brute force attacker will crack it with equal ease. These days, random character placement is much more effective than common leetspeak* substitutions. (*leetspeak definition: an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters.)
  • Don’t use memorable keyboard paths. Much like the advice above not to use sequential letters and numbers, do not use sequential keyboard paths either (like qwerty). These are among the first to be guessed.

From Avast, How to Create a Strong Password

Carleton’s approach

Carleton’s insurers are requesting that Carleton increase the minimum password length in order to help reduce these costs.

Kendall states “…mathematically, a 15-character password is stronger than an 8-character password that is more complex (special characters, numbers, etc).”

He adds that, “This and other changes to our security program are designed to reduce risk and consequently reduce our cyber liability insurance premiums, saving the college money.”

The new guidelines

Carleton’s new requirements increase the minimum password length from 12 to 15 characters. Per the National Institute of Standards and Technology (NIST) password guidelines, which Carleton has used to inform its security policies, longer passwords are harder for hackers to crack, making them more secure.
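The arithmetic behind Kendall’s “15 beats 8” claim and the Avast advice above, as an added example that is not part of the original article or of Carleton’s own systems: the brute-force work factor is log2(alphabet size) per character, so 15 lowercase letters (about 70.5 bits) outweigh 8 characters drawn from all 95 printable ASCII symbols (about 52.6 bits). The policy check below enforces the new 15-character minimum, rejects keyboard paths such as qwerty, and undoes common leetspeak so that D00R8377 is recognised as DOORBELL; the wordlist and substitution table are constructed for illustration.

```python
import itertools
import math

# Character-class sizes behind the brute-force estimate (26+26+10+33 = 95 printable ASCII).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
ALL_PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed mini-wordlist standing in for a real dictionary (an assumption, not from the article).
WORDLIST = {"doorbell", "password", "carleton", "welcome"}
KEYBOARD_PATHS = ("qwerty", "asdfgh", "zxcvbn", "123456")

# Substitutions to undo before the dictionary lookup. "7" maps to both "t" and "l" so that
# the article's D00R8377 resolves to DOORBELL; "1" likewise covers "i" and "l".
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "tl", "8": "b", "@": "a", "$": "s"}


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Work factor, in bits, of exhaustively searching uniformly random passwords
    of `length` characters drawn from `alphabet_size` symbols: log2(N ** L)."""
    return length * math.log2(alphabet_size)


def compare_policies() -> dict:
    """Numbers behind the claim that 15 plain characters beat 8 'complex' ones,
    alongside the old 12-character and new 15-character minimums."""
    return {
        "8 chars, all 95 printable": round(keyspace_bits(8, ALL_PRINTABLE), 1),
        "12 chars, lowercase only": round(keyspace_bits(12, LOWER), 1),
        "15 chars, lowercase only": round(keyspace_bits(15, LOWER), 1),
    }


def deleet_variants(password: str) -> set:
    """Every plain-letter reading of `password` once leet substitutions are undone."""
    options = [LEET.get(ch, ch.lower()) for ch in password]
    return {"".join(combo) for combo in itertools.product(*options)}


def check_policy(password: str, min_length: int = 15) -> list:
    """Return the violations of the rules the article describes: at least 15
    characters, no keyboard paths, and no dictionary word hidden behind leetspeak."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if any(path in password.lower() for path in KEYBOARD_PATHS):
        problems.append("contains a keyboard path such as qwerty")
    hits = {w for v in deleet_variants(password) for w in WORDLIST if w in v}
    if hits:
        problems.append(f"hides a dictionary word behind substitutions: {sorted(hits)[0]}")
    return problems
```

A real deployment would load a large wordlist and cap the number of de-leeted variants it expands, since every "1" or "7" doubles the count.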

As a result, by February 7, 2022, students, faculty and staff will need to change their Carleton account passwords to a length of at least 15 characters.

While the process of changing your password may take you about 30 minutes, it is important to know that a longer password will help protect your data and the college’s cybersecurity as a whole.

Helpful resources:

Kendall recommends his blog post “10 Best Practices for Security for Students.”

Another recommendation is the AARP site for cybersecurity information. They have some “really great information for cybersecurity,” says Kendall.

He adds that we should be aware of scams as well as suspicious phone calls, text messages and emails that might include phishing attempts. “If it seems too good to be true, it probably is.”

The password change requirements will go into effect Feb 7, 2022.
For additional questions, contact the ITS Helpdesk at 507 222 5999.