Protecting your account username and passphrase is fundamental to proper security practices. This is especially true of your CalNet credentials, which provide access to a wide array of online services for students, faculty, and staff.
The theft of account information is one of the biggest threats facing the campus - here's what you need to know to protect yourself:
What are the risks?
If your account credentials are stolen, the following could happen:
- Your University pay-roll account and bank information are targeted for fraud.
- Restricted UC Berkeley data is compromised, resulting in a costly breach response and litigation.
- Thousands of emails are posted using your berkeley.edu account advertising dubious or illegal activities.
- All of your personal and work-related communication is read, including emails, chat and private messages.
These things really do happen and happen far too often.
How are credentials stolen?
Many techniques can be used to steal someone's account username and passphrase. Some common ones include:
Social Engineering and Phishing scams
Phishing scams are a significant source of compromised CalNet credentials on campus. They are a form of social engineering attacks used to trick the unsuspecting user into revealing their account information. These scams can occur by phone, email, or text.
Most commonly, a phishing scam is initiated by an email that has the appearance of official business, requesting that you perform an urgent action, such as logging into your account to confirm your password.
The email will often contain a link to a fraudulent login page, where your credentials are captured for future compromise. Or the link takes you to a web page where malicious code is silently installed on your system to capture your credentials.
For more information about how to identify and protect yourself from phishing scams, visit the Phishing Resources section.
How to Detect the Authentic CalNet Login Page contains important details for identifying fraudulent CalNet login sites.
Dictionary or Brute-Force attacks
Dictionary attacks are a technique of breaking into an account by guessing a passphrase from the dictionary or a list of commonly used passwords. Also know as a "brute-force attack", passphrases that are poorly generated are the most susceptible (e.g., passphrases containing common words, pet's name, etc.).
Using Public Kiosks or other untrusted devices
- Public kiosks or terminals (e.g. hotels, libraries, airports, coffee shops)
- Borrowing a friend or colleague's computer or mobile device
A technique whereby the attacker observes someone while they type their passphrase. Shoulder Surfing is especially a risk in libraries, computer labs and other public areas.
Other techniques include:
- Hackers that have successfully stolen credentials from one website will attempt to use them on other sites, exploiting the fact that many victims reuse passphrases across multiple systems.
- Hackers will often install software or hardware devices known as "keyloggers" to capture the input from the keyboard.
- Attackers can intercept credentials by monitoring unencrypted network traffic (also known as "sniffing"). This happens most often on open wireless networks and when credentials are sent in cleartext through email or unsecured web connections (e.g., URL links beginning with http:// instead of https://).
What can I do to protect my account information?
Now that you know how your passphrase can be stolen, here are some tips for good password security:
Use a long passphrase
The UCB minimum standard for passphrase length is eight (8) characters containing a mix of different character types -- letters (upper and lower case), numbers, punctuation marks, etc. However, a passphrase of 20 characters or more is recommended - they provide a significantly higher level of protection, and require less complexity of character types.
A strong passphrase can be a quote, poem or lyric that is easy for you to remember - but too long to be cracked by common brute-force techniques or to observe by shoulder surfing.
Do not reuse passphrases
It is extremely important not to reuse passphrases across multiple accounts. If one account is compromised, then all accounts sharing that set of credentials are at risk!
Especially for accounts requiring the highest level of security, such as your CalNet account, email, and financial websites -- use a distinct passphrase for each account.
Use a password management application
A password management program can help you to maintain strong, unique passphrases for all of your accounts. These programs can generate strong passphrases for you, enter credentials automatically, and remind you to update your passphrase periodically.
Several online password management services offer free versions, and KeePass is a free application for Mac and Windows.
Check that the site is secure
When logging into websites, email, or other services, check that the site is secure and your credentials are encrypted. A secure URL for a website starts with "https://" and your browser will display a lock icon in the address bar.
Also, be sure that the site is authentic - beware when the browser displays a red slash through the lock icon or gives certificate warnings.
Be aware that your passphrase could be intercepted if the website does not offer a secure login.
Avoid Phishing scams - think before you click
If you think you may have fallen for a phishing scam, change your password immediately! Then contact us for instructions regarding the next steps.
Passphrase "Dos and Don'ts"
- Don't give your passphrase to ANYONE. A legitimate system administrator can reset your passphrase if necessary and should NEVER request it by email or over the phone.
- Don't use a passphrase containing information about you, such as birthday, favorite movie, etc. that someone who knows you could guess.
- Don't type your passphrase while using someone else's computer. It is relatively easy to steal someone's passphrase by installing a keylogger on your computer and then letting someone use the computer.
- Look out for "shoulder surfers" when typing your passphrase, much as you would do when typing your PIN number at an ATM.
- Use anti-virus software on your computer, available for free for students, faculty, and staff, to protect your computer from software keyloggers.