Protecting Your Credentials

Protecting your account username and passphrase is fundamental to good security practices.  This is especially true of your CalNet credentials, which provide access to a wide array of online services for students, faculty and staff. 

The theft of account information is one of the biggest threats facing the campus - here's what you need to know to protect yourself:

What are the risks?

If your account credentials are stolen, the following could happen:

  • Your University pay-roll account and bank information are targeted for fraud.
  • Restricted UC Berkeley data is compromised, resulting in a costly breach response and litigation.
  • Thousands of emails are posted using your berkeley.edu account advertising dubious or illegal activities.
  • All of your personal and work-related communication is read, including emails, chat and private messages.

These things really do happen, and happen far too often.

How are credentials stolen?

There are many techniques that can be used to steal someone's acount username and passphrase. Some common ones include:

Social Engineering and Phishing scams

Phishing scams are a major source of compromised CalNet credentials on campus.  They are a form of social engineering attacks used to trick the unsuspecting user into revealing their account information.  These scams can be perpetrated by phone, email, or text. 

Most commonly, a phishing scam is initiated by an email that has the appearance of official business, requesting that you perform an urgent action, such as logging into your account to confirm your password. 

The email will often contain a link to a fraudulent login page, where your credentials are captured for future compromise.  Or the link takes you to a web page where malicious code is silently installed on your system to capture your credentials.

For more information about how to identify and protect yourself from phishing scams, visit the Phishing Resources section.

How to Detect the Authentic CalNet Login Page contains important details for identifying fraudulent CalNet login sites.

Dictionary or Brute-Force attacks

Dictionary attacks are a technique of breaking into an account by guessing a passphrase from the dictionary, or a list of commonly used passwords.  Also know as a "brute-force attack", passphrases that are poorly generated are the most susceptible (e.g., passphrases containing common words, pet's name, etc.).

Using Public Kiosks or other untrusted devices

Your credentials are at especially high risk when you enter them on untrusted devices such as:
  • Public kiosks or terminals (e.g. hotels, libraries, airports, coffee shops)
  • Borrowing a friend or colleague's computer or mobile device
These untrusted devices may have already been compromised by malware installed to capture your credentials.  And if you forget to properly logout and close the web browser, someone can hijack your account afterwards.

Shoulder Surfing

A technique whereby the attacker simply observes someone while they type their passphrase.   Shoulder Surfing is especially a risk in libraries, computer labs and other public areas.

Other techniques include...

  • Hackers that have successfully stolen credentials from one website will attempt to use them on other sites, exploiting the fact that many victims reuse passphrases across multiple systems.
  • Hackers will often install software or hardware devices known as "keyloggers" to capture the input from the keyboard.
  • Attackers can intercept credentials by monitoring unencrypted network traffic (also known as "sniffing"). This happens most often on open wireless networks and when credentials are sent in cleartext through email or unsecured web connections (e.g., URL links beginning with http:// instead of https://).

What can I do to protect my account information? 

Now that you know how your passphrase can be stolen, here are some tips for good password security:

Use a long passphrase

The UCB minimum standard for passphrase length is nine (9) characters containing a mix of different character types -- letters (upper and lower case), numbers, punctuation marks, etc.  However, a passphrase of 20 characters or more is recommended - they provide a significantly higher level of protection, and require less complexity of character types. 

A good strong passphrase can be generated from a quote, poem or lyric that is easy for you to remember - but too long to be cracked by common brute-force techniques or to observe by shoulder surfing.

Do not reuse passphrases

It is extremely important to not reuse passphrases across multiple accounts. If one account is compromised, then all accounts sharing that set of credentials are at risk!

Especially for accounts requiring the highest level of security, such as your CalNet account, email, and financial websites -- use a distinct passphrase for each account.

Use a password management application

A password management program can help you to maintain strong unique passphrases for all of your accounts.  These programs can generate strong passphrases for you, enter credentials automatically, and remind you to update your passphrase periodically.  

There are several online password management services that offer free versions, and KeePass is a free application for Mac and Windows.

Check that the site is secure

When logging into websites, email, or other services, check that the site is secure and your credentials are encrypted. A secure URL for a website starts with "https://" and your browser will display a lock icon in the address bar.

Also be sure that the site is authentic - beware when the browser displays a red slash through the lock icon or gives certificate warnings. 

If the website does not offer a secure login, be aware that the passphrase you use could be intercepted.

Avoid Phishing scams - think before you click

If you receive an email containing an attachment or link that is not expected, even if it's from a trusted source, use these tips to verify whether the email is a phishing scam.  When in doubt, ask.

If you think you may have fallen for a phishing scam, change your password immediately!  Then contact us for instructions regarding next steps.

Passphrase "Dos and Don'ts"

  • Don't give your passphrase to ANYONE. A legitimate system administrator can reset your passphrase if necessary and should NEVER request it by email or over the phone.
  • Don't use a passphrase containing information about you, such as birthday, favorite movie, etc. that someone who knows you could guess.
  • Don't type your passphrase while using someone else's computer. This may sound a bit paranoid but it is relatively easy to steal someone's passphrase by installing a keylogger on your computer and then letting a friend use the computer.
  • Look out for "shoulder surfers" when typing your passphrase, much as you would do when typing your PIN number at an ATM.
  • Use anti-virus software on your computer, available for free for students, faculty and staff, to protect your computer from software keyloggers.