For our first meeting of the fall semester, we had 22 attendees in the 9th floor conference room sharing ideas about ways to create and manage passwords.
We started the discussion by referring to this recent Wall Street Journal article in which the person responsible for writing a set of long-standing best practices for password creation decided his guidelines needed a complete overhaul:
McMillan, Robert. “The Man Who Wrote those Password Rules has a New Tip: N3v$r M1^d! Bill Burr’s 2003 Report Recommended using Numbers, Obscure Characters and Capital Letters and Updating Regularly–He Regrets the Error.” Wall Street Journal (Online), Aug 07, 2017, ABI/INFORM Global, http://remote.baruch.cuny.edu/login?url=https://search.proquest.com/docview/1926721443?accountid=8500.
During our discussion, a number of different options for password creation and management came up:
- Password management software (most will store your username/password credentials and help you create very strong passwords)
- Saving passwords in a local spreadsheet or text file (that may also be encrypted)
- Using Diceware to create strong passphrases
Some institutions have set up LastPass at the enterprise level, enabling all employees to have their own accounts and to share passwords with trusted colleagues. It was noted that LastPass has struggled in the past year with a security problem that is worrisome for its users.
We talked generally about what makes a strong password and how a long passphrase can be as secure as, if not more secure than, a shorter password made up of random characters, something this xkcd cartoon by Randall Munroe illustrates well:
One amusing thing that came up in our discussion was a list of the most common passwords people use (“123456” is at the top of the list year after year).
We also talked about the ways passwords get hacked: dictionary attacks (a brute-force method in which a computer tries billions of candidate words, drawn from dictionaries in every language, against a login) and social engineering attacks in which users are tricked into giving away their login credentials.
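To put numbers on the passphrase-versus-password point above and on how long a dictionary or brute-force attack would take, here is a small added example (not part of the original post) that computes the entropy of a Diceware passphrase versus a random-character password and generates a passphrase the Diceware way with a CSPRNG. The eight-word list and the guess rate are constructed stand-ins; a real Diceware list has 7776 words.

```python
import math
import secrets

# A real Diceware list has 6**5 = 7776 words, one per five-dice roll.
# Only the list size matters for entropy; the words below are a constructed
# stand-in so the generator runs offline.
DICEWARE_LIST_SIZE = 6 ** 5
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "lamp", "river", "cobalt", "wren"]


def passphrase_entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of num_words chosen uniformly and independently from list_size words."""
    return num_words * math.log2(list_size)


def password_entropy_bits(length, alphabet_size):
    """Entropy of a password of `length` characters drawn uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every one of the 2**bits candidates at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def make_passphrase(num_words, word_list=SAMPLE_WORDS, sep=" "):
    """Pick words with a cryptographic RNG, standing in for the physical dice rolls."""
    return sep.join(secrets.choice(word_list) for _ in range(num_words))


if __name__ == "__main__":
    rate = 1e9  # constructed assumption: one billion guesses per second
    for label, bits in [
        ("8 random printable-ASCII chars (94 symbols)", password_entropy_bits(8, 94)),
        ("5 Diceware words (7776-word list)", passphrase_entropy_bits(5)),
        ("4 words from a 2048-word list (the cartoon's 44 bits)",
         passphrase_entropy_bits(4, 2048)),
    ]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.1e} years to exhaust")
    print("example passphrase:", make_passphrase(5))
```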
It was noted that while two-factor authentication can offer an additional layer of security, it is not without weaknesses of its own:
- Can be hard to implement at the enterprise level, as it requires every person to do something additional to log in beyond simply typing in a user name and password
- If the second factor is a text message to the user’s phone containing a one-time PIN that has to be typed in after the password, the phone becomes the weak point: it is increasingly common for hackers to steal people’s cell phone numbers away from them and thereby hijack this additional security layer
- You can use a security key for two-factor authentication, like this one from Yubico, but not every system accepts one
For two-factor authentication, authenticator apps (like Authy) were suggested as being more secure than receiving login codes by text message.
We looked at the list of topics already suggested for upcoming meetings:
- Sharing screens among students and instructor in a classroom
- Data management and preservation
- Faculty and staff options for file storage and sharing
- Integrating LibGuides into Blackboard
- Open educational resources (OERs)
- Online and Hybrid Tools (Screencast-O-Matic, VoiceThread)
- What is blockchain?
- Intro to encryption and what are options for encryption (personal and work)
- Technology fatigue
- Internet of things
- Digital archiving
Our next meeting will be a Friday in October (look for an announcement soon).