Creating a safer password
Here are some general rules for creating a safer password:
- Change your password frequently. People hate to hear this tip, but the fact is that most passwords will not be “cracked” or “guessed”; they will be stolen from an infected machine or a compromised website. Changing your password often gives an attacker a shorter period of time to use your compromised password.
- Make passwords unique. When you change your password, consider it retired; attackers typically keep collections of old passwords that they routinely test in the hopes that someone reused them.
- Make passwords unique. Add something to your password that customizes it and makes it different for each website or service account you use so a compromised password only works on the compromised site.
- Create strong passwords. The longer a password is, the longer it takes an attacker to guess it; with current technology, an attacker can guess EVERY combination of an eight-character password in 6 hours. You should use passwords that combine different character types, including upper- and lower-case letters, numbers and symbols.
- Avoid obvious dictionary words. Anything related to your normal life (job, hobbies, pet names, etc.) should be excluded from your passwords. An attacker might build a dictionary that is custom tailored to contain words related to information they gathered about you.
Creating a passphrase
One way to apply these rules is to use a passphrase instead of a password. Here is one way to create one:
- Start with a long phrase that you'll remember. This can be anything — such as a favorite song, poem or title. For example, we'll use a line from the UAB Alma Mater:
- Make some memorable changes to the passphrase. In our example below, we removed the spaces, added a symbol, and replaced the word "to" with the number "2."
- Make the password unique and memorable. Returning to our example, we'll add the first three letters of the web site where the passphrase will be used and something different like the number of letters in the name.
facebook.com = Fac8praise2theeourUAB!
- eNotify Identity: Used for sending BlazerID password reset code, and for employees to receive alerts when direct deposit, tax withholding or personal information is updated via Oracle Self Service.
- UAB IT web site: General IT announcements, information and help
- Acceptable Use of Computer and Network Resources Policy
- Oracle Self Service: Update your direct deposit, tax withholding or personal information.
Reporting suspicious messages used to be a multi-step process for UAB users, but now you can report a suspicious message with a single click. For users on a Windows or Mac system who use Microsoft Outlook, UAB Information Security has partnered with PhishMe Inc. and made PhishMe Reporter available to all UAB users. PhishMe Reporter is an add-on software “plug-in” for Microsoft Outlook that allows one-click reporting of suspicious emails.
Note: This is not intended for UAB Medicine employees (i.e. anyone with a uabmc.edu email address) as UAB Medicine IT will be rolling this out separately later this month.
Printable instructions for installing PhishMe
Installing PhishMe Reporter from Software Center
Installing PhishMe Reporter from an MSI
Installing PhishMe Reporter for Mac
Quick link to download Windows MSI
Quick link to download Mac .app
In an effort to help our users become familiar with, and more resilient to, the tactics used in real phishing attacks, UAB Information Security will be working with PhishMe Inc. to send out fake phishing emails that imitate real attacks to our students, faculty and staff. These emails are designed to give you a realistic experience in a safe and controlled environment.
Please note that we will not be receiving or storing any passwords, there is no penalty for falling victim to one of the simulations, and victimized users will not be singled out. However, we do ask users who have fallen victim to a simulated phishing email to take 30-60 seconds to review the education material that is presented afterward.
Keeper is available to UAB staff, students and faculty. It is not available to UAB Hospital staff at this time.
To create a Keeper account and start your vault:
- Register with Keeper here.
- You must use your BlazerID@uab.edu email address.
- Create a master password that is not the same as your BlazerID password. When creating your Master Password, Keeper requires a 15-character password length with one special character (e.g. !@#%), one uppercase letter, one lowercase letter and at least one number. Ideas for secure passwords are available here. Note: Your browser may prompt you to save your Keeper Master Password. NEVER allow the browser to save your Keeper password.
- To complete the registration process, you will need to enter your @uab.edu email address and set a Master Password along with a "Security Question and Answer." Keeper lets you choose one of its security questions or create your own. Please note: You must have the answer to the security question in order to perform a password reset.
- At this point, Keeper will send a verification email to the email address you provided. Please check your email, copy the verification code from the email, and paste it in the provided field in your browser.
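A local pre-check for a candidate Master Password, as an added example (not Keeper's or UAB's code): it applies the length and character-type requirements listed above and the "avoid obvious dictionary words" rule from the general password guidance, undoing look-alike substitutions before searching for personal words. The function names, the substitution table and the choice to count any non-alphanumeric character as "special" are assumptions made for this illustration.

```python
import re

# Keeper Master Password requirements as stated on this page.
MIN_LENGTH = 15
CLASS_RULES = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "number": r"[0-9]",
    # Assumption: anything that is not an ASCII letter or digit counts as special.
    "special character": r"[^A-Za-z0-9]",
}

# Assumption: a small table of look-alike substitutions people use to "hide" words.
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lower-case, undo look-alike substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LOOKALIKES))


def check_master_password(candidate, personal_words=()):
    """Return the list of rule violations; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASS_RULES.items():
        if not re.search(pattern, candidate):
            problems.append(f"missing {name}")
    flat = normalize(candidate)
    for word in personal_words:
        needle = normalize(word)
        # Skip very short words to avoid accidental matches.
        if len(needle) >= 3 and needle in flat:
            problems.append(f"contains personal word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a pet name and a hobby stand in for personal details.
    personal = ["Maxwell", "hiking"]
    for pw in ["Fluffy2019!", "M4xw3ll-Loves-Tr3ats", "river-Cactus-9-violin-moth"]:
        print(pw, "->", check_master_password(pw, personal) or "passes")
```

The second sample meets every length and character-type requirement and is still rejected, because swapping letters for digits does not remove a personal word from a tailored dictionary.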
Install the browser extensions available for Chrome, Firefox, Safari & Internet Explorer here. These extensions allow Keeper to automatically create entries in your vault for credentials you enter into different websites. They also allow Keeper to automatically enter credentials on sites for which you have saved entries. For example: If you have saved credentials for Facebook in your Keeper Vault, Keeper will offer to enter those credentials when you visit Facebook.com.
Download the Keeper Vault for your Desktop (Mac, Windows, Linux) from here.
Download the Keeper App for your mobile devices.
UAB IT has a procedure for secure media destruction of discs, CDs, DVDs, tapes and hard drives.
Departmental IT personnel should call AskIT or submit a ticket to AskIT requesting an appointment for secure media destruction, then fill out a UAB Secure Media Destruction Custody Form with the ticket number. AskIT staff will make an appointment for you to bring the media and the form to the AskIT help desk in Cudworth Hall (CEC 225).
- The individual transferring the media to UAB IT's AskIT help desk is required to verify all media listed on the forms is present.
- All media must be listed on forms and numbered.
- Media not numbered or listed on forms will not be accepted.
- All fields on forms must be completed.
- Each form must accompany the related media.
Once in the possession of AskIT, the media is stored securely until it is picked up by UAB IT staff for transport to the destruction site. The media is delivered to the Waste Holding Facility to be destroyed using the metal shredder or incinerator as appropriate. UAB IT personnel are required to witness the destruction of media and record this on the form you submit. The form will be attached to the work order created with AskIT.
The guidance is for members of the UAB campus community who wish to use cloud applications and services available on the Web, including file storage, Web conferencing and content hosting.
While recognizing that cloud services can fill a need in certain areas, UAB IT reminds all UAB employees to use appropriate due diligence when entering into agreements, especially with cloud providers. UAB employees should not store sensitive/restricted information in a cloud service without University-approved agreements in place.
UAB employees cannot subscribe to cloud services to store sensitive or classified data (see UAB Data Protection and Security Policy for what UAB defines as sensitive data) without an appropriate agreement directly with UAB — and employees cannot be reimbursed for such cloud subscriptions without an affirming statement that the data stored is not sensitive.
Over the coming months, additional information will be released, including guidelines for specific cloud services.
More information about the cloud guidance can be found here.
UAB Hospital employees should refer to guidance from HSIS with regard to using cloud services.
Monthly Training Newsletters
UAB IT is now providing information security training materials to inform university faculty, staff and students about computer threats. Each month a newsletter will be released focusing on new and different cyber security threats. Contact the UAB IT Information Security office for more specific training options that can increase the protection of your information systems.
August 2013 - Protecting Your Passwords
September 2013 - Encryption - Protecting Sensitive Information
October 2013 - see links below for National Cyber Security Month publications
November 2013 - Data Protection
December 2013 - Permanently Erasing Data
January 2014 - Wifi Security
Link to Week 1 Article
Link to Week 2 Article
Link to Week 3 Article
Link to Week 4 Article
If you experience any issues with PGP, please report them to the help desk, AskIT, by email at AskIT@uab.edu, or by phone at 205-996-5555. Please be sure to provide the following information:
- Error messages
- Computer make and model
- Internet connection type
- PGP installer version
- Estimated time of occurrence (if possible)
Common Solutions to Installation Issues
- Verify that you are an administrator of the system on which you are attempting to install PGP.
- Open your web browser and ensure that you have Internet connectivity by opening a website.
- Be sure that you have a current installation package for PGP Desktop. Visit www.uab.edu/it/software for the latest installation files.
- Ensure that you are using your BlazerID and strong password for the PGP Enrollment credentials.
Common Solutions to Password Related Issues
- Verify that Caps Lock is not on while authenticating.
- If you recently changed your account password, you may have to provide the old password until you log in to the system with your new password.
- If the previously mentioned steps do not resolve your issue, you should call the AskIT Help Desk to request a PGP recovery token for the system or portable device. A recovery token is a one-time password that will allow you to bypass PGP, but it will not bypass the operating system password; you are still required to log in.
Common Solutions to Boot/Startup Related Issues
- Ensure that a keyboard is connected to the system. Systems such as tablets without physical keyboards will not be able to authenticate on the PGP boot screen.
- Remove any CDs, DVDs or USB drives from the system. Many of these devices have features that allow them to start before the system hard drive.
- Does the system have multiple operating systems or Dell Media Direct? If so, then you will need to contact your support personnel to assist you with the recovery of your hard drive. Please note that PGP should never be installed on systems with multiple operating systems, as it will render the system inoperable.
- See the PGP Recovery documentation for further support.