The Johns Hopkins Gazette: October 11, 1999
VOL. 29, NO. 7


All University Computer Users Need to Protect Passwords

By Greg Rienzi
The Gazette

Locksmiths might still be in demand, but these days, numbers and letters, not chiseled-out metal, are the real keys. Whether it be to your house, car, computer system, ATM or credit card account, a punched-in code is fast becoming the front-line defense for all your valuable possessions and information.

These new keys, however, cannot be put on a ring. They go instead into the mind of the owner so that, at least in theory, it would take an individual with the powers of the Amazing Kreskin to get at them.

That is, unless you just tell someone your code.

Although people might think twice before giving out their credit card number to just anyone who asked for it, a recent report by the Office of Audits and Management Services has found that many Hopkins individuals aren't as secretive with their computer passwords and user IDs.

Barry White, manager of information systems auditing in the Office of Audits and Management Services, spent part of his summer learning the tactics of those who illegally try to obtain computer and network system access codes by doing nothing more than simply asking the users. The process is called social engineering, hacker terminology for getting needed information, such as a password, from a person rather than by breaking into a system. Hackers can thus bypass firewalls and other computer security measures by going through what might be the system's weakest link: the human at the keyboard.

One technique used by social engineers is to telephone a computer user and pretend to be someone in authority, such as a network systems manager, and then invent a seemingly plausible situation that would justify the user's giving up his or her password or ID. For one month this summer, White led a series of social engineering tests, which included direct contact with computer users by voice or e-mail, to determine the level of security awareness at the university.

The findings, White says, were not encouraging.

"Social engineering techniques do work, even in higher education," White says.

Stephanie Reel, the university's chief information officer, says recent computer security issues at Hopkins should serve as a wake-up call that no computer system is 100 percent secure.

"Across the university, faculty, students and staff are becoming much more aware of the importance of information security. We are all beginning to realize that it is our responsibility to protect information," says Reel, adding that safeguarding computer systems has to be an ongoing effort with everyone's assistance. "Our information technology staff will continue to investigate tools and techniques to support this need."

White says the major factor at work in theft of information is trust. Users are lulled into a false belief that by giving out their password or user ID they are being helpful, rather than potentially compromising the security of private data and networks.

Anyone with an authorized password to a system is a security risk, White says, and more people should be aware of the dangers of user IDs and codes falling into the wrong hands.

"One aspect of the problem is that people don't associate their computer passwords with their own financial stability, as say they would with an ATM PIN," White says. "But giving out your password is a major security violation. There are hundreds of different networks here at Hopkins, and some people have access to more than one system."

White adds that even those with limited security access could be connected to larger mainframe systems that contain such valuable and private information as employee records or research data.

Luckily, according to White, the answer to the social engineering problem is rather simple: "The general rule is, don't give out your user ID, and never reveal your password to anyone unless it's ordered by a court of law," he says, "especially if you can't see the person, or it's someone you don't know." White smiles and adds, "Not even if President Brody asks you for it."

Other useful advice he gives regarding passwords and user IDs is "don't write them down." White says he personally has observed passwords left on Post-It notes affixed to monitors.

"It is also a good practice for users to change their passwords every 90 days or so," White says. According to White, a password should be at least six characters long and no more than 15, and should consist of an alphanumeric combination.

Stephanie Reel says that in order to protect sensitive information, computer security practices and procedures are likely to become more stringent in the near future.

"Within the next few years, we will begin to see legislation and regulation that will require us to become more aggressive in this area," Reel says. "Together we will find the best ways to comply with these regulations, while supporting the need for collaboration and communication across the university and health system. This will be a balancing act for sure."

For any questions pertaining to password administration, contact the Office of Audits and Management Services at 410-516-6391.