Kansas State University

IT News

Tag: password

Choosing security questions/answers; lessons learned from Palin e-mail hack and password security

The compromise of Alaska Governor Sarah Palin’s Yahoo! e-mail account last September offers many lessons about security, including the risk of using a free commodity e-mail service for conducting official business. Likewise, be cautious about what you store in your e-mail — the hacker posted some of Palin’s e-mail messages, photos, and her address book on the Internet. However, the focus of this article stems from the technique used by the hacker (purported to be a student from the University of Tennessee) to access Palin’s e-mail.

The perpetrator was able to change Palin’s password by answering three security questions — her date of birth, home zip code, and where she met her husband — answers easily discovered through simple Google searches. Challenge-response systems like these are common security features used in self-service websites for resetting a forgotten password, like the site used by the hacker to reset Palin’s Yahoo! password and access her e-mail. Even K-State’s eID Profile system uses a challenge-response security question to facilitate self-service password resets.

Password-stealing e-mail scams are back!

Not surprisingly, last Friday saw the return of a spear phishing e-mail scam that tries to steal K-Staters’ eID passwords by tricking them into replying to a bogus e-mail pretending to be from “THE KSU HELP DESK <hlpdsk@ksu.edu>”. What is surprising is that at least six K-Staters were duped by the scam and replied to the e-mail, thereby giving their eID password to criminals who promptly used the stolen credentials to sign in to K-State’s WebMail system and send large amounts of spam. This resulted in e-mail from K-State being temporarily blocked by Hotmail over the weekend.

Thus, a repeat of past warnings is warranted: K-State IT support staff will NEVER ask for your password in an e-mail! Nor will any reputable company. If you receive an e-mail asking for your password, assume it is a scam and delete it.

A copy of the scam e-mail from Sept. 5, along with dozens of other scams targeting K-State, is available on K-State’s IT security website. Hints on how to recognize a scam are also available.

Password-change deadline for eIDs is Sept. 10

Wednesday, Sept. 10, is the deadline for changing passwords on K-State eIDs for the fall semester. This mandatory password change each fall and spring semester applies to both individual eIDs and group eIDs. It prevents long-term use of the same password (a known risk factor) and is the reason passwords cannot be reused within a two-year period.

  • To change your password: Sign in on the eid.k-state.edu website,
    click “Change your eID password”, and follow the steps.
  • Forgot your password? Call the IT Help Desk, 785-532-7722, and
    verify your identity. Staff can set a temporary password for you so
    you can sign in.
  • For more about passwords, including tips on choosing a good one,
    read the Password FAQs.

An e-mail reminder is typically sent to eIDs with unchanged passwords a week or
two prior to the deadline.