RIT
Systems and Technologies

March 11, 2009

Changing Your Password - Separating the Scams from the Legitimate Requests

We have seen an increase in the number and sophistication of password scam emails recently, and have also implemented a new requirement that all RIT users change their account password every 120 days. These two items taken together have caused some confusion. We hope this message provides clarification. Please read it carefully - your immediate action may be required.

Password Scams

Over the past couple of weeks we have seen an increase in the quantity and sophistication of scam emails designed to trick people into giving away the username and password for their RIT computer account. These "phishing" emails have become more clever and deceiving over time - some address the user by name, most are much better written than those in the past, and some are even made to look like they come from a legitimate RIT support organization.

Despite their sophistication, there is one easy way to spot and avoid these scams: If an email asks you to reply with your username and password, IT IS NOT LEGITIMATE. This is true not only for RIT but for other organizations and services as well. No employer, bank, or legitimate service provider will ever ask you to send your username and password via email. Please be aware of these scams, and do not respond at all. We would appreciate your forwarding these emails as you see them to spam@rit.edu. This will allow our spam filters to better clean inbound messages to your Inbox.

Legitimate Password Change Notifications

ITS has recently implemented a password expiration procedure to ensure that all RIT computer accounts comply with the RIT Password Security standard, which requires that passwords be changed every 120 days. Legitimate weekly email notifications (such as the one below) have been sent for months to those accounts whose passwords will expire. If you receive one of these emails, you must change your password; otherwise it will expire starting on March 16, 2009. Legitimate emails such as these are easy to distinguish: They direct you to a secure and trusted website - in this case http://start.rit.edu. If you are at all unsure of the source of the email, it is always a good practice to type the website name into your browser, rather than clicking on the link within the email.

If you have not changed your password in 2009, please quickly check if it will expire soon. To do this:

  1. Go to http://start.rit.edu
  2. Click on "Password Change" in the upper left corner.
  3. On the next screen (titled "Changing Password for {Your Account Name}") you should see a date when your account will expire. If you do not see an expiration date here, your password may expire as soon as Monday, March 16, 2009. If this is the case, please hit the "Continue" button and follow the instructions for changing your password.

If there are any questions about this, please ask - we are here to help. The ITS HelpDesk can be contacted at 585-475-4357 (p), 585-475-2810 (tty), or via email at helpdesk@rit.edu.

Thank you all for helping to keep RIT confidential information safe and secure.

Dave Pecora
Director, ITS Support
Information and Technology Services
Rochester Institute of Technology
(585-475-7646)
Dave.Pecora@rit.edu

Ben Woelk '07
Information Security Communications and Training Specialist
Rochester Institute of Technology
Ross 10-A204
151 Lomb Memorial Drive
Rochester, New York 14623
585.475.4122
585.475.7920 fax
ben.woelk@rit.edu
http://security.rit.edu/dsd.html

Sample of a Legitimate RIT Password Change Notification

RIT computer accounts now require that password changes be made at least once every 120 days. ITS will begin expiring passwords on Monday, March 16, 2009. You are receiving this message because the password for the account [Your RIT Computer Account] is due to expire on (or soon after) March 16. To prevent your password from expiring, please change your password as soon as possible. If you allow your password to expire, you will need to contact the ITS HelpDesk in person or by phone to regain access to your account.

To change your RIT computer account password, visit http://start.rit.edu and select the "Password Change" option on the left-hand menu bar.

You can view the RIT Password Standard on the Information Security Office (ISO) website, at http://security.rit.edu/password.html. If you have questions about the standard, you can reach the ISO at infosec@rit.edu.

If you have any other questions, please contact the ITS HelpDesk at 585-475-4357 (voice), 585-475-2810 (tty), helpdesk@rit.edu (email), or in person at the Gannett Building (7b), room 1113.