Passwords

Using LinkedIn’s New Two-Factor Authentication

The growing trend in sites adding two-factor authentication to their log in process has many feeling more secure in their social media and other online interactions.

With passwords being easy to compromise with phishing attacks, many users have been hoping for something more secure.  Two-factor authentication gives a double protection on your account, requiring you to know something (your password), and have something in your possession (a token).  The token can be any number of devices, cards or other physical items, often generating unique codes as proof you have the object.  Think of ATMs.  You need to have the ATM card (the token) and know your PIN in order to access your account and do any transactions at the ATM.  One without the other and you can’t get in.

LinkedIn is using a single-use code sent via SMS to whatever mobile number is listed on the account.  Your mobile device serves as your token.  This code is entered into the site after you enter your password to complete the two-factor authentication.  The idea behind this is if your password happens to be cracked or phished, as long as you don’t lose or compromise your phone, you are still safe from attackers logging into your account (though you should change your passwords and do a virus scan to be safe if your password gets compromised!).  

Want to enable this security feature for your own LinkedIn account? LinkedIn provides some instructions here:  http://www.slideshare.net/linkedin/two-step-verification-on-linked-in.  

Many other sites have similar security features so check out your account settings and give yourself an extra layer of protection.

SECURITY NOTES:

As with any security chain, there are ways this could possibly be compromised.  The easy way is if an attacker knows your password and stole your phone.  A more sophisticated way is if you get phished for both your password and the code just sent to you, and the attacker users both before the code expires.  How likely could these happen?  Well that’s up to your security prowess.  Read more on our website about creating secure passwords (https://www.rit.edu/security/content/password), avoiding phishing attempts (https://www.rit.edu/security/content/phishing) and best practices when it comes to mobile device security (https://www.rit.edu/security/content/mobile-devices). 

Password

Passwords

Having a strong password is increasingly important. Weak passwords can be "guessed" or "cracked" using free software available online, allowing unauthorized access that can result in identity crimes, extortion, or damage to reputation through the disclosure of sensitive or private information (yours and RIT's). Choosing a strong password and changing it regularly are two of the most important things you can do to protect yourself online.  Follow the password standard and subscribe to our social media outlets for password tips and tricks!

Password Standard

Documented Standard

Summary

  • Be at least 8 characters long (a longer passphrase is preferred)
  • Use both upper and lower case letters and at least one number, and one special character
    • We suggest putting numbers and special characters in the middle of the password, not at the beginning or end
  • Change it annually (at a minimum)
  • DO NOT use your username
  • DO NOT reuse for at least six changes of password

For more information, visit Creating Strong Passwords

RIT Computer Accounts

To change the password for your RIT Computer Account, visit http://start.rit.edu. Contact the ITS HelpDesk (585-475-HELP) if you've forgotten your password or it is not working.
 
Subscribe to RSS - Passwords