Skip to content

Published on

Between all of your online accounts, whether personal or work accounts, you probably have many unique — and complex — passwords to manage.  And since you know better than to write them down in a notebook, have them on sticky notes hidden under your mouse pad, or stored digitally on your desktop, what are you supposed to do? 

Passwords are one of the most vulnerable cyber defenses used to protect our online accounts, as passwords are the only barrier between online accounts and cybercriminals who have a desire to access to our data and systems. Utilizing a password manager is a security best practice that cyber professionals are recommending for us.  

Along with other security tips, password managers minimize the risk of mis-managing our passwords. The question that arises here, are password managers secure, and what is our responsibility here to manage the password manager? 

What is a Password Manager?

A password manager is software that allows users to generate passwords, store, and manage account information including usernames and passwords all in one location. Password managers offer other features such as complex password suggestions, identifying weak or repeated passwords used, and alerting its users when their credentials appear compromises. When you use a password manager, you will set a password that is often referred to as the “master” password.  This will be the only password you will need to remember.

Password managers are available in different formats: 

  • An online service hosted by a third party and accessed through a website portal. This type is useful if you need access to the password manager from multiple devices. 
  • Software installed locally on a workstation that can operate either completely offline or connected to the internet to synchronize your information to a cloud database and get software updates.  

Are Password Managers Secure? 

Password managers can offer a high level of security level for account credentials and information, if best practices are used to secure their master password.  Whether you use, or planning to get, an online, or an offline password manager, you need to follow the following practices: 

  • Do your research and get a trusted password manager software that has a high reputation in the industry. 
  • Use a strong master password for your password manager account and never forget it. Some password manager vendors would never retrieve your account if you can’t remember your master password. 
  • Enable two-factor-authentication (2FA) to your password manager account for an extra layer of security.  
  • Keep your password manager software, web browsers, and all other software you use up-to-date. 
  • Audit the list of devices that are approved to access your password manager. 
  • For work-related accounts, always use password managers that are approved by your organization. Follow your organization’s policies, standards and procedures when processing, storing or sharing work-related data. 

Remember, if password managers are managed appropriately, they will offer you the level of security you are looking for to your online accounts’ passwords. 

This post is presented by the GW IT Cybersecurity Risk and Assurance team with information from CISA.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse@gwu.edu

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Published on

Longer passwords make brute force attacks more difficult. Brute force attacks involve malicious actors using powerful computers to guess your password. As you can see in the following chart provided by researchers at Hive Systems, the best protection against Brute Force attacks are complex passwords containing at least 13 upper and lower case letters.

It is estimated that passwords of this moderate complexity will take 241 million years to crack.

Adding numbers to the moderate complexity password containing 13 upper and lower case letters increases the password resilience against compromise to 2 billion years.

An even more secure password that adds symbols, would increase the 13 character password resilience to 11 billion years.

For extreme protection, particularly to guard against improvements in processing power of computers, an 18 character password containing numbers, upper and lower case letters, and symbols would take an estimated 19 quintillion years to compromise.

It is important to note that password complexity protects against automated guessing. A 13 character password that contains mixed case words may be difficult for a computer to compromise. However, access to personal information may enable a person to guess a password much more easily than a computer. Consider the implications of family names, birthdates, and occasions being shared on social media and how this information provides some contextual information that could assist someone in their password guessing attempts.

Source: Hive Systems https://www.hivesystems.io/password

This post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse@gwu.edu

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Published on

GW Cyber Risk - One Minute Read

The FTC provides information concerning fake text messages you might receive. We have included excerpts of the content below as well as a link to the full article. The article describes the problem, provides examples, as well as offers tips on actions you can take if you receive fraudulent texts. Our bottom-line advice, validate text messages prior to taking actions they request using one or more of the following:

  • Pause and think before replying or following links. Even 'urgent' shipping notices can wait a few minutes.
  • Check you order history on merchants' websites. You have alternative means to check on order shipping status.
  • Review order confirmations and shipping updates in email messages to cross reference order messages.
  • Contact the sender, whether it is your boss or someone else, through a trusted method to verify they were the author and confirm details.

How to Recognize and Report Spam Text Messages - FTC Article

Excerpted from: https://consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages#what_to_do

If you have a cell phone, you probably use it dozens of times a day to text people you know. But have you ever gotten a text message from an unknown sender? It could be a scammer trying to steal your personal and financial information. Here’s how to handle and report unwanted text messages.

fraudulent SMS text example

Spam Text Messages and Phishing

Scammers send fake text messages to trick you into giving them your personal information — things like your password, account number, or Social Security number. If they get that information, they could gain access to your email, bank, or other accounts. Or they could sell your information to other scammers.

Scammers often try to get you to click on links in text messages by promising you something. Scammers might

  • promise free prizesgift cards, or coupons — but they’re not real
  • offer you a low or no interest credit card — but there’s no deal and probably no card
  • promise to help you pay off your student loans — but they won’t

Scammers also send fake messages that say they have information about your account or a transaction. Scammers might

  • say they’ve noticed some suspicious activity on your account — but they haven’t
  • claim there’s a problem with your payment information — but there isn’t
  • send you a fake invoice and tell you to contact them if you didn’t authorize the purchase — but it’s a scam
  • send you a package delivery notification— but it’s fake

The messages might ask you to give some personal information — like how much money you make, how much you owe, or your bank account, credit card, or Social Security number — to claim your gift or pursue the offer. Or they might tell you to click on a link to learn more about the issue. Some links might take you to a spoofed website that looks real but isn’t. If you log in, the scammers then might steal your username and password.

For more information and the full article please visit the FTC website https://consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages.

This post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Published on

The following Infographic provided by Cybersecurity & Infrastructure Security Agency (CISA) contains ways for everyone to stay safe online. A download link for the infographic is provided below.

4 ways to stay safe online: Recognize & report phishing Delete phishing messages Use Strong Passwords Turn on Multifactor Authentication (MFA)
CISA Infographic - Tips to stay safe

Secure-Our-World-4-Easy-Ways-Stay-Safe-Online-Tip-Sheet-page-1Download

This post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse@gwu.edu

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp@gwu.edu, or visit ithelp.gwu.edu

Published on

Cybersecurity is a shared responsibility for everyone. You can help #secureoutworld through direct action. Account compromises impacts individuals, families, organizations, and employers. The following tips can assist you in keeping your information and GW data safe.

The Core 4

As with most things in life, an ounce of cybersecurity prevention is worth a pound of cure. Follow our "Core 4" to show hackers you mean business.

1. Passwords / Password Managers

Use long, complex, and unique passwords. Every password should be at least 12 characters long and include letters, numbers, and symbols (like % or $). Ideally, your passwords should be random strings of characters, not recognizable words. Very importantly, each account should be protected by its own unique password. To create and store all these passwords, use a password manager!

2. Multi Factor Authentication

Switch on multi-factor authentication. Multi-factor authentication (MFA), sometimes called 2-factor authentication, adds a whole other level of security beyond your password. MFA will use biometrics, security keys, text messages, or an app to make sure you are you, even if a hacker gets access to your password. Enable MFA for any account that allows it!

3. Recognize and Report Phishing

Think before you click. Learn how to identity phishing messages, which will often try to inspire panic or urgency. Take a few seconds to read through the message and who sent it. With a little knowledge, you can spot most phishing attempts within moments.

4. Automatic Updates

Turn on automatic updates. The best way to get the latest, strongest security is to install software updates as soon as they are available - and the best way to know when they are available is to turn on automatic updates! Set it, forget it, and you won't regret it!

Checkout the Events Calendar for details on webinars related to the Core 4 and other cybersecurity topics.

Source: National Cybersecurity Alliance https://staysafeonline.org/online-safety-privacy-basics/hacked-accounts

This blogpost is offered to you by the GW Information Security and Risk Services team. 

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu

Published on

Phishing occurs when criminals try to get us to open harmful links, emails or attachments that could request our personal information or infect our devices. Phishing messages or “bait” usually come in the form of an email, text, direct message on social media or phone call. These messages are often designed to look like they come from a trusted person or organization, to get us to respond.

The good news is we can avoid the phish hook and keep our accounts secure with these tips!

Stay Safe with Three Simple Tips

1. Recognize

Look for these common signs:

  • Urgent or emotionally appealing language, especially messages that claim dire consequences for not responding immediately
  • Requests to send personal and financial information
  • Untrusted shortened URLs
  • Incorrect email addresses or links, like amazan.com

A common sign used to be poor grammar or misspellings although in the era of artificial intelligence (AI) some emails will now have perfect grammar and spelling, so look out for the other signs.

2. Resist

If you suspect phishing, resist the temptation to click on links or attachments that seem too good to be true and may be trying to access your personal information. Instead, report the phish to protect yourself and others. Typically, you’ll find options to report near the person’s email address or username. You can also report via the “report spam” button in the toolbar or settings.

3. Delete

Delete the message. Don’t reply or click on any attachment or link, including any “unsubscribe” link. Just delete.

If a message looks suspicious, it's probably phishing. 

However, if you think it could be real, don't click on any link or call any number in the message. Look up another way to contact the company or person directly:

  • Visit a verified website for the company and use this contact information. To find verified websites, search for the site in your web browser or type the address yourself if you’re sure you know it.
  • Use another way to reach the person to confirm whether they contacted you. For example, if you get a strange message from your friend on Facebook, and you have their phone number, text or call them to ask if they sent the message.

GW faculty, students, and staff can forward suspected phishing emails to abuse[@]gwu.edu.  This account is monitored by the GW IT Security team.  They investigate phishing reports to ensure that others at GW do not have the phishing message in their inbox.

Additional Tips available on the Secure-Our-World-Phishing-Tip-Sheet  as well as in the following video published by CISA.

Recognize and Report Phishing (Audio Description)

Posting content obtained from https://www.cisa.gov/secure-our-world/recognize-and-report-phishing

Published on

Creating, managing, and using complex passwords for the many sites and services we all access is a daunting task.  While password managers can assist with the memorization and management challenges, traditional passwords do not leverage modern security capabilities.  A rapidly evolving technology involves passkeys in place of passwords.  At a basic level passkeys leverage your personal computer, mobile device, or even a password manager to provide a validated (through finger print for example) encrypted response to login challenges from a website you have an account on.  This process effectively replaces the matching of a password you submit to one stored on the site.  In the passkey scenario you are providing an encrypted answer to a unique challenge and all of the communications are encrypted.  Through the use of public key and private key technology and in underlying technology, your identity is verified and access granted without your private key being transferred.   There is a more technical explanation of the passkey process here: Passkey (Passkey Authentication) Technopedia June 2023. Basic passkey process steps:

  1. You establish a passkey on a website that supports it using a device that supports the technology.
  2. Once established, when you access a site instead of entering a password, your device will ask you to verify your identity
  3. You use device-based authentication (PIN number, fingerprint, or facial recognition) on your personal device to authorize website access.
  4. Your device responds to the site through an encrypted message confirming your identity.
  5. The website then grants you access.

The process of the challenge question to your device and the messaging back to the site is encrypted, your private key is not transferred, and information about the web site all combine to make this login approach more secure than using passwords.  Using passkeys should help reduce inadvertent credential compromises through fraudulent websites with the added safeguards built in around site verification. A PCWorld article - Passkeys Explained: How to Embrace a Passwordless Future Today from May 2024 has additional information on passkeys and notes there are directories of providers that support passwordless logins:

Services with passkey support

There is no official directory of all providers with passwordless login. Lists are provided by Passkeys.ioPasskeys Directory, and Keeper, among others.

If you utilize a password manager, most offer support for managing and using passkeys. Cloud services can enable passkey use across multiple devices.  While there are many options to explore a simple way to get started would be using solutions from vendors deeply connected to devices and the device operating systems software like Google, Apple, and/or Microsoft.

Ars Technica published an article in May of 2023 with frequently asked questions about passkeys  Passkeys may not be for you, but they are safe and easy—here’s why   The article covers common questions about privacy, personal account security, and trust.  The following excerpt from the site recaps how the passkey process works while enhancing your personal cybersecurity. (emphasis added).

Que: Passkeys give control of your credentials to Apple/Google/Microsoft, to a third-party syncing service, or to the site you’re logging in to. Why would I ever do that? Ans: Assuming you’re using a password to sign in to a service such as Gmail, Azure, or Github, you’re already trusting these companies to implement their authentication systems in a way that doesn’t expose the shared secrets that allow you to log in. Logging in to one of these sites with a passkey instead of a password gives the sites the same control—no more and no less—over your credentials that they had before.

The reason is that the private key portion of a passkey never leaves a user’s encrypted devices. The authentication occurs on the user device. The user device then sends the site being logged in to a cryptographic proof that the private key resides on the device logging in. The cryptography involved in this process ensures that the proof can’t be spoofed.

Key takeaways:

  • Passwords will still be present for many sites for some time.
  • Passkeys provide more secure authentication for sites and device that support them.
  • Explore passkeys on a couple of sites and expand your use as you gain experience.
  • It is a good idea to try the technology, as it will become more prevalent and in some cases required to access web applications.

unofficial GW hippo mascot holding a lockThis post is presented by the GW IT Cybersecurity Risk and Assurance team.

#SecuringGW is a shared responsibility, so if you see something, say something. Report suspicious digital activities, including phishing emails, to abuse[@]gwu.edu. 

IT Support Questions? For IT support, please contact the Information Technology Support Center at 202-994-GWIT (4948), ithelp[@]gwu.edu, or visit ithelp.gwu.edu

 

Published on
Before spilling your digital secrets to ChatGPT or other AI tools, remember it's more sieve than vault!  The amount of stolen ChatGPT accounts is just unbelievable. Why? Because criminals know people copy/paste sensitive data into ChatGPT conversations. Here are a few tips to keep you safe when using any AI tools:
  1. Beware of fake AI apps and browser extensions that may be malware or phishing scams
  2. Never enter sensitive information or PII while using AI tools
  3. Treat AI tools like a knowledgeable but overconfident friend, and use them cautiously
Want even more tips on how to stay safe using AI? Continue reading or watch this 1-minute video: (material by Wizer-training.com)
  • Never enter sensitive information of personally identifiable information (PII) while using AI tools.
  • Remove mentions of GW, faculty, staff and student names from content put in AI tools.
  • Ensure that AI-generated information is validated through other sources prior to using.
  • Understand potential bias in AI-generated content.
  • Thoroughly review AI-generated code before using.
  • Treat AI tools like a knowledgeable but overconfident friend and use them cautiously.

    • Content provided by wizer-training.com

Published on

The National Cybersecurity Alliance partnered with Consumer Reports to bring you a new animated video [opens YouTube link] about how you can take control of your data! Check out "The Tale of Privacy Peyton" below, and download Consumer Reports' Permission Slip.

Image of for Tale of Privacy Peyton Video

Published on

Content from National Cybersecurity Alliance. (2023, November 22). Take control of your data.

ALL YOUR ONLINE ACTIVITY GENERATES A TRAIL OF DATA

Your online activity creates a treasure trove of data. This data ranges from your interests and purchases to your online behaviors, and it is collected by websites, apps, devices, services, and companies all around the globe. This data can even include information about your physical self, like health data – think about how an app on your phone might count how many steps you take. 

You cannot control how each little piece of data about you and your family is collected. However, you still have a right to data privacy. You can help manage your data with a few repeatable behaviors. Your data is valuable and you deserve to have a say! 

Here are some simple, easy tips you that will help you manage your data privacy:

Know the tradeoff between privacy and convenience 

Nowadays, when you download a new app, open a new online account, or join a new social media platform, you will often be asked for access to your personal information before you can even use it! This data might include your geographic location, contacts, and photos.

For these businesses, this personal information about you is tremendously value — and you should think about if the service you get in return is worth the data you must hand over, even if the service is free.

Make informed decisions about sharing your data with businesses or services:

  • Is the service, app, or game worth the amount or type of personal data they want in return?
  • Can you control your data privacy and still use the service?
  • Is the data requested even relevant for the app or service (that is, “why does a Solitaire game need to know all my contacts”)?
  • If you haven’t used an app, service, or account in several months, is it worth keeping around knowing that it might be collecting and sharing your data?
Adjust privacy settings to your comfort level

For every app, account, or device, check the privacy and security settings. These should be easy to find in a Settings section and should take a few moments to change. Set them to your comfort level for personal information sharing; generally, we think it’s wise to lean on the side of sharing less data, not more.

You don’t have to do this for every account at once, start small and over time you’ll make a habit of adjusting all your settings to your comfort. We have in-depth, free resources like our Manage Your Privacy Settings page that lets you check the settings of social media accounts, retail stores, apps and more.

Protect your data

Data privacy and data security go hand-in-hand. Along with managing your data privacy settings, follow some simple cybersecurity tips to keep it safe. We recommend following the Core 4: 

Manage Your Privacy Settings

Viewing Message: 1 of 1.
 Notice

This site uses cookies to offer you a better browsing experience. Visit GW’s Website Privacy Notice to learn more about how GW uses cookies.