Using NetIDs requires that you enter your passwords in various online forms. This creates a risk of password theft. Stolen passwords endanger the entire Northwestern community because most security breaches start with a normal account whose password has been stolen.
There are a number of ways passwords can be stolen. Be aware of the following methods, keep your password private, and change it frequently to deter theft. More information about computer security is available at Secure IT @ NU.
- Password Peeking and Stealing
- Passwords in Scripts
- Passwords in Browser History
- Using Insecure Browsers and Servers Instead of Secure Forms
- Password "Sniffing"
- Charlatan Servers Stealing Your Password
Password Peeking and Stealing
One of the biggest dangers to NetID password security is users giving away their passwords to co-workers, family, or friends, or allowing them to be stolen due to carelessness. Please be aware that sharing your NetID password is in direct violation of Northwestern IT policy. You should memorize your password, but if you must write it down, be careful! Record the password as two separate pieces or otherwise disguise it. Do not keep it in plain sight or anywhere it might be found by others. Hackers have even found passwords in the garbage, so always tear up any copy of a password you discard.
Also, do not leave passwords in login scripts or other scripts on your computer, since anyone who reads through those scripts can take the password and use it to steal or compromise your data. Browsers that support forms provide a password field type that does not echo the text typed into it: when you type your password into one of these fields, it appears in the box only as a string of asterisks. All Northwestern Web forms that ask for a password should use this field type.
Passwords in Scripts
Passwords may be left in modem scripts or other scripts on your computer. These passwords can be stolen if the computer is stolen, or if the computer is accessed by someone while you are absent.
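The two passages above warn against leaving passwords in login, modem or other scripts. The following is an added example, not code from the original page or from Northwestern IT, of a small Python checker that scans script text for a literal value assigned to a password-like variable name and skips assignments that only reference an environment variable. The script contents, file names and variable names below are constructed samples, not real files.

```python
import re

# Constructed sample scripts (not from the page): the kind of login or
# dial-up scripts the text warns about, plus one that reads the password
# from the environment instead of embedding it.
SAMPLE_SCRIPTS = {
    "dialup.sh": (
        "#!/bin/sh\n"
        "USER=jdoe123\n"
        "PASSWORD='hunter2'\n"
        "dial --user $USER --pass $PASSWORD\n"
    ),
    "backup.py": (
        "import os\n"
        "netid_password = os.environ.get('NETID_PASSWORD')\n"
        "token = 'changeme'\n"
    ),
    "notes.txt": "Remember to rotate the password monthly.\n",
}

# A credential-like variable name followed by '=' or ':' and a literal value,
# optionally quoted. Case-insensitive; verbose mode for readability.
_CRED_ASSIGN = re.compile(
    r"""(?ix)
    \b(?P<name>[a-z0-9_]*(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)[a-z0-9_]*)
    \s*[=:]\s*
    (?P<quote>['"]?)(?P<value>[^'"\s]+)(?P=quote)
    """
)


def find_hardcoded_credentials(text):
    """Return a list of (line_number, variable_name) for lines that assign a
    literal value to a password-like variable.  Values that are shell variable
    references ($VAR, %VAR%) or come from the process environment are skipped,
    because those are the recommended alternatives to embedding the secret."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = _CRED_ASSIGN.search(line)
        if not match:
            continue
        value = match.group("value")
        if value.startswith(("$", "%")) or "environ" in line:
            continue
        hits.append((lineno, match.group("name")))
    return hits


def scan_scripts(scripts):
    """Map each script name to its findings; scripts with no findings are omitted."""
    report = {}
    for path, text in scripts.items():
        hits = find_hardcoded_credentials(text)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_scripts(SAMPLE_SCRIPTS).items():
        for lineno, name in hits:
            print(f"{path}:{lineno}: literal value assigned to {name!r}")
```

The pattern is deliberately a heuristic: it will miss passwords passed as bare command-line arguments and may flag harmless variables whose names happen to contain "key", so treat its output as a list of lines to review rather than a verdict.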
Passwords in Browser History
Web browsers allow users to revisit previously retrieved pages by moving backwards and forwards through page histories. Pages are also kept in the "view history" record of the browser. If you enter your NetID and password in a Web form, submit the form and then leave without quitting the browser, it is possible for the next person using that computer to access and use your password for other transactions. This is of particular concern if you use a browser in a computer lab. If you do, be sure to quit your browser before leaving.
Using Insecure Browsers and Servers Instead of Secure Forms
Most newer browsers permit "secure" (encrypted) connections with a secure server, which prevents "sniffing" of the path between your computer and the server. A secure connection is indicated by an address (URL) that starts with https rather than http.
You can always look at the "document information" in the "File" menu to see how the page is certified. Not all secure paths can be trusted, because an encrypted connection only protects the path and does not by itself prove that the server at the other end is genuine: charlatans may be trying to steal your password.
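The sections above describe three things a well-built login form should do: submit over https, avoid leaving the credentials in the browser's history, and use a non-echoing password field. The following is an added example, not code from the original page or from Northwestern IT, of a Python audit that parses a login form and reports which of those practices it violates. It goes one step beyond the text on the history point by also flagging forms submitted with GET, since a GET submission places the password in the URL and therefore in the history record. The two sample forms, the host name login.example.edu and the finding codes are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages (not from the page): one weak login form and one
# that follows the practices described above.
WEAK_FORM = """
<form action="http://login.example.edu/auth" method="get">
  NetID: <input name="netid" type="text">
  Password: <input name="password" type="text">
  <input type="submit" value="Log in">
</form>
"""

GOOD_FORM = """
<form action="https://login.example.edu/auth" method="post">
  NetID: <input name="netid" type="text">
  Password: <input name="password" type="password">
  <input type="submit" value="Log in">
</form>
"""


class _FormCollector(HTMLParser):
    """Collect every <form> with its action, method and <input> attributes."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attrs)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_form(html, page_url):
    """Return a list of (code, message) findings for each form that collects a
    password.  page_url is the address the form was served from; it is used to
    resolve relative action URLs before the scheme is checked."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        pw_inputs = [i for i in form["inputs"]
                     if "pass" in (i.get("name") or "").lower()]
        if not pw_inputs:
            continue  # not a login form
        action = urljoin(page_url, form["action"])
        if urlsplit(action).scheme != "https":
            findings.append(("no-https",
                             f"form posts to {action}: password would cross the network in clear text"))
        if form["method"] != "post":
            findings.append(("get-method",
                             "form uses GET: password would be recorded in the URL and browser history"))
        for inp in pw_inputs:
            if (inp.get("type") or "text").lower() != "password":
                findings.append(("unmasked-field",
                                 f"field {inp.get('name')!r} echoes the password on screen"))
    return findings


if __name__ == "__main__":
    for label, html in (("weak", WEAK_FORM), ("good", GOOD_FORM)):
        print(f"{label}: {audit_login_form(html, 'https://login.example.edu/') or 'no findings'}")
```

Run against the weak form the audit reports all three problems; against the good form it reports none. The masked-field check only confirms that the password is not echoed on screen; it says nothing about the strength of the server's encryption or the identity of the server, which the next two sections address.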
Password "Sniffing"
Unless you use a browser that supports encryption, your password will be sent in clear text on the network between you and the Web server you're connecting to. Most current browsers (Internet Explorer, Firefox, etc.) support the necessary level of encryption.
Why is encryption important? If some unscrupulous person were to operate a "network sniffer" between you and our gateway, they could obtain your password and all other information in the page.
Charlatan Servers Stealing Your Password
A "charlatan" server may be operated by a hacker to steal your NetID password. This could be used to log into your account and hack other computers, thus hiding the hacker's trail and making you appear culpable.