Server Credentials and Access Control

Introduction

Servers are common targets for attackers, therefore it is important to have strong protection against these threats. Common strategies for combating malicious threats include creating strong passwords and enabling 2-factor authentication for account access.

Best Practices

  • Unique Passwords for Each Account
    • For each account you control, it is recommended to make your password unique to that account.
    • If you have trouble keeping track of your passwords, try using a password manager like LastPass.
  • At Least 12 Characters in Length
    • As computing power grows, the time it takes to guess a password shrinks. The goal is to make your password long enough that exhaustively guessing it becomes impractical for a computer.
  • Enable 2-Factor Authentication
    • 2-factor authentication is highly recommended for any account that involves sensitive data. It requires the user to verify with another device before access to the account is granted. This can come in the form of text messages, dedicated authenticator apps for your phone, etc.
    • 2-factor authentication is required for Virginia Tech accounts by using Duo. To learn more, view the Knowledge Base (KB) article on Duo 2-factor authentication.
  • Never Use Personal Information in a Password
    • If an attacker is determined enough, they can social engineer their way into your account. This can come in the form of checking social media or public records for information that might be used for a password or security question, such as the name of a beloved pet, type of car you drive, former street addresses, and birthdays.
  • Check Your Username and Password Against Data Breach
    • Part of the reason to change your password every three months is that login credentials are leaked onto the internet all the time, whether because a website fails to keep itself secure or because malicious actors exploit an undiscovered vulnerability.
    • To see which breaches you have been involved in, you can visit Have I Been Pwned and check your username or password against a database of breaches to see whether any service you signed up for in the past has been compromised.
  • Use a Password Manager
    • Now commonly built into all of the leading internet browsers, password managers are a great way to keep track of all the unique passwords you’ve created for websites. Each password manager is protected by a single master password, so it is important to make that master password very strong and hard to guess, but memorable enough that you can recall it when you need it.
    • Virginia Tech recommends using LastPass and offers free enterprise accounts for students, employees, and their family members. To learn more, see the KB article on Using VT LastPass.
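The breach check described under "Check Your Username and Password Against Data Breach" can be automated without sending the password anywhere. The following is an added example, not code from this article or from Have I Been Pwned: it implements the service's k-anonymity lookup, in which only the first five hex characters of the password's SHA-1 hash are sent and the matching is done locally against the list of suffixes returned. The range response embedded below is constructed for the example (the first suffix is the real SHA-1 suffix of the string "password"; the counts are made up), and the `fetch_range` function, which performs the live query, is not called by the offline demo.

```python
"""Offline demonstration of the Pwned Passwords k-anonymity range lookup."""
import hashlib
import urllib.request

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response (real ones contain hundreds of lines).
# Each line is "<35 hex chars of SHA-1 suffix>:<times seen in breaches>".
# The third entry is the genuine SHA-1 suffix of "password"; all counts and the
# other suffixes are invented for this example.
SAMPLE_RANGE_RESPONSE = """1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB429372:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E8B9A7F2C2AB8C4BE95C9D1A4E2F1B0C33:1
"""


def hash_prefix_suffix(password: str) -> tuple[str, str]:
    """Return the 5-char prefix sent to the service and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict; tolerates blank lines and CRLF."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Query the live service for one prefix (network access; unused offline)."""
    req = urllib.request.Request(
        API_RANGE_URL + prefix,
        headers={"User-Agent": "kb-password-check-example"},  # hypothetical UA string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Swap in the constructed response so the demo runs with no network.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for candidate in ("password", "single-avenge-uncoiled"):
        n = breach_count(candidate, fetch=offline)
        verdict = f"seen {n} times in breaches, do not use" if n else "not in sample data"
        print(f"{candidate!r}: {verdict}")
```

Passing `fetch=fetch_range` (the default) performs the real query; because only the hash prefix is transmitted, the service learns neither the password nor its full hash.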

How to Write Secure Passwords

Building a strong password is one of the first and most important steps in ensuring no one but yourself and those you authorize can access your system.

To view Virginia Tech’s password requirements and password examples, see the Changes to Password Requirements article published by the Division of IT. Following these password complexity rules for all accounts will ensure the best balance between safety and ease of use.

When creating and managing passwords, follow these rules to effectively balance convenience and security.

  1. Avoid using short, simple passwords. Instead, use:
    • At least 3-4 words (or a minimum of 12 random characters)
    • Capital letters
    • Special characters (e.g. #,@!$%^&*())
    • Numbers
  2. Don’t reuse passwords. Reusing passwords can be very dangerous, as it could give a hacker access to multiple accounts.
  3. Use a strong password manager. Virginia Tech offers free enterprise accounts for the LastPass password manager, which you can learn more about in this KB article.

Examples

To get an estimate of how secure your password is, go to PasswordMonster and enter a password. It will give you an approximate amount of time it would take for someone to figure out your password.

A strong password like dYk^4*NwNgEjyy would take 18 trillion years for an attacker to guess by trying every possibility, a technique known as brute forcing. Passwords like this one are generally considered the most secure, but they are difficult to remember.

Another strong password like single-avenge-uncoiled would take approximately 4 million years to brute force. These kinds of passwords, made up of random words and separated by a symbol such as a space or dash, are commonly referred to as passphrases. They’re very secure and easy to remember.
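To make the rules under "How to Write Secure Passwords" and the brute-force estimates in the Examples concrete, here is an added example (not code from this article or from PasswordMonster) that checks a candidate password against those rules and estimates its entropy and cracking time. It goes beyond the two examples above by handling both styles, random character strings and word-based passphrases. Everything it assumes is labelled: a passphrase is taken to be three or more alphabetic words separated by spaces, dashes or similar; passphrase words are modelled as drawn from a 7776-word list; random passwords are credited only for the character classes they actually contain; and the attacker is assumed to try 10 billion guesses per second. The year figures are therefore illustrative and will not match PasswordMonster's numbers.

```python
"""Password rule checker and rough brute-force estimate (assumptions noted inline)."""
import math
import re
import string

WORD_SEPARATORS = re.compile(r"[\s\-_.,;:/]+")
ASSUMED_WORDLIST_SIZE = 7776        # assumption: Diceware-sized word list
ASSUMED_GUESSES_PER_SECOND = 1e10   # assumption: offline GPU-class attacker
SECONDS_PER_YEAR = 365.25 * 86400


def words_of(password: str) -> list[str]:
    """Split on common passphrase separators, dropping empty pieces."""
    return [w for w in WORD_SEPARATORS.split(password) if w]


def is_passphrase(password: str) -> bool:
    """Three or more purely alphabetic words, e.g. 'single-avenge-uncoiled'."""
    ws = words_of(password)
    return len(ws) >= 3 and all(w.isalpha() for w in ws)


def policy_violations(password: str) -> list[str]:
    """Return the rules the password fails (empty list = it passes).

    Interpretation used here: a passphrase of 3+ words satisfies rule 1 on its
    own; otherwise the password needs 12+ characters plus a capital letter,
    a number and a special character.
    """
    if is_passphrase(password):
        return []
    violations = []
    if len(password) < 12:
        violations.append("fewer than 12 characters")
    if not any(c.isupper() for c in password):
        violations.append("no capital letter")
    if not any(c.isdigit() for c in password):
        violations.append("no number")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    return violations


def entropy_bits(password: str) -> float:
    """Estimated bits of entropy, assuming the password was generated at random."""
    if is_passphrase(password):
        return len(words_of(password)) * math.log2(ASSUMED_WORDLIST_SIZE)
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)   # 32 printable ASCII symbols
    return len(password) * math.log2(charset) if charset else 0.0


def brute_force_years(bits: float,
                      guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every possibility at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for candidate in ("dYk^4*NwNgEjyy", "single-avenge-uncoiled", "Password1", "hokies"):
        bits = entropy_bits(candidate)
        failed = policy_violations(candidate)
        status = "passes" if not failed else "fails: " + ", ".join(failed)
        print(f"{candidate!r}: {bits:5.1f} bits, ~{brute_force_years(bits):.3g} years; {status}")
```

The estimate is an upper bound that only holds for passwords chosen at random; a passphrase built from a favourite quotation, or a "random" string that is really a keyboard pattern, has far less entropy than the character count suggests.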

YubiKey

The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower cost device with only FIDO2/WebAuthn and FIDO/U2F support. -Wikipedia

A YubiKey is an important device to have if you are serious about protecting your data and the data of your employer. Many employers already use YubiKeys to protect important data from being lost; the device acts, quite literally, as the key to your account.

Procedures

Changing Systems’ Passwords

Each of the operating systems below prompts the user to choose a password when an account is created, but if you find yourself without one, the steps at the links below will help you set one up regardless of your operating system.

YubiKey Setup

Yubico, the company that makes the YubiKey, publishes comprehensive setup guides with instructions tailored to each of its products at this link. Additionally, the KB article YubiKey and D-100 Hardware Tokens for Duo 2-Factor Authentication includes instructions for setting up a YubiKey with Duo.

Resources