OIS: FAQs: Protecting Your Passwords

What does 'unauthorized disclosure' of my password mean?

Your passwords to University computer systems are property of the University. The University has entrusted you with these confidential passwords, and only the University can authorize the disclosure of these passwords to anyone else. University policy is that your password is to be disclosed to nobody else, period. A user who discloses their password to another user can be subject to discipline, as can a user who logs in with another user's username and password.

How does unauthorized disclosure of passwords typically happen at the University?

Most disclosures of passwords are due to phishing. In phishing, a user is deceived into disclosing their own password to someone else. Phishing is a serious threat and is discussed at length in our phishing page. Other typical scenarios include supervisors asking subordinates for their passwords, or supervisors sharing their passwords with subordinates so that the subordinate can approve documents on the supervisor's behalf or read the supervisor's emails. Understand that these practices not only violate University information-security policy but also violate System policy regarding fraud and separation of duties.

Why is disclosing a password such a big deal?

When User A discloses their password to Person B, Person B can now log in as User A and view any confidential information to which User A had access. This results in several problems. First, Person B may be malicious and misuse the confidential data to perform identity theft, which harms the people (i.e., the 'owners') identified in the confidential information. Second, if the owners of the confidential data are harmed by the unauthorized disclosure, the University may be subject to fines and lawsuits. Third, even if confidential information is not misused, the University typically is legally obligated to notify the owners and various government agencies of any such unauthorized disclosure, which is time-consuming and damages the University's reputation.

How do I protect my passwords from unauthorized disclosure?

  • Do not give your computer passwords to anybody, ever. Make some time and read our phishing page. The core message is to never give your passwords to anyone, ever. Following this one simple rule is the single most important thing you can do for the University's information security.
  • If you need to store your passwords, then use a password safe, a specialized program for securely storing passwords. There are many free password safe programs available on the Internet. Perhaps the most popular is KeePass, a free program that works on PCs, Macs, Linux, and smartphones. You store all your passwords in the password safe, then lock the safe with a very strong password or passphrase. Now all you have to remember is that one password/passphrase. You can then store the safe on a cloud service like Google Drive or Dropbox, so that you can access your passwords from any Internet-connected computer.
  • Do not write your passwords on a post-it note and stick it to the bottom of your keyboard. Do not write your passwords into a Word document and store it on your hard drive without encrypting it. These practices are forbidden by University policy.