Password changes help secure accounts

Ruben Castillo, senior information security analyst for Baylor ITS, and Will Telfer, information security analyst for Baylor ITS, encourage using phrases, songs or anything that will require more specific characters to make a password harder to break. Claire Boston | Multimedia Journalist

By McKenna Middleton | Opinion Editor

Every year, Baylor students, staff and faculty are required to change the password they use to log into sites like Bearweb, Outlook and Canvas. Changing passwords so frequently may seem like a hassle, but Baylor ITS information security analysts say it can help boost the security of your accounts — not just at Baylor, but on all online platforms that require a login.

“We tend to reuse passwords from site to site. And so if, say, Amazon were to experience a breach, and you’re using the same password at Baylor and you never change it, then it’s very easy for that password to get traded online and for people to break into different accounts,” Will Telfer, information security analyst for Baylor ITS, said. “Because we have so many usernames and passwords now, people tend to reuse them. So it’s a good idea to change them every once in a while on any site.”

Ruben Castillo, senior information security analyst for Baylor ITS, said different types of websites may warrant more frequent password changes than Baylor requires.

“It depends on the network you’re in and the data you’re dealing with. So if you’re dealing with highly sensitive systems, I’ve seen that every three months is too long,” Castillo said.

Not only does Baylor’s system require users to change their passwords every year, it also specifies that the password be unique. Castillo said people tend to use the same password from site to site with small variations, but these can still be hacked as easily as accounts that don’t change passwords at all.

“The root of the password is still there so it’s easy once you crack 90 percent of the password,” Castillo said.

Castillo said the longer the password, the more secure. With longer passwords, however, users run the risk of forgetting them. Many internet users opt to let their browsers remember their passwords and autofill their login information for various sites. Telfer said that despite the benefits of this service, it carries its own risks for users.

“It does make things very convenient, but it also means if someone sits down at your computer, they can log into your sites. That password is stored in a file somewhere in a cookie,” Telfer said.

There are a few strategies users can use to remember passwords while also keeping their accounts secure. Password managers create strong, unique passwords and store them in one secure location. They often offer a free version along with paid subscription upgrades. These password managers create long passwords with random characters, which users can organize and later copy and paste, with access to the stored credentials protected by one master password. Commonly used password managers include LastPass and KeePass.

Although it may seem risky to keep all your passwords consolidated in one place, CNET explains that these services often come with two-factor authentication, “limiting the ability for someone across the world to gain access to your information.”

Some websites even offer their own form of two-factor authentication, including Baylor’s own two-factor authentication system called Duo, which provides an extra layer of protection for accounts. Since Baylor introduced Duo in summer 2016 for Bearweb and expanded the two-factor authentication to other services like Outlook, Telfer said cybersecurity of accounts has improved drastically.

“Our compromised accounts — where people were giving away their credentials in phishing emails — we were seeing over 100 a week; we’ve seen two this month,” Telfer said.

Another method Castillo and Telfer recommend for creating secure passwords is using a phrase, song lyric or quote. In that way, passwords will be long, include capital and lowercase letters and end in punctuation, meeting most of the criteria for secure Baylor passwords. Castillo suggests substituting some numbers for letters, like “3” instead of “e” or “1” instead of “i,” to include numbers in the password, further complicating it and protecting it from potential threats.

“Then your password becomes longer, which is always a stronger password, but it’s also easy to remember,” Telfer said.

At the same time, Telfer said sometimes changing passwords too frequently can make the account less secure.

“So one of the reasons why we’ve gone with a longer time frame is, if you make people change their passwords frequently, they’re more apt to write it down and leave it in an insecure location because they don’t remember it … You don’t want to change your password every day. That’s going to make it too hard to remember. But if you want to change your password more frequently than every year at Baylor, you can. You’re more than welcome to. Whatever system works for you is fine,” Telfer said.