Necessary annoyance: Strengthening cybersecurity
February 1, 2023
Security is and always will be a top priority of educational institutions like Simpson College. In the technological age, why should cybersecurity be treated any differently?
In the past, students and faculty at Simpson would use an eight-digit password for school accounts and access to necessary services and products. Every year, everyone on campus would be responsible for resetting their password to a different eight-character password. As this cyber-tradition continued, hacking and Zoom bombings became increasingly relevant and left lasting scars on campus.
Simpson’s Chief Information Officer, Dan Sloan, readily acknowledges the issues associated with the previous practices of password usage. “Using modern computers, we can crack those [eight-character] passwords pretty fast. Like in minutes,” he said.
The National Institute of Standards and Technology (NIST), which Sloan cited, sets many Information Technology (IT) standards and has begun recommending longer passwords to increase the time a hacker would need to gain access to information.
Once fully switched over, Simpson will require 14-character passwords. With the longer password requirement, password resets would only be necessary when accounts are compromised, said an email from IT earlier this year.
With resets set to become less frequent, the hassle associated with the practice will also dissipate. Resetting passwords is far from the favorite pastime on campus. “I’m glad I won’t ever have to do that again,” sophomore Anna Schewe said. One year when resetting her password, she admits she had to get IT involved to help with problems that arose.
“With the modern state of computing, it will take years to crack that [14-character] password,” Sloan said. The 14-character password requirement being implemented also comes without the stipulation of using different types of characters or symbols, which can reduce the overall complexity of the passwords students and staff create. Passwords will likely become easier to remember, Sloan said. With the new requirements, a password can be as simple as a phrase, and spaces are allowed.
“This password policy, in the long run, is going to be easier for everybody,” he said.
As policies and regulations change, Sloan must continually adapt. The better question to him is not if, but when the next ransomware attack will occur.
“Unfortunately, we have moved from a trusted environment to a zero-trust environment and that has to do with the way information systems are changing,” he said.
Institutions of higher education have become large cyber-attack targets due to the large amount of data they possess, he said. Not only is there personal information that can be stolen, but research as well.
Cyber-attacks have shut down colleges as well, Sloan said, speaking of an institution based in Illinois, Lincoln College. The school lost all the data for its incoming first years in Dec. 2021 and could not survive. The cyber-attack ultimately led the 157-year-old institution to cease operations, a grim example of the threat ransomware and other cyber-attacks pose to colleges.
Simpson IT made the switch to the 14-character requirement on Jan. 23, so students can make the switch now by going to https://simpsoncollege.onelogin.com and clicking ‘Forgot Password,’ or they can wait until their password expires and reset it then.