My unibas account: An exclusive password - because we're worth it
Many services at the University of Basel and on the Internet are not public, but are only available to authenticated users. Authentication often also determines what the logged-in person is allowed to do on the system. In this case, the password is the only "key" to the service and data. At the University of Basel, more and more services are made available via the central e-mail account: E-mail, VPN access to the university network, logging on to computer systems or the self-services for administration and teaching. It is therefore all the more important that your password remains absolutely confidential! As a short rule: Treat your Unibas password as secure and confidential as the PIN of your credit card.
The only protection for your e-mail box, VPN access to the university network, access to more and more services and for computers in the university network is the combination of login and password. That these accesses are interesting and lucrative for strangers can be seen, for example, in the constant phishing attacks against Unibas accounts. Unfortunately, there have been and still are abusive accesses with "stolen" Unibas accounts from many countries. A secure password is in the interest of the account holder: If an illegal or even criminal action is carried out with an account, the person holding the account must first justify himself!
How do unauthorized people get Unibas passwords and what can YOU do about it?
- The passwords are too easy and can be guessed => use secure passwords (see below).
- Passwords are passed on (e.g. phishing) => never pass on your Unibas password! The IT-Services do not send e-mails with links to websites where you have to enter your password.
- Passwords are eavesdropped on via contaminated computers (e.g. in an internet cafe, at friends' etc.) => change your password if you have entered it on such computers.
- Passwords are eavesdropped on during network transmission => use only encrypted transmission (https, vpn, imaps) for password transmission.
- Passwords are found on unsecured servers on the internet => do not use your Unibas password anywhere else, certainly not in connection with your email address.
- In general, it increases security if you change your password occasionally or, even better, regularly - should it have fallen into the wrong hands, they can no longer abuse your account after a change.
- You use the same password in many places: If you use a password in many places, then one "hacked" place is enough - and an attacker has access to many systems. Especially if the e-mail address or login were also specified. Unfortunately, it happens again and again that websites with login data are taken over by attackers. For "important" accounts / accesses you should therefore use individual passwords. (See also: Behaviour)
- Your password is too simple: If your password is too simple and therefore easy to guess, you make it easy for attackers. Especially if the service allows any number of password attempts.
- Your password is too short: A password that is too short can be guessed more easily. If it has only a few characters, an attacker can automatically check all the character combinations in a short time. If someone gets access to encrypted passwords, the shorter they are, the faster they are to "crack".
- Your password has been unchanged for years: If you entered it at some point on a manipulated computer (e.g. in an Internet cafe), it has been usable by strangers ever since. Changing it regularly keeps the time short in which a secretly "tapped" password can be used illegally.
- Your password is stored on your computer: If you store all the passwords you use directly on the computer, you run the risk of attackers getting hold of that data. Attackers can be a fellow user of the computer or a virus that scans your computer's data. An exception to this is passwords stored in encrypted form, e.g. in a password manager.
If you leave your workplace without shutting down the computer, a so-called screen saver should start immediately / within a short time, which is provided with the password protection. This means that only after entering your password the actual screen is visible again and the computer can be used again.
A Unibas account in the wrong hands:
- Can be misused for phishing / scam / spam emails. The consequence of this is not only that your e-mail account is "burned", very quickly the university's e-mail servers are then blacklisted worldwide as "spam slingers", so that many systems no longer accept e-mails from our e-mail servers at all!
- can be used as a unique sender for all kinds of illegal e-mail activities (e.g. insults or defamation).
- can give an intruder access to the university network. Once on the internal network, he can attack many services and data that (inaccessible from the outside) may be confidential and/or poorly secured.
- allows non-authorized persons to access (literature) databases via VPN, which according to the contracts are only accessible to university members. In case of misuse, the owners of these data can deny the university further access.
- gives strangers the possibility to read confidential e-mails that you send or receive.
- can provide access to more and more internal services from the internet in the future (e.g. via VPN to the university network and then to file servers / computers / services). Industrial and scientific espionage are no pipe dreams.