Heartbleed: McGill will double your password if you don’t do it first, IT says


By Maria Gosselin

If you haven’t yet changed your McGill Password, it’s time to get to it.

Early next month, all faculty and staff members who did not change their password when prompted to earlier this year will have their McGill Password doubled.

For example, a staff member who has the password “McGill12” will have it changed to “McGill12McGill12.” An email will be sent out a week in advance to all affected users, giving them a final chance to change their password. After that, users who have not changed their password will either have to type it out twice to log in to McGill systems (e.g. email, wireless, VPN, myCourses), or they can change it to something of their choosing.

The need to change passwords arose in April, when the Heartbleed vulnerability was revealed. Heartbleed exposes systems to data theft: attackers can use it to gain access to a system and then read and steal information without leaving a trace.

McGill’s IT Services responded quickly. The first step to mitigate any loss of information was to ensure that all of McGill’s central IT systems were evaluated and updates applied wherever needed. Once that was finished, all McGill faculty, staff and students were asked to change their McGill Password. The McGill Password length has also been increased from exactly eight characters to a variable length of eight to 18 characters.

While McGill is responsible for protecting all information systems containing sensitive information (personal, confidential, institutional and intellectual data), users have an obligation to ensure that their access to IT systems is not compromised. This means never sharing your McGill Username and Password or other credentials, even with family members, and being aware of how to spot and avoid phishing scams and other online security threats.

Every year, about 1,200 to 1,500 McGill accounts are compromised in one way or another. Cybercriminals frequently use compromised accounts to send spam, and steal whatever personal information they can. If the account belongs to someone who has access to McGill systems, the attacker can use the account to steal confidential or institutional data.

Even though our central IT systems are protected against Heartbleed, any accounts that have already been stolen still pose a security risk. Almost 20,000 members of the McGill community did change their McGill Password, but thousands more did not, and so additional actions have become necessary.

Unfortunately, Heartbleed will not be the last serious IT security threat McGill faces. Cybercriminals are continually finding exploitable flaws in software and systems, and data breaches are becoming all too common. From dealing with Heartbleed, we’ve learnt that many people do not take the threat of compromised data seriously, despite the fact they have access to confidential data and are responsible for safeguarding it. IT Services will launch additional initiatives to increase awareness of online security threats, and enhancements are being looked at that would make it mandatory to change your McGill Password yearly, much like what is currently in place for the Minerva PIN.