Have you been pwned?

Like any organization with a significant Internet presence, the University of Waterloo is facing ongoing cyber security challenges with passwords. To help address these challenges, the Information Security Services team recently conducted a password audit on central campus systems. Owners of accounts with passwords that did not conform to the University password standards were contacted over July and August by Information Systems & Technology and instructed to update their password in WatIAM.

Restricting use of breached passwords 

A recent change to the WatIAM system will now prevent employees from setting a password that has been identified as one of over 550 million breached passwords. In addition to the adoption of two-factor authentication, this change will help protect against two growing security risks: 

  • Credential stuffing: The automated injection of breached username/password pairs to gain access to user accounts. 

  • Password spraying: Attempting to gain access to a large number of user accounts using common passwords (made more available by the increase in breaches over the years).  
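
For readers who want to see how a breached-password restriction can work at password-change time, here is an added example; it is not WatIAM's code and was not part of the original announcement. It assumes a breached list in the "SHA1:COUNT" text format used by the Have I Been Pwned Pwned Passwords data, queried by the first five characters of the hash so the full password hash is never sent to the lookup; the function names and the three-entry sample list are constructed for illustration.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (the list's key format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(breached_lines):
    """Group 'SHA1:COUNT' lines by 5-char prefix into 'SUFFIX:COUNT' text."""
    index = {}
    for line in breached_lines:
        digest, _, count = line.strip().partition(":")
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(rows) for prefix, rows in index.items()}

def breach_count(password: str, range_lookup) -> int:
    """Return how often the password appears in the breached list, 0 if absent.

    Only the 5-character hash prefix is passed to range_lookup; the suffix
    comparison is done locally on the returned rows.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for row in range_lookup(prefix).splitlines():
        candidate, _, count = row.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0

def validate_new_password(password: str, range_lookup):
    """Policy hook: refuse any password found in the breached list."""
    seen = breach_count(password, range_lookup)
    if seen > 0:
        return False, f"rejected: found {seen} times in breached passwords"
    return True, "accepted"

# Constructed sample data: three well-known weak passwords, made-up counts.
CONSTRUCTED_LIST = [f"{sha1_hex(p)}:{c}" for p, c in
                    [("password", 1000), ("123456", 2500), ("qwerty", 800)]]
RANGE_INDEX = build_range_index(CONSTRUCTED_LIST)

def offline_lookup(prefix: str) -> str:
    """Offline stand-in for a range query against the breached list."""
    return RANGE_INDEX.get(prefix, "")

if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", validate_new_password(candidate, offline_lookup))
```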

Take an active role in keeping yourself and your data safe

Employees are encouraged to use a passphrase and can learn more about this by visiting the Cyber Awareness website, https://uwaterloo.ca/cyber-awareness/passphrase. To check whether you've "been pwned", visit the Have I Been Pwned website, https://haveibeenpwned.com/