3 Reasons the University Should Up Its Security Game
I recently changed my password for an account at a university with which I am affiliated. It went something like this:
New Password: XPNRWDeai60h$4IQtjLtZ8&9AV Error: Cannot use special characters New Password: XPNRWDeai60h4IQtjLtZ89AV Error: Cannot use a character more than once New Password: XPNRWDeai60h4IQtjLZ89AV Error: Password must be between 8 and 12 characters New Password: pasword123 Success!
The university has fallen behind on security. And it's not just the password policies, but security in general. I have yet to see a university use 2-factor for all student accounts. SSL still seems to be a rarity, and I am never surprised to find that when it is there, I have to click through an insecure certificate dialog because it was issued by an unknown CA. In short, the university is falling behind on information security.
It seems to me that there are three reasons why the university should up its game when it comes to security: one ideological, one practical, and one pedagogical.
The University as the Center for Excellence
Universities are forward looking. New research, new publications, new ideas, these days it's even about new campuses and new buildings. When we walk into the campus library, we expect stability and order. When we walk into the cafeteria, we except cleanliness and care. And when we get to the classroom, our expectations soar: we expect thoroughgoing knowledge, high academic standards, and unparalleled integrity.
So why would we accept 20-year-old security practices, slapdash tools, and blasé IT staff?
The University as Confidence Holder
There are certain pieces of information that have a big impact on our lives. Bank account numbers are one. Credit card numbers, too. Medical records make the list. But so do college records. In some situations, transcripts may get you (or lose you) a job. And even when it's not about the grades, it is increasingly common for employers to verify that you went to the school you said you went to, and got the degree you said you got.
Imagine what an attractive target this is for a hacker. A changed social security number, student ID, and name....
Students are also a lucrative base. A faked student fee will be paid unquestioningly. An email that appears to come from the administration will be answered honestly. Students are good targets.
The University as Educator
At once this seems most obvious and most controversial. The university is a place of education. And educating students is part of the deal, even if it's just educating them about how to keep their own accounts secure. Yes, I know that universities are not first and foremost IT institutions, but that does not get it off the hook.
The university is responsible for teaching (or reinforcing) good security habits.
Habituating students to use (and expect to use) two-factor auth is a great example. Teaching them to expect SSL, to suspect broken certificate chains, and to distrust sites that use poor security -- these are strategies that we can impart on students early. But too often, the university is doing the opposite: it's training individuals to practice poor security.
There is no doubt in my mind that security is hard. And universities often have a volatile user base, changing frequently and using tools haphazardly. But these are not sufficient excuses. The idea of the university demands excellence. The data the university has access to demands dilligence. And the pedagogical role of the university demands security by example.