back to article Stolen university credentials up for sale by Russian crooks, FBI warns

Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI. According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and …

  1. WolfFan Silver badge

    Bah, humbug

    I am currently an adjunct instructor at a local community college. The IT people there are, umm, somewhat anal-retentive. Us faculty and staff must change passwords every 90 days; hashes for old passwords are kept for 36 password changes, or 9 years. Passwords must be at least 10 characters, at least one of which must be a lower case letter, an upper case letter, a number, and a symbol. Students must change passwords at the start of a new semester. Multi Factor Authentication is provided using the MS Authenticator app on smartphones, tablets, Win10 boxes, or Macs. If I log into Canvas (the Learning Management System) on any browser, on Mac, Windows, phone or tablet, I must authenticate. If I log into Workday, I must authenticate… even if I use a tab on the same browser as the Canvas login. If I log into webmail, again I must authenticate. The authentication lasts for 8 hours, or until I log in with a different browser, including a different browser on the same machine, whichever is the shorter. I must then authenticate again. For each service. Logging in to a school computer on the school network does NOT log you into services, you must authenticate for each. Now, the password is the same for all services, but not for anything external; logging into the textbook site uses the school ID, but a completely different password. If someone got my credentials they would also have to get my MFA stuff, and school passwords would be useless for non-school logins.

    Meanwhile, I used to do adjunct work for a different community college. I haven’t been there for six years. My credentials still work. I had a truly amazing amount of email.

    Some school IT people are BOFH level. Some are Boss level. Or lower.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bah, humbug

      We changed our internal policies on password lifetimes to be practically the complete opposite of what you suggest. Frequent changes are usually pretty predictable. Old password +1 or similar.

      The theory espoused by correct battery horse staple is is a good one; and we back up the VPN with MFA.

      Single sign on is implemented for the more common systems; though there is a long way to go to get the rest into that space; reducing the number of passwords one needs to juggle (and preferably avoid writing them down).

      I'd say passwords are dead but alternatives aren't exactly readily available.

      1. MiguelC Silver badge

        Frequent change ≠ sound security

        Some word, a symbol (usually "-"), month and year numbers is, probably, the most common combination used for passwords that must be frequently changed.

        In those cases, if an old password is eventually obtained, the current one will be easily deducted.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like