How NetID Passwords are Stolen
This article applies to: Security & Policy
You are tricked into giving away your NetID password
These days we are overwhelmed by fraudulent email messages and websites that try to steal personal information. These are often referred to as “phishes.” A common trick is to suggest that one of your accounts will be shut down unless you reply immediately with your password and other information.
You type your password into a fake Cornell website
Beware of fake CUWebLogin and Office 365 (outlook.cornell.edu) login pages! Malicious websites may include a plausible-looking or even an exact copy of either of these pages. Make sure you are really signing in at the Cornell CUWebLogin page. See the article Verify if a website is who it claims to be (EV certs).
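The warning above comes down to checking the real host name in the address bar rather than looking for the word "cornell" somewhere in the URL. The added example below (not part of the original article, and not Cornell's own code) shows how a careful host check differs from a naive substring check; the host names it treats as trusted are assumptions for illustration, and the lookalike addresses in the comments are constructed.

```python
from urllib.parse import urlparse

# Assumed for this example: any host that is cornell.edu or a subdomain of it
# (outlook.cornell.edu, for instance) is considered a genuine Cornell site.
TRUSTED_SUFFIXES = ("cornell.edu",)


def is_cornell_login_host(url: str) -> bool:
    """Return True only for an HTTPS URL whose host is cornell.edu or a subdomain of it.

    A naive test such as ``"cornell.edu" in url`` accepts the constructed
    lookalikes ``https://cornell.edu.login-verify.example/`` (the trusted name
    is only a prefix of a foreign host), ``https://evil.example/cornell.edu/``
    (the name is in the path) and ``https://cornell.edu@evil.example/`` (the
    name is in the user-info part). Parsing the URL and comparing the host
    suffix label by label rejects all three.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        # A genuine login page is served over HTTPS; anything else is suspect.
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    for suffix in TRUSTED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def naive_check(url: str) -> bool:
    """The substring test that phishing lookalikes are designed to pass."""
    return "cornell.edu" in url.lower()


if __name__ == "__main__":
    # Constructed sample addresses: one genuine, several lookalikes.
    samples = [
        "https://outlook.cornell.edu/",
        "https://cornell.edu.login-verify.example/",
        "https://evil.example/cornell.edu/login",
        "https://cornell.edu@evil.example/",
        "http://outlook.cornell.edu/",
    ]
    for url in samples:
        print(f"{url:45s} naive={naive_check(url)!s:5s} strict={is_cornell_login_host(url)}")
```

The strict check still cannot tell a homoglyph domain (a look-alike spelling using non-ASCII letters) from the real one; that is what the browser's certificate check, described in the EV certs article, is for.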
You use your NetID password for a non-Cornell account
Using your NetID password for other services, such as online banking, shopping, or discussion forums, increases the chances that it may be stolen, because these services may not transmit the password securely or could experience a security breach.
In December 2010, gawker.com had around 1.3 million passwords (including corresponding usernames and email accounts) compromised, several of which belonged to people at Cornell. As is often the unfortunate case, some people were using their NetID as their username, or their Cornell email address (which includes their NetID), for the non-Cornell website.
The data was a “dream come true for spammers,” reported news.softpedia.com (see Hackers compromise Gawker, expose user passwords). Since experience demonstrates that people often use the same password for most online accounts, hackers immediately began attempts to access Cornell email accounts using the exposed Gawker password and NetID information.
Avoid using your NetID as your login or account name for any non-Cornell services. If you have no choice, because the website automatically uses your email address for the account name, make sure to choose a password that has no similarity to your NetID password.
Your NetID password is too simple
Contemporary computers are so powerful that simple passwords can be cracked with minimal effort. See Set strong passwords (NetID and others). To test your password’s strength, go to the Manage Your NetID page and click Do you have a strong password?
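To make the advice in the last two sections concrete (a password with no similarity to the NetID, and one that is not simple), here is an added example that is not part of the original article and not Cornell's own strength checker. Its thresholds (12 characters, three character classes) and its short list of common passwords are assumptions chosen for illustration; the NetID and passwords in the test cases are constructed.

```python
import math
import re

# Constructed sample of commonly guessed passwords; real cracking wordlists
# contain millions of entries, which is why short or familiar passwords fall first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "cornell"}

CLASS_PATTERNS = {
    "lowercase": (r"[a-z]", 26),
    "uppercase": (r"[A-Z]", 26),
    "digits": (r"[0-9]", 10),
    "symbols": (r"[^A-Za-z0-9]", 33),
}


def estimated_bits(password: str) -> float:
    """Rough keyspace estimate: length times log2 of the alphabet actually used.

    This is an upper bound. A dictionary word with a digit on the end is far
    weaker than its length suggests, which is why the checks below also look
    for common passwords and trivial variants of them.
    """
    alphabet = sum(size for pattern, size in CLASS_PATTERNS.values() if re.search(pattern, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def password_problems(password: str, netid: str = "") -> list[str]:
    """Return a list of reasons the password is weak; an empty list means it passed.

    Assumed policy for this example: at least 12 characters, at least three
    character classes, not a common password or a common password with digits
    or '!' appended, no run of three identical characters, and no NetID inside it.
    """
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(pattern, password)) for pattern, _ in CLASS_PATTERNS.values())
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or lowered.rstrip("0123456789!") in COMMON_PASSWORDS:
        problems.append("is a common password or a trivial variant of one")
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats the same character three or more times")
    if netid and netid.lower() in lowered:
        problems.append("contains the NetID")
    return problems


if __name__ == "__main__":
    netid = "jd123"  # constructed NetID
    for candidate in ("password1", "Jd123-Rocks-Every-Day!", "Correct-Horse-Battery-9"):
        print(f"{candidate!r}: ~{estimated_bits(candidate):.0f} bits, problems={password_problems(candidate, netid)}")
```

Note that the bit estimate alone would rate "password1" at roughly 47 bits, yet it is one of the first guesses any cracking tool tries; the wordlist and pattern checks catch what the arithmetic misses.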
Your computer is infected with software that snoops for your NetID password
Sometimes a computer infection includes a keylogger, software that records everything you type and then sends it off to whoever has taken control of your computer. The intruder can then see your password as it’s typed. This is less common, but needs to be considered if no other explanation is found.
You type your password on a computer open for public use
Entering your NetID password on any unfamiliar computer puts you at risk. What assurance do you have that it is protected by good security practices? Public computers, such as those found in hotel lobbies or cafes, are particularly dangerous because it’s possible someone unscrupulous has installed malicious software to steal your personal information. If you must enter your NetID password on a computer that’s meant for public use, change it the next time you are on a trusted computer.