This document is intended to provide guidance on how members of the UMBC community should properly adhere to the UMBC Policy on Credential Management, Authentication, and Authorization. This document provides recommendations and practices for protecting your myUMBC credentials.
Protecting your account is the single most important individual responsibility that contributes to protecting both your privacy and security, as well as our communities privacy and security. If someone has access to your myUMBC credentials and can login, they automatically have access to your information and any information that you might be authorized to access. For that reason, we encourage everyone to follow these guidelines.
Steps That You Should Take to Secure Your Account
Be Safe Online, Watch Out For Social Engineering Attacks
Social Engineering is where an adversary uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Phishing is a form of ‘social engineering’ in which cybercriminals ‘go fishing’ for victims by sending emails, seemingly from trusted parties, with promises, opportunities or threats the attackers hope the victims will fall for. Adversaries desire personal information, such as your bank account, SSN or login credentials, so that they can gain further access to your account and information, or that of others, including the University’s networks and systems.
UMBC’s Gmail does a good job of identifying phishing emails, but some get through, especially if the email is coming from a myUMBC account that was compromised and is sending out phishing emails to try and compromise more accounts. To be safe, do the following:
- Be skeptical and thoroughly read an email asking you to do something. If you are concerned about its legitimacy, forward the email to email@example.com, and DoIT will check it out for you (note you may have a day delay).
- Visit the itsecurity.umbc.edu website and learn how to spot phishing emails. This information will help you at UMBC and at home.
- Check any URL you receive via email or direct message by moving or hovering your mouse over the link, but do not click the link. In the lower left corner of the web browser you will see the actual web site address that you will be taken to if you click the link. If this is not something associated with umbc.edu or something you know to be legitimate, be highly suspicious.
Create a Strong and Unique Password for Your myUMBC Account
There are a few major challenges with passwords. One is that people are not good at memorizing long strings of random alphanumeric characters. The second is that we all have so many accounts in our life that we can’t possibly remember which password goes with which account. At UMBC, we have tried our best to limit you to one account and one password for all our services. As such, we ask that you do the following:
Do not use your myUMBC password with any other account.
- Use a mixture of upper and lower case characters, digits, and punctuation in your password.
- UMBC is required to have a minimum password length; however, a longer password is more difficult to break. We recommend that you combine two separate facts to make a long password you can remember. Having a sixteen or twenty character password is allowed. Two facts could be the name of a friend and the address of a relative or the name of your favorite band and birthdate of a close friend or relative (e.g. Beatles-01/02/1966).
- All faculty, staff, and students are enrolled in the DUO multi-factor solution we provide. A best practice is always to have multiple devices or mechanisms available within DUO, but the push notification is the most secure and safest method. Multi-factor authentication greatly reduces the risk of someone compromising your login credentials by using the combination of your password and your phone or mobile device, which verifies your identity as the additional factor. Unfortunately, UMBC is not licensed to support Alumni using Duo. For Alumni, following the guidelines above to create a strong password is even more important.
Periodically Change Your Password
With the adoption of the DUO multi-factor solution, we can safely extend the time we allow you to keep your password before we require a mandatory change. While most people may not realize this, UMBC sees regular attacks on credentials where outside groups try to log into myUMBC credentials. Usually this occurs when 3rd party services are compromised and your myUMBC email was used as the email address associated with the 3rd party services. UMBC tracks when login failures occur and we will identify accounts that should have their passwords changed. Please remember that UMBC is required to not allow people to reuse a prior myUMBC password, thus you are not allowed to reuse a former password.
Please remember that when you do change your password it is likely that you will need to change the password on your phone if you use a phone-based app for your email or calendar. These services require you to enter your password into the app and don’t change automatically. If you forgot how to change these, please contact the DoIT Technology Support Center (TSC) at 410-455-3838, or visit the frequently asked questions (FAQ) on this topic. Another area that will require you to update your password is if you use UMBC’s EDUROAM wifi service; help can be found by calling the TSC or visiting the FAQ for eduroam.
What To Do If You Forget Your Password
We encourage everyone to set up their account recovery options, this is done through your myUMBC profile, by selecting the option Security. If you provide a mobile phone number and give permission to send SMS messages, we can use that to send a new password IF you know the answer to your security questions. We encourage everyone to review your security questions and answers each year, you can do this by selecting Edit your Security Settings. For more information, consult the FAQ on this topic.
If you are at the Bronze or Silver level of Trust, as shown on your myUMBC Profile for Security, if you forget your password and you know your security questions, you may click “Forgot Password?” when trying to login through myUMBC. You will be asked your security questions, if they are correct, you will be emailed a link to reset your password that will go to your alternate email address not associated with UMBC that you provided when you got your myUMBC account.
If you don’t remember your security questions or can’t access the secondary email account you provided when you got your myUMBC account, then you will need to interact with a person, you should call the Technology Support Center (TSC) at 410-455-3838. There are a small number of users that have higher security classification, labeled GOLD, these individuals have additional protections.
Use Duo Multi-Factor Security
Duo Multi-factor security is the leading multi-factor solution for higher education. The product was an early collaboration of higher education working with a start-up to develop products that would benefit higher education. UMBC has been using Duo since 2015 for at least some users. As of Fall 2023, all students and employees will be required to use Duo to protect their account.
When you are required to use Duo with a device, such as a laptop or phone, it uses what is called a web cookie to note that particular device successfully connected using Duo. If you have the “Remember Me” box enabled, this allows you to authenticate without using Duo for a predetermined amount of time based on your Level of Assurance. Some external services operated by NIH limit the remember-me time to twelve hours; if you access a site that has a lower value than you presently have, you will be asked if you want to move to the lower value. If you don’t do that, you won’t be allowed to use your myUMBC credential to access the service. UMBC defines the maximum value by individual or Level of Assurance, which you can check in your myUMBC Profile by selecting the Security item. For additional information about Duo please see the UMBC help page: https://wiki.umbc.edu/display/faq/Multi-Factor+Authentication+with+DUO.
The original text of this document can be found here: https://docs.google.com/document/d/16j1U1RN02h1fv46pSgijXbByyxKqSdHkO5vbRqK-Wv0/edit