it.ucsf.edu

Keep your accounts secure

Policy Type

Best Practice

Secure accounts help keep information secure and available

Overview

Usernames and passwords are used to:

  • Prevent unauthorized access
  • Uniquely identify which user requests access
  • Log what systems or information the user accesses

Each account represents a single person, and how the account is used reflects on the person to whom it belongs. Here are a few ways to secure your accounts.

Never share your password

If you share your password with someone, and that person intentionally or unintentionally causes a problem with the computer system using your login and password, you will be held accountable - not the other person.

Insist that everyone get their own accounts, use software that was designed for multiple users, or explore options such as group membership permissions or shared access controls.

In some situations, a password is shared among several users because it grants access to a shared resource. In these cases, the password should never be shared with anyone not known to have permission to access the shared resource. If it is later determined that one or more persons no longer have access to the shared resource, the password must be changed and distributed only to the remaining users. If a shared password is no longer needed, its use should be discontinued immediately and either the account removed or the password changed.

Never let others watch while you type your password

  • Can someone near you or behind you see you type your password?
  • Can someone outside your window discover your password with binoculars or a telescope?

Log out properly

When logging out of an account, don't walk away from the computer until you are sure that you have logged out completely. When using a shared computer, such as at a computer lab or cafe, close all browser windows - even if the system notified you that you are logged out - just in case the browser has been set to cache web pages. Try logging into your bank account, then log out, then select the browser's Back button once or twice. Can you see your account information?

Choose a good password

The password you choose can make it easy or hard for malicious attackers to gain access to your computer account or your password manager. Read more about how to choose good passwords here.

Change your password regularly and never reuse it

This significantly decreases the chances of brute force attacks succeeding. Unfortunately, not all UCSF systems enable you to change your password. Contact your department or your CSC if you have questions regarding password changes and which systems share authorization processes. Avoid using the same password for more than one account.

Don't use untrusted computers

Do you know who owns or maintains the computer you are using? Are you sure that the computer is free of spyware, monitoring programs, or devices used to record every keystroke? Secure passwords and encryption are of no use if the computer is secretly recording everything you type. Before entering any account information into a computer, you should be reasonably sure it is secure and free of vulnerabilities. Be especially careful of internet cafes, shared access computers (like those found in a hotel lobby), computers that appear very slow, and computers with outdated software.

Store your password securely

Avoid writing passwords down on paper, which can be lost, forgotten, or stolen. Instead, use a password manager. Avoid storing passwords in electronic devices or documents that are unencrypted, and be aware of what password recovery tools can do.

The most secure way to store a password is to memorize the only copy of it.

Using a password manager means you have to remember only one master password which grants you access to all your other passwords. If your password manager file is lost, forgotten, or stolen, all your passwords still remain encrypted and protected.
