Monday, April 28, 2014

Time To Change Your Macalester Password

ITS recommends that all Macalester Students, Faculty, and Staff change their Macalester passwords. 

In response to Heartbleed, ITS has patched Macalester’s small number of vulnerabilities on central systems. We strongly encourage you to change your password to protect your data and the college’s data. To change your password, visit For help creating a strong secure password, visit ITS Password Guidelines.

Background on the Heartbleed flaw and OpenSSL
In recent weeks, researchers discovered a flaw in the security tool OpenSSL. This tool encrypts and protects Internet traffic and communications between devices. Most users would recognize it by the small, closed padlock and “https:” in Web browsers, which signify that your Internet traffic is secure. The flaw, nicknamed Heartbleed, allows an attacker to capture usernames, passwords, and pretty much any other information.

Why this matters
OpenSSL is used everywhere: when you shop at Amazon, access your personal email, use your personal banking, or visit your social network, blogging and sharing sites. It can also be used to secure communications on personal mobile devices, such as smartphones and tablets, securing Web browsers, or securing Web apps you may have installed. The Heartbleed vulnerability in OpenSSL could allow a remote attacker to access data that is passed through it—such as usernames and passwords.

What ITS has been doing
Macalester ITS staff responded to this issue as soon as the bug became public. It quickly became apparent that Macalester was relatively safe from this vulnerability, for two reasons: 1) few of our servers use OpenSSL, and those that do were quickly fixed; and 2) a recently deployed firewall product at Macalester included protection against Heartbleed. ITS staff have updated protections against Heartbleed on central systems.

What you should do
Change your Macalester password, using ITS’ self-service password tool at For help, please see our guidelines on creating a strong, secure password.

What about my other passwords?
Regarding your other personal passwords (e.g. banks, credit unions, insurance, etc.), we recommend that you change these if you have received notice confirming either that the vulnerability did not apply, or that the Websites have taken the proper measures and are secure.

If the sites and services that you use include alternate ways of confirming your identity, such as a cell phone number for text message (what is commonly referred to as '2-factor authentication'), consider adopting them.  This will mitigate an attack if your password is ever compromised.

Web browsers

* You should exercise caution when visiting Web sites, as Heartbleed can affect Web browsers. All major browsers have addressed the issue, but caution is always advised.

* You can test sites using the Heartbleed Test Site at

* You should always completely log out when finished with a Web site—or, if finished using the Web altogether, quit your browser.
