On Sept. 27, the announcement of a partnership between the Cowan-Blakley Memorial Library and The Dallas Morning News (DMN) to provide students accounts for the DMN was emailed to the student body. Shortly following was an email that gave instructions for accessing one’s account, complete with one’s username and password.
The particular pattern of the password was a simple combination of the account owner’s name, followed by the very secure and non-generic “Pass1!” It may have caught the eye of a few Computer Science majors, who frequently deal with simple string constructions.
I was one of those Computer Science majors.
On a hunch, I got permission from a friend, who had yet to access their account, to guess their password. I succeeded on my first attempt and in a short time, had repeated the “hack” on a few other volunteers.
In short, I learned that accessing someone’s account only requires their name and University of Dallas (UD) email address, which is usually easily derived from their name.
The Dallas Morning News had aptly created the accounts without any user information, even the name of the account owner, so there was little danger of data being “hacked” or lost by such flimsy password standards. However, it would allow someone to post comments or otherwise interact with the DMN website under this false identity.
The full implications of this are currently untestable as the DMN website is presently “revamping” their comment system.
Anecdotally, some people have unsubscribed, using tools like Gmail’s unsubscribe feature in their inbox. Others have set up email filters to delete or archive the emails automatically. In both cases, some have not signed in to change their password, leaving open the possibility for malicious actors to use their identity freely on the DMN website.
This follows a disturbing pattern of flimsy passwords and access systems at the University of Dallas. UD is not exceptional in this, either in education or online systems generally.
However, we can do better.
On the institutional side, encouraging and forcing students to change their passwords after their first login on the myriad of services and sites that form the digital ecosystem of UD would be a good start.
After working at the help desk of the IT department for over a year, the lack of investment in cybersecurity is evident to me. Many of the services that maintain the system use the “Freemium” models, which use advertising to provide inferior versions of services for free.
This often results in limited accounts and fewer features that negatively impact the IT department’s functionality, despite valiant efforts from Professor Sabyasachi Sanyal and his team to cobble together a functional experience for UD students.
The myriad of services such as BannerWeb, Cashnet, The Forum (most recently), PaperCut (the print kiosk system) and others present a problem. They are often assigned the generic credentials of a UD email, or “username,” consisting of the first part of the email, and a student ID number in an attempt to smooth over the experience for students. This often results in situations such as the previously described DMN password, albeit with much more sensitive information at risk.
Students often misunderstand or forget the correct combination of their information to log in and will email or call the IT department, where the student worker in charge of responding has been directed to reset the account to its original credentials.
It is the industry standard to encourage resetting the password immediately if not already enforced.
This is not done currently at UD.
On the student side of this issue, a student body of independent thinkers should be responsible enough to think that reusing the same password for every account is merely lazy. Keeping track of passwords is a small and easy price to pay for the efficiency offered by technology.
A practical solution for students is a password manager. Easy to use and often free, these services remember passwords and sign in to online accounts automatically, all while offering state of the art security. A simple web search will render the most popular of these services.
Both UD and the student body should invest in developing a safer digital ecosystem.
As more and more facets of our lives include digital aspects, the costs of poor digital health will increase proportionally.