Independent student newspaper of Bishop’s University

By Gabrielle Liu – Editor-in-Chief

On Jan. 17, students, staff and faculty received an email announcing that Bishop’s would be phasing out seven-character passwords in favour of a new requirement of 12 or more characters. Why? In less than the time it took you to read that first sentence, a computer could have hacked your seven-character code. The Campus sat down with Scott Stoddard, manager of IT support services at Bishop’s, for a chat about the new password policy and cybersecurity today.

Photo courtesy of Emily Crunican

According to Stoddard, this is the first campus-wide password policy change in at least the last 15 years. Our lives are far more online now than they were then. Our emails are highly targeted treasure troves as recovery backups for social media, shopping accounts and accounts with private information. For a business office or an institution, cybersecurity attacks can be incredibly costly. The rate at which hackers attack and the consequences involved have risen as all of our lives are online or in the digital world, he says. ITS’s ticketing system Octopus, where users can request ITS help, is indicative of this. Stoddard says that around 2008, when Octopus was first implemented, they received 1000 tickets a year. Now, they could receive 1000 tickets every week and a half.

The new 12-character passwords are meant to protect against brute force attacks, where a computer repeatedly enters passwords until it succeeds. A widely cited study by the security firm Hive Systems says it takes only four seconds for a brute force attack to crack a 7-character password (with lowercase, uppercase, a number and a special character). Stoddard notes that Bishop’s prevents these attacks from happening in the first place through account lock-outs and multi-factor authentication (MFA).

ITS recommends using a passphrase: a series of set words and numbers (e.g. rainbow-45-GREEN-sheep) that is easier to remember than a random jumble of characters. While discernible words may seem to be less secure, computers have no way of knowing the length of your password, explained Stoddard. Thus, they wouldn’t know where the word “rainbow” is placed in the possible expanse of your password. A long, memorable passphrase is therefore effectively very secure.

Bishop’s users will now have to use MFA only every 30 days instead of 14. “Security is always a balance between convenience and security”, says Stoddard. He recalls that while MFA is widely used across banks today, financial institutions hesitated before implementing it. Their customer bases weren’t just tech-savvy teenagers, but elderly people. The security side of the spectrum seems to be gaining in popularity these days, he says. Stoddard mentions that Bishop’s is working on adding geographical identity to the MFA process so students and faculty can see where exactly a login is taking place.

Students should use different passwords for every account, stresses Stoddard, despite human nature. Password managers like iCloud Keychain will help them auto-save and auto-fill these passwords. Stoddard says that in general, there is a need for more digital security literacy and Bishop’s could benefit by implementing some form of training. He notes that students are digitally enabled these days with their phones and apps, but there is a lack of sufficient knowledge when it comes to cybersecurity and digital privacy. Furthermore, the world of artificial intelligence is progressing rapidly, to a point where he says families are being taught to create a “safe word” to counter AI-generated voices posing as family members in phone call scams. Amidst scams, deep-fakes and powerful technology, Stoddard reminds us that while there are a lot of people doing “bad” things with technology, there are also many who are using it for good.
