Password Policy
Background
This policy describes the requirements and rules for the structure and use of passwords for authentication to the systems of the Hebrew University. The purpose of this policy is to protect the university's resources and information and to prevent unauthorized access to the organization's information and systems.
Scope
This policy applies to all users of the university's information systems, including students, academic and administrative staff, and external partners.
Policy
Password Structure for Authentication to University Systems (General Requirements)
- Unique password for each system (except for systems with single sign-on).
- Do not recycle passwords from non-university services and systems.
- Use multi-factor authentication whenever possible.
- If multi-factor authentication or SMS authentication is not used, the password must be changed at least every six months.
- The password must be at least 8 characters long.
- The password must contain at least three types of characters from the following list:
  - Lowercase English letters (a-z)
  - Uppercase English letters (A-Z)
  - Digits (0-9)
  - Special characters (@, !, $, % etc.)
- The password must not contain the username, first name, or last name.
- Do not use a password that has been previously used in the system.
- After several failed login attempts, access will be blocked for a defined period (between 15 minutes and 1 hour).
- Do not share your password with others.
- It is recommended to use a passphrase.
- It is recommended to use a password manager.
Removable Media Policy
Background
The use of removable media (disk-on-key, external hard drive) is common and accepted in the university despite many drawbacks. The recommended way to store organizational information is the employee's personal home folder.
However, sometimes there is no alternative but to use removable media for organizational purposes as well. To prevent leakage of organizational information in case of loss/theft of the drive, encryption must be performed.
Policy
- The use of removable media that was not issued by the university for the transfer of organizational information should be minimized as much as possible, due to the risk of transferring malicious software from non-university computers.
- To prevent leakage of organizational information to malicious parties, the removable media must be encrypted before use.
- Encryption will be performed using the means relevant to the operating system used by the employee.
- The password will be unique for each removable media.
- The password will be at least 12 characters long and will be composed of lowercase, uppercase, numbers, and special characters.
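A checker for the rules above, as an added example (not a tool of the university or part of this policy page). It applies the general-systems rules (8 characters, three of four character classes, no username or name, no reuse) and the removable-media rules (12 characters, all four classes) through one function; treating every non-alphanumeric character as "special", matching names case-insensitively, and accepting a plain list of previous passwords are assumptions of the example, not statements of the policy.

```python
import re

# Character classes listed in the policy. Any non-alphanumeric character is
# counted as "special"; the policy gives only examples (@, !, $, %), so this
# broad reading is an assumption of the example.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, username="", first_name="", last_name="",
                   previous=(), min_length=8, min_classes=3):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < min_classes:
        problems.append(f"uses {len(present)} character classes, needs {min_classes}")
    # "Must not contain the username, first name, or last name": compared
    # case-insensitively here (an assumption; the policy does not say).
    lowered = password.lower()
    for label, value in (("username", username), ("first name", first_name),
                         ("last name", last_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains the {label}")
    # Reuse check against earlier passwords. A real system keeps only hashes
    # of old passwords and compares against those; a plain list is used here
    # to keep the example self-contained.
    if password in previous:
        problems.append("was used before on this system")
    return problems


def check_system_password(password, username, first_name, last_name, previous=()):
    """General requirements for university systems: 8+ characters, 3 of 4 classes."""
    return check_password(password, username, first_name, last_name, previous, 8, 3)


def check_media_password(password):
    """Removable-media encryption password: 12+ characters, all 4 classes."""
    return check_password(password, min_length=12, min_classes=4)


if __name__ == "__main__":
    # Constructed sample user and passwords.
    for pw in ("Tr0ub4dor!", "Cohen2024!", "password"):
        print(pw, "->", check_system_password(pw, "dcohen", "Dana", "Cohen") or "ok")
    print("media:", check_media_password("Tr0ub4dor!") or "ok")
```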
Security Updates
Regular updating of Microsoft Windows and other software such as browsers and Office products is a critical factor in protecting your computer against hacking. Make sure the system updates automatically.
Microsoft provides two sets of updates for a Windows 10 computer. The first set consists of security updates, which are usually distributed once a month. The second type is called feature updates; these are usually distributed once every six months. Security updates are only delivered to computers that have received one of the last three available feature updates.
Firewall
Windows 7 and later versions have a built-in firewall, which is normally enabled by default. To ensure that your firewall is enabled, look at the instructions below:
Safe Internet Browsing
- Avoid as much as possible downloading free software from the Internet. Some free software contains bots and spyware.
- Do not click buttons or links in pop-up windows even if the window looks like a Windows error message. Pop-ups, Trojan horses, viruses, and spyware can take over your computer.
- Be very cautious when providing personal information and e-mail addresses on websites: make sure that the site is legitimate and secure (SSL), and make sure the SSL certificate is valid rather than forged or self-signed.
- Avoid adding plug-ins to your browser as much as possible.
- Do not install any other browser add-ons, such as icons, buttons, easy access to search engines, or any module that changes the original form of the browser.
Anti-spam
What is spam and who are spammers?
Spam is a problem for anyone who receives mail. The word "spam", in the context of e-mail, means mail sent without the recipient's consent as part of a bulk mailing in which all messages have the same content. If you have ever sent or received an e-mail message, you will probably also receive unsolicited bulk mail, known as spam. Spam is a profitable business for its senders: sending millions or billions of messages is cheap, so it pays off even if only a small percentage of recipients buy something in response.
How do they get my address?
Through newsgroups, chat rooms, and, mainly, large websites. There are millions of web pages that contain e-mail addresses, and spammers scan these pages to harvest them.
Through sites that are specifically designed to collect e-mail addresses by encouraging users to register, so that the data entered about them is collected. The most common source of e-mail addresses is "dictionary" searches against the mail servers of e-mail providers, guessing likely addresses.
The University's Spam Filter
The university uses a server-level anti-spam filter, which eliminates the need to install and update anti-spam software on any computer. If you did not receive mail that you expected, it may be on the Quarantine list. We keep suspicious messages in the "quarantine" for one week. If you have not received the expected mail, please send mail to infosec@savion.huji.ac.il.
Filtered outgoing messages
The university also checks outgoing mail for spam. Here are some tips to keep your mail from being classified as spam:
- Do not send the message to many recipients. The number of recipients must be limited to 200.
- If you send the message via Webmail, you will not be able to send the message from an address other than @ ... huji.ac.il
- When working with a web interface, you must log out by clicking the Disconnect button or link before closing the browser.
- Do not use many colors and decorations in the message.
- The clock on your computer should be synchronized to the correct time. Messages sent from computers with an out-of-sync clock are considered suspicious.
- If you have trouble adjusting the clock to daylight saving time, see: Setting daylight savings time
Antivirus
Any mail that arrives at the university mail servers is scanned for viruses. When a virus is detected, the attachment is discarded and the rest of the message is delivered to the recipient with a new attachment containing a notice from the antivirus on the university gateway. File extensions: attachments with the following extensions are blocked by most e-mail programs: .exe, .rar, .pif, .vbs, .scr, .cmd, .bat. If you still need to send a file with one of these extensions, zip it first and only then send the mail.
Phishing
Phishing is a deception attempt designed to steal your personal information. In phishing scams, attackers try to obtain personal information such as credit card numbers, passwords, account details, and other data by using fake e-mails to mislead people into entering their personal details. Phishing scams can arrive online via spam messages or pop-up windows.
Notice the following example. It is real, and it was sent to university researchers. In this example, the attacker tries to "catch" the user's passwords by sending an e-mail in the name of the faculty's computer unit:
From: administrator@agri.huji.ac.il
Sent: Tuesday, June 07, 2005 12:52 AM
Subject: Security measures
Dear Valued Member,
According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons. http://www.agri.huji.ac.il/confirm.php?email=tripler@agri.huji.ac.il
Thank you for your attention to this question. We apologize for any inconvenience.
Sincerely, Agri Security Department Assistant.
Safety Rules:
- Do not give out any personal information. If a suspicious e-mail arrives in your mailbox, please forward the message as an attachment to infosec@savion.huji.ac.il.
- Keep your browser up to date. If you follow a link from a suspicious e-mail, an updated browser can warn you about dangerous sites and block your entry.