For the second time since March, Mississippi State University has increased its security measures for student and staff accounts.
On October 30, MSU began slowly rolling out a new policy that mandates that all new MSU NetPasswords, which are used to log in to applications like Canvas and MyState, must be a minimum of 16 characters.
Thomas Ritter, MSU’s chief information security officer, explained that the decision to increase password length was influenced by measures he saw that other universities were taking.
“I haven’t gone off and done a big survey, but I’m aware of plenty of schools that have longer password requirements than eight characters,” Ritter said.
Ritter explained that hackers posing as reputable sources to gain information, also known as phishing, is one of the most common online threats to students.
Ritter said hackers often target college students by posing as job recruiters. These “job recruiters” get students to provide personal information through fake job applications and online conversations. They then use this information to commit identity theft.
“The story I have heard numerous times from students is jobs,” said Ritter. “They are looking for jobs or a business position. It pays wonderfully, $400 a week, only a few hours of work. Next thing you know, the deal is just too good to be true, and it is too good to be true.”
However, Ritter said phishing is not the only cybersecurity threat plaguing MSU.
“We essentially are under constant attack at MSU in a variety of different ways,” Ritter said. “They are trying to find vulnerabilities on our servers. They are connecting to services like our VPN and trying to brute-force passwords. The concern that you get into is that passwords that are only eight characters long are trivially easy to crack.”
Earlier this year, MSU increased security measures by requiring MSU students and faculty to enter a code on the Duo Mobile two-factor authentication app. Previously, MSU personnel only had to approve a push notification from the Duo Mobile app.
The change in the Duo Mobile requirements has sparked mixed reactions from students on campus. Mariah Mack, a junior biological science major, complained the change is inconvenient and makes it harder to log in.
“I get the point of it, but the two-factor authentication is kind of a hassle,” Mack said. “I preferred before when it was just a notification. Before, I could just use my Apple watch to verify login, but now it is a code you have to type in from the app, which I find obnoxious.”
Elisabeth Reaux, a senior animal and dairy science major, feels that having to keep her phone with her because of Duo Mobile is inconvenient.
“I always have to make sure that I have my phone on me,” Reaux said. “And if it is in another room when I go to log in, I have to go and get it, which bothers me.”
However, Reaux said she understands the need for stronger security and two-factor authentification.
“Before, if somebody got your login, they could just log in, but now Duo Mobile notifies you if someone is trying to log in,” Reaux said. “So, if you accidentally left your password saved on a computer at school, nobody can log in because of Duo Mobile.”
Mack and Reaux also commented that they found the new 16-character password requirement to be excessive.
Despite concerns, Ritter defended the need for longer passwords, stating it is backed by statistics from the Federal Bureau of Investigation.
“If you look at what the national standards say — what the federal government recommends, what the FBI recommends — they all recommend a long password,” Ritter said.