Passwords
- Ensure your password is difficult to guess by both a computer and a human. 11IwtKoS is an example of a moderately good password. While not the strongest, since it is fairly short and has no special characters ($#@! and the like), it looks like a random string of letters and numbers yet can be easily remembered: 'ones I was the King of Spain.' Your dog's or significant other's name is a terrible password, as anyone who has that information can guess it. This site has an amusing take on password strength.
- Make use of password wallet utilities such as:
  - Apple's Keychain (Apple macOS/iOS; cron's recommendation)
  - LastPass (free to the MIT community)
  - 1Password
Of these, we recommend that Macintosh/iOS users stick with Apple's Keychain, which couples random password generation with syncing across all Apple devices. Further, the Keychain remains fully encrypted such that only you have access to its contents; Apple does not. For others, LastPass is free and fully supported by IS&T, so it is a good option. 1Password is like LastPass and as popular, but requires payment and is not directly supported by IS&T. The greatest advantage of these products is that they enforce good password policies, specifically: random password generation; a unique password for every account; and an easy means of managing and using these random, unique passwords so that you need never remember them.
- Do not share your password with anyone, not even cron. We don't need it (nor do we want it), and neither does anyone else.
- You will occasionally get emails claiming to be from IS&T, the MIT Webmaster, or the like asking for your username and password. These are always scams. No one legitimate will ever ask for your password over email. Similarly, never click on a link in an email unless you're positive you trust the person from whom it came. If in doubt, forward the email to cron for guidance.
- Multiple users: If you have multiple people using your computer, create a separate account for each user. Do not share accounts (and preferably, do not reuse passwords across accounts). You may wish to make these additional accounts non-administrator accounts so that you retain full control over your computer.
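The two kinds of guessability in the first bullet can be checked mechanically. The checker below is an added example, not part of the original page: it estimates the search space a computer faces (length times the alphabet a password draws from) and separately flags passwords built around personal terms an acquaintance could guess. The list of personal terms is constructed for the example; a real check would take it from the user.

```python
import math
import string

# Constructed for this example: names an acquaintance might know (pet, partner).
PERSONAL_TERMS = ["rex", "sam"]


def charset_size(pw: str) -> int:
    """Alphabet a brute-force guesser must cover, judged from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII special characters
    return size


def entropy_bits(pw: str) -> float:
    """Bits of search space if the password looks random: len * log2(alphabet)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def human_guessable(pw: str, personal_terms) -> bool:
    """True if the password contains something a person who knows you would try."""
    low = pw.lower()
    return any(term.lower() in low for term in personal_terms if len(term) >= 3)


def rate_password(pw: str, personal_terms=PERSONAL_TERMS) -> str:
    """Rough verdict in the page's terms: weak, moderate or strong.

    A password built on a personal term is weak regardless of length, because
    it is guessable by a human. Otherwise the verdict follows the computer's
    search space, with 'strong' reserved for long passwords that also use
    special characters (the two things 11IwtKoS lacks).
    """
    if human_guessable(pw, personal_terms):
        return "weak"
    bits = entropy_bits(pw)
    if bits < 40:
        return "weak"
    has_special = any(c in string.punctuation for c in pw)
    if bits < 60 or len(pw) < 12 or not has_special:
        return "moderate"
    return "strong"
```

For the page's example, 11IwtKoS draws on 62 symbols over 8 characters, about 47.6 bits, which lands it at "moderate" exactly as the text describes.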
DUO : Two-factor Authentication
In many cases, and certainly those involving internet-based accounts, two-factor authentication is not only recommended but required. MIT enforces two-factor authentication for most of its services through DUO.
Normally services are protected by something you know, usually a secret such as a password or certificate. Two-factor authentication adds another layer of protection by ensuring that the person accessing the resource not only knows the password but also has something in their possession, usually an iPhone, landline, YubiKey or the like.
All MIT users should register for DUO here: duo.mit.edu. More information can be found here.
Hard Disk Encryption
Whole disk encryption ensures no one has access to your files if the device is stolen (provided they cannot guess your password). Without disk encryption, it is trivial for someone to gain access to all your files even without knowing your password. Further, hard disk encryption on the Macintosh allows one to remote-wipe the entire contents of the drive, just as one can with Find My Phone.
We recommend you enable FileVault on your Macintosh. eCryptfs, included in most Linux distributions, can encrypt individual home directories on Linux. For Windows, we recommend Windows' built-in BitLocker (requires Windows Enterprise or Ultimate; not available under Boot Camp).
Firewall
Firewalls protect your computer from attempts to connect remotely. Think of your computer as a house with many doors. The firewall closes and locks the doors you don't use so that no one can sneak in through them and leaves the rest available for people with keys.
- Macintosh and Windows machines have firewalls built in, accessible from System Preferences on a Macintosh and from the Control Panel under Windows.
- For Linux, we recommend either UFW or Firestarter: help.ubuntu.com/community/Firewall. Both are free and easy to use.
VPN : Virtual Private Network
MIT’s VPN service joins your computer, wherever it may be, to the MIT network. It does so in encrypted fashion ensuring a secure internet connection. Some services at MIT (e.g. the Libraries, ArcGIS, etc.) require a VPN connection.
The MIT VPN software, GlobalProtect, can be downloaded and configured from here.
Cloud Storage
Though cloud storage services such as Dropbox, OneDrive and so forth are generally secure in the sense that files are encrypted in transit and at rest, many providers fail to provide any meaningful assurance of privacy. See Cloud Storage for details.
Malware
- All operating systems these days have automated update systems. Use them: among other things, they provide certificate revocation capabilities that can keep some compromised applications from running.
- If you're running Windows, we recommend Sophos, as we believe it is better than McAfee or the default Windows anti-virus.
- A trojan is a form of virus that relies on tricking you into installing it. No operating system is completely secure from this form of attack if the user is careless. On Windows, be careful when clicking on links to sites with which you aren't familiar. On Macintosh or Linux computers, don't enter your administrative password unless you know why it is being asked for. On all operating systems, make sure you're up to date with all security updates for both the OS and whichever web browser you use.
Mobile Devices
- Smartphones and tablets are very handy, but are also easily lost or stolen. By keeping the software secure, you prevent your emails and other personal data from being lost or stolen even if the device itself is.
- Practically all mobile devices have an optional passcode lock. A passcode set on an iPhone/iPad will encrypt all content on the device. The iPhone can even be set to erase itself if the passcode is entered incorrectly 10 times in a row.
- Most devices have a remote wipe capability. If the device is on, you can connect to it through a website or computer application and erase its entire contents.
- When at MIT, connect to the MIT Secure wifi network instead of MIT.
- For in-depth instructions on securing your mobile device, covering most popular devices, see here.
Physical Security
- Lockdowns can be purchased almost anywhere you can buy computer equipment.
- Locked doors provide security only as far as the key or combination travels. The studios and computing clusters are extremely low security and are heavily targeted by thieves. We have laptops stolen every year. Do not, under any circumstances, leave your laptop unattended in a studio or cluster for even a couple of minutes.
- If you have a private office, lock down any portable equipment you leave overnight, or hide it in file cabinets.
Recovering Stolen Hardware
- STOP tag registrations are offered approximately once per month by MIT Campus Police. While primarily a deterrent, this particular system has a good record of equipment recovery. Be aware that it doesn't protect against data theft if a computer is stolen.
- Apple's iCloud includes Find My Mac, which runs silently in the background and can be used to locate a stolen MacBook, iPhone, or iPad. You can also remotely lock and remotely wipe the device if it is lost. If you've just misplaced your iPhone, you can make it sound an alert until you finally locate it behind the sofa, even if it's in vibrate mode.