Attempts WILL be made to get personal information from you!
Don't fall for them!!
To be sure that messages, particularly those regarding passwords, are really
from UMD system administrators, check them against these guidelines:
- Messages should NEVER refer to you in generic terms such as "user"
or "customer."
- Messages should not include active Web links (you should never click a
link in an unsolicited e-mail message). Legitimate messages will always
refer you to a legitimate website that you recognize and can type into the
web browser yourself such as the OIT Password Web site at password.umd.edu.
- OIT Messages will include a PGP signature which can be validated with
appropriate software. A copy of the public key is available on this Web site.
Here are some web sites that have further information on e-mail phishing
scams:
Smith Notes mail is protected to a large extent by
Postini, our spam blocker. BUT no spam blocker can stop everything. Be
diligent in protecting yourself.
Why do I need a strong password?
How long do you think it will take to crack your password? You might be
surprised.
A hacker can crack a password that’s 7 characters long with upper and lower case
letters in only 3 hours with a simple cluster of ordinary computers. But change
some of those 7 letters to numbers and a special character (@#$%&*) and you
increase the time it takes to 8 1/2 days. Increase that password to 8 in length
and the time it takes to crack that password jumps to more than 2 years! Hardly
seems worth the effort.
Check this website for a chart showing how different password combinations stack
up.
http://www.lockdown.co.uk/?pg=combi&s=articles
(NOTE: The systems they describe as Class "D" are just like the desktops in our
offices, and what they call Class "E" is a cluster of ordinary computers - EASY
for any hacker to throw together.)
Here is another reference regarding the importance of password strength.
Password Quality Checks
A password cannot provide protection if it can be guessed by unauthorized
visitors. Potential attackers can also attempt to utilize every possible
combination of characters in order to break a password. Password composition
rules are chosen to ensure that the number of possible character combinations is
large enough that such an attack cannot be accomplished in a reasonable period
of time.
For Directory passwords, the following quality rules are applied:
- A password must be at least 8 and no more than 32 characters in length
(users of the CorporateTime/Oracle calendaring system should currently limit
their password to 15 characters).
- A password must contain at least one uppercase letter.
- A password must contain at least one lowercase letter.
- A password must contain at least one character from the set of digits or
punctuation characters (such as # @ $ & among others).
- You may not reuse a password you have already used.
Additionally, your password choice will be submitted to a program that
determines if your selection is likely to be identified by computer programs
that guess passwords based upon dictionary searches. This includes making simple
substitutions of digits or punctuation that resemble alphabetic characters (such
as replacing the letter S in a common word with the $ symbol).
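The rules above, together with the edge-space restriction stated under Selecting Good Passwords, can be expressed as a single check. This is an added example, not the Directory's actual checker: the word list is a constructed sample, and the look-alike mapping beyond S/$ and the stripping of trailing digits are assumptions.

```python
import string

SYMBOLS = string.digits + string.punctuation
# Constructed sample; a real checker would load a full dictionary.
SAMPLE_WORDS = {"password", "summer", "terrapin", "welcome"}
# Assumed look-alike mapping (the page names only S -> $).
LOOKALIKES = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a",
                            "0": "o", "1": "l", "!": "i", "3": "e", "7": "t"})


def dictionary_hit(password, words=SAMPLE_WORDS):
    """Return the dictionary word the password reduces to, or None."""
    lowered = password.lower()
    # Try the whole string, then the string without trailing digits/punctuation,
    # undoing look-alike substitutions in both cases.
    for candidate in (lowered, lowered.rstrip(SYMBOLS)):
        folded = candidate.translate(LOOKALIKES)
        if folded in words:
            return folded
    return None


def check_password(password, previous=(), max_len=32):
    """Return the list of violated rules; an empty list means acceptable.

    previous holds earlier passwords in plaintext for brevity; a real
    system would compare against stored password hashes instead.
    Pass max_len=15 for CorporateTime/Oracle calendar users.
    """
    problems = []
    if not 8 <= len(password) <= max_len:
        problems.append("length")
    if not any(c.isupper() for c in password):
        problems.append("uppercase")
    if not any(c.islower() for c in password):
        problems.append("lowercase")
    if not any(c in SYMBOLS for c in password):
        problems.append("digit-or-punctuation")
    if password != password.strip(" "):
        problems.append("edge-space")      # space may not be first or last
    if password in previous:
        problems.append("reused")
    if dictionary_hit(password):
        problems.append("dictionary")
    return problems
```

Note that "Pa$$w0rd" satisfies every composition rule and is rejected only by the dictionary step, which is why that step exists.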
Beginning in December, another state-mandated security feature will be
incorporated to defend against automated programs that attempt to guess
Directory passwords. If someone incorrectly guesses your password six
consecutive times, authentication of your Directory password will be blocked for
the next ten minutes.
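The lockout rule just described, as an added example rather than the Directory's own code. It assumes that a successful login resets the failure count and that attempts made during the block are refused without extending it; the class and function names are hypothetical.

```python
import time

MAX_FAILURES = 6             # consecutive wrong guesses (from the page)
LOCKOUT_SECONDS = 10 * 60    # block duration (from the page)


class LockoutTracker:
    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so the rule can be tested
        self._failures = {}          # account -> consecutive failure count
        self._blocked_until = {}     # account -> time the block ends

    def is_blocked(self, account):
        until = self._blocked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:   # block has expired
            del self._blocked_until[account]
            return False
        return True

    def attempt(self, account, password_ok):
        """Record one authentication attempt: 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(account):
            return "blocked"         # even the correct password is refused
        if password_ok:
            self._failures.pop(account, None)   # "consecutive" resets here
            return "ok"
        count = self._failures.get(account, 0) + 1
        if count >= MAX_FAILURES:
            self._failures.pop(account, None)
            self._blocked_until[account] = self._clock() + LOCKOUT_SECONDS
        else:
            self._failures[account] = count
        return "failed"


def simulate(events):
    """Replay constructed (seconds, account, password_ok) events in order."""
    now = [0]
    tracker = LockoutTracker(clock=lambda: now[0])
    results = []
    for seconds, account, password_ok in events:
        now[0] = seconds
        results.append(tracker.attempt(account, password_ok))
    return results
```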
Selecting Good Passwords
The password quality checks establish a minimally acceptable level of
password quality. Increasing the length of your password beyond eight characters
markedly increases the security of that password. No matter how complex your
chosen password might be, it will not be a secure password if you write that
password on a post-it note and keep that note where it might be discovered (the
underside of the keyboard is not a secure location).
Take advantage of the fact that the space character is a valid choice (although
not for the first or last character of the password) and create phrases or
sentences. A sentence with punctuation and one or two deliberate typographic
errors will be far easier to remember than eight random characters and (for many
people) will be easier for you to type whenever you need to authenticate.
For additional tips on selecting good passwords, please see the Password
Recommendations page from the OIT Help Desk.
SPAM filtering tool for RHSmith Notes accounts
As you may have heard in the news recently, as many as 9 out of every 10
emails sent nowadays are spam messages, and levels are up 12% year on year from
Q1 2009 (http://www.pcmag.com/article2/0,2817,2362638,00.asp).
Postini is a SPAM filtering service that is provided with your Smith email
account. If you have a Smith Lotus Notes account, your Postini account has
already been set up for you with default settings to begin filtering spam and
viruses. You do not need to do anything to begin using this service. However, it
is a flexible product that puts the user in control of spam and viruses. It is
up to you to decide how lenient or aggressive the filters are and/or which
addresses to allow through.