Password Hygiene

Scam artists and criminals are always trying to steal UCSC accounts. They want access to your account for various reasons, such as transferring money out of your bank account, sending spam from your e-mail account, or gaining access to secure resources that they are not supposed to have access to, like the campus wireless network. It is your responsibility to practice "good hygiene" when it comes to using the Internet. Some things to keep in mind:

  • A UCSC employee will never ask you to send your password via e-mail, and a UCSC employee will never ask you to tell them your password verbally. You should never divulge your password verbally to anyone, and you should never write your password down.
  • When visiting a web site that asks for your password, you should ensure that you are actually connected to a secure UCSC web site before entering your login name or password. You can use the guide below to determine if the web site you are looking at is authentic.
  • If you use a "password safe" application, make sure the database is encrypted using a strong password or passphrase.
  • You should never open attachments in your e-mail unless you are expecting the attachment. Even if the attachment comes from someone you know, if you are not expecting the attachment, do not open it. Often, when someone gets a virus, the virus will e-mail itself to everyone in the affected person's address book, and those e-mails will appear to come from the user who has been infected.
  • Make sure your antivirus software is always running and up-to-date, and always be sure to keep your operating system patches up-to-date, especially Windows Updates.
  • You should use different passwords for your UCSC accounts than you use for non-UCSC accounts, especially for banking and other money-related services.

Recognizing a Secure UCSC Web Site

You can tell if you're looking at a secure UCSC web site by looking in your web browser's address bar. Secure UCSC web addresses will always start with https:// and contain ucsc.edu/. Some examples of secure UCSC web addresses are:

  • https://itrequest.ucsc.edu/cgi-bin/WebObjects/itrequest.woa
  • https://vpn.soe.ucsc.edu/
  • https://www.soe.ucsc.edu/home

Please note that some UCSC services are provided by external vendors, such as Google. These services may use your UCSC password, which does confuse matters considerably. It is a good idea to ask an ITS employee about logging in to a UCSC service that is hosted by a vendor before you log in the first time to make sure that the vendor is legitimate.

The key elements to look for are:

  • The address must start with https://. If you see http:// or anything else, it is most likely not a secure web site.
  • The address must contain ucsc.edu/. There should be no additional characters between the edu and the / character. If there are extra characters there, the site you are looking at is probably inauthentic and insecure.
  • There should be no special characters or punctuation between the https:// and the ucsc.edu/ parts of the address. Be especially wary of addresses that have the @ character in them, as these are especially troublesome.
  • Your web browser should not present any warning or error messages about invalid SSL certificates. If you get such a warning or error, the site you are visiting is most likely fraudulent.

Some examples of invalid web addresses that you should NOT enter your password on are:

  • https://secure.ucsc.edu@securesite.com/
    Why: This web URL contains an @ character, which is included to confuse you into thinking you are logging in to a UCSC web site when you are really logging in to a site called "securesite.com".
  • https://ucscsecurewebsite.com/
    Why: This web URL links to a non-UCSC web site, even though the letters "ucsc" appear in the domain name. UCSC only uses the ucsc.edu domain name for its secure web sites.
  • https://ucsc.edu.secure.something.com/
    Why: This web URL links to something.com and is not affiliated with UCSC, even though it contains UCSC in the URL.
  • https://secure.mysite.com/ucsc.edu/
    Why: This web URL links to the secure.mysite.com web server, which contains a folder called "ucsc.edu".
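
The rules above can also be applied mechanically. The following is an added example, not part of the original UCSC guide: it parses an address the way a web browser does and reports which rule it breaks. The function name checkUcscUrl and its result fields are hypothetical, and the http:// sample is constructed for illustration.

```javascript
// Added example: applies the address rules listed above.
// checkUcscUrl and its result fields are hypothetical names for this sketch.
const TRUSTED_DOMAIN = "ucsc.edu";

function checkUcscUrl(address) {
  const reasons = [];
  let url;
  try {
    url = new URL(address); // the same WHATWG URL parser browsers use
  } catch (err) {
    return { ok: false, host: null, reasons: ["not a parseable address"] };
  }
  // Rule 1: the address must start with https://
  if (url.protocol !== "https:") {
    reasons.push("does not start with https://");
  }
  // Rule 3: text before an @ is login data, never the site name.
  if (url.username !== "" || url.password !== "") {
    reasons.push("contains an @ character before the real site name");
  }
  // Rule 2: the host must be ucsc.edu or end in .ucsc.edu, so the
  // address reads "...ucsc.edu/" with nothing between "edu" and "/".
  const host = url.hostname.replace(/\.$/, "");
  if (host !== TRUSTED_DOMAIN && !host.endsWith("." + TRUSTED_DOMAIN)) {
    reasons.push("site is " + host + ", which is not under ucsc.edu");
  }
  return { ok: reasons.length === 0, host, reasons };
}

// Addresses from the lists on this page, plus one constructed http:// case.
const samples = [
  "https://vpn.soe.ucsc.edu/",
  "https://secure.ucsc.edu@securesite.com/",
  "https://ucscsecurewebsite.com/",
  "https://ucsc.edu.secure.something.com/",
  "https://secure.mysite.com/ucsc.edu/",
  "http://www.soe.ucsc.edu/home", // constructed: right site, wrong scheme
];
for (const address of samples) {
  const result = checkUcscUrl(address);
  console.log(result.ok ? "OK    " : "REJECT", address, result.reasons.join("; "));
}
```

This check covers only the address itself. It cannot see certificate warnings, and it will reject UCSC services hosted by an outside vendor, which still need to be confirmed with ITS as described above.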

Keeping Your Web Browser Secure

Almost all web browsers use plug-ins to provide features that are not part of the core web browser. Plug-ins, such as Flash and Acrobat, often have security vulnerabilities that need to be fixed periodically.

If you use Firefox, you can perform a plug-in update check to make sure that you have the most current version of your plug-ins. If you use Internet Explorer, you should visit the Microsoft Windows Updates page regularly. Users of other web browsers should check with the software vendor for information about how to check for updates.

For More Information

If you have any questions, please visit the BSOE help desk in Baskin Engineering, Room 314. You can also open a support ticket by e-mailing help@soe.ucsc.edu.