Educause Security Discussion mailing list archives

Re: stopping students sharing their login credentials


From: "Rizzo, Jim" <JRIZZO () PROVIDENCE EDU>
Date: Thu, 22 Jan 2009 23:06:41 -0500

It is also part of our AUP that no one share their account info.  If we find someone has caused large enough problems, 
they go to student affairs for punishment (that's not our job).
 
You could put a policy in place where you disable their account for a certain amount of time.  We actively "disable" 
the accounts of people who reply to phishing messages with their passwords (by disable in this case, I mean change 
their password so the phishers can't use the account) and then we explain what they did was bad when they come to have 
it reset.
 
Other than that, there's not much else you can do.
 
Jim
 
--
Jim Rizzo
Helpdesk Manager
Providence College
(401) 865-1277
jrizzo () providence edu
AIM: JRizzoPC
http://itweb.providence.edu/helpdesk
http://selfhelp.providence.edu

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Barry Lynam
Sent: Thu 1/22/2009 10:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] stopping students sharing their login credentials



Hi,

At QUT disclosing your password or obtaining someone else's password is
against the Information facilities (i.e. IT) rules.  Students and staff agree
to the rules every 60 when their password changes.  If a student breaks a
rule we (IT Security) have the power to interview and impose a penalty.  We
usually don't apply a penalty, just require them to come in for an interview
where we explain the breach and that we take them very seriously, don't do
it again.  We usually never see them again.  It's generally known that we
enforce the rules.

Until about 12-15 months ago we didn't do the interviews and impose
penalties, another area did them.  I don't think we should, I think that
someone in the student admin area should do that, but that is how it is for
now.

We have no technical barrier to stop this sort of activity, but have
considered implementing our SSO to only allow logins from one source, but it
won't work the way we've implemented it.

Barry Lynam


On 23/01/09 12:25 PM, "Russell Fulton" <r.fulton () AUCKLAND AC NZ> wrote:

Background:

Earlier this week we had an incident where the building security
officer noticed a group of unfamiliar people using machines in one of
our labs.  She asked them for their ID cards and none could (would?)
produce one.  On questioning they said they were students from a
neighbouring institution and that they were using "borrowed" credentials.

We have CCTV footage and swipe card logs from the door (which may show
they tailgated someone in).   We are now tracking down which machines
were being used so we can disable the accounts.

To the point.

We (the security techies) have been asked what measures we can deploy
to prevent this sort of thing happening in future.

We already do lots of education, posters, page on the back of the
student handbook. Students have no excuse for not knowing that they
should not share passwords.

On the social/education side we could make an example of anyone we
finger for this (assuming we can make charges stick) in the hope that
this will persuade other students not to share their passwords.

Technical solutions seem to revolve around some form of two factor
authentication.  I.e. something the student has but which they will be
reluctant to part with for any length of time.  Like their ID card.

Our ID cards have bar codes and classic mag stripe.   Some labs (like
this one) also have proximity card locks.  Generally only post grad
students or students in special courses (like medicine) have proximity
cards.

Anyway I would very much like to know what others are doing in this
space.

Cheers, Russell




--
Barry Lynam | Manager, IT Security | IT Services | QUT
Phone: +61 7 3138 9408 | Fax: +61 7 3138 2921
Postal: Level 12, 126 Margaret St | GPO Box 2434 | Brisbane QLD 4001 |
AUSTRALIA
Email: b.lynam () qut edu au | http://www.qut.edu.au/security/
CRICOS No 00213J  
