[hcs-d] Important password security information

Jim Danz danz at fas.harvard.edu
Thu Dec 9 20:30:03 EST 2010


FYI, I amended the https:// bullet as follows for sending to Mather-open.
 Others can do as they please.  Thanks Jeremy for writing this up.


Hey Mather,

Every year at the CS 50 fair, hundreds of students demo their great new web
apps to the Harvard community.  While you should definitely try out as many
sites as possible, to be safe, you should:
- *Never* use an important password to register for any student's website.
 Always assume that any password you type might be seen by the site creator.
- *Never* give your FAS, @college, Gmail, Facebook or password to a
student's website unless you're at the familiar PIN authentication page or
logging in through the familiar Gmail or Facebook login pages.
- *Be wary* before logging in to any website when you don't see https:// in
the address bar.  If you don't see https://, your password may be being
transmitted in plaintext.
- Be aware that by logging into your Facebook or Google accounts at the fair
you are very vulnerable to Firesheep and account hijacking.

Enjoy the fair!
Jim

On Thu, Dec 9, 2010 at 8:23 PM, Jim Danz <danz at fas.harvard.edu> wrote:
> OK, that SGTM.
>
> On Thu, Dec 9, 2010 at 8:13 PM, Jeremy Cushman <jscushman at gmail.com> wrote:
>> I support sending this out as concerned individuals.
>>
>> On Thu, Dec 9, 2010 at 8:09 PM, Jim Danz <danz at fas.harvard.edu> wrote:
>>>
>>> Wait, before this goes out, what is going to be the branding on this?
>>> Are we just supposed to send it off as if we're individuals with our
>>> opinions, or is this an official "HCS" warning?
>>>
>>> On Thu, Dec 9, 2010 at 8:05 PM, Jeremy Cushman <jscushman at gmail.com>
>>> wrote:
>>> > And actually, perhaps the third one (Never log in to any website when you
>>> > don't see https:// in the address bar) is too strong; the important part is
>>> > that it's submitted to a page that uses https, but I wasn't sure quite how
>>> > to explain that.
>>> > Jeremy
>>> >
>>> > On Thu, Dec 9, 2010 at 8:02 PM, Jeremy Cushman <jscushman at gmail.com>
>>> > wrote:
>>> >>
>>> >> Here's a password security PSA; it would be awesome if we could get this
>>> >> out to all the house/dorm lists tonight!  Obviously substitute in the house
>>> >> name and your name at the bottom :-)
>>> >> Feel free to tweak it around too if you'd like.
>>> >>
>>> >> Jeremy
>>> >> ------------------------------
>>> >> Hey [housename],
>>> >> Every year at the CS 50 fair, hundreds of students demo their great new
>>> >> web apps to the Harvard community.  While you should definitely try out as
>>> >> many sites as possible, to be safe, you should:
>>> >> - Never use an important password to register for any student's website.
>>> >>  Always assume that any password you type might be seen by the site creator.
>>> >> - Never give your FAS, @college, Gmail, Facebook or password to a
>>> >> student's website unless you're at the familiar PIN authentication page or
>>> >> logging in through the familiar Gmail or Facebook login pages.
>>> >> - Never log in to any website when you don't see https:// in the address
>>> >> bar.
>>> >> - Be aware that by logging into your Facebook or Google accounts at the
>>> >> fair you are very vulnerable to Firesheep and account hijacking.
>>> >> Enjoy the fair!
>>> >> [name]
>>> >
>>> > _______________________________________________
>>> > hcs-discuss mailing list
>>> > hcs-discuss at lists.hcs.harvard.edu
>>> > https://lists.hcs.harvard.edu/mailman/listinfo/hcs-discuss
>>> >
>>> >
>>
>>
>