Premium Password Management for SJSU

One of the driving goals of SJSU IT is to make San Jose State University the safest campus in the country. Our strategy for getting there is to make security easier. We use a layered approach to put extra barriers between attackers and your data. One of the simplest but most effective protections is good password management — having strong passwords unique to each site you use that you change regularly. But that can be a pain. With dozens or hundreds of accounts all over the web, it’s almost impossible for us to keep track of what passwords we’re using where and when we last changed them. A password manager simplifies that whole process for you, making everyday security easier.

I first let campus know about our plans to bring LastPass’ enterprise password management to everyone in our campus community at no cost back in October 2020. LastPass will suggest, store, and autofill extra-secure random combinations of numbers, letters, and symbols for all of your accounts. Because LastPass encrypts all of your passwords, it’s much more secure than keeping them on a notepad or Google Doc and more reliable than trying to remember everything. 

The SJSU IT Information Security Office will continue to keep you updated on when it’s ready for you.

I want to thank Ravi Pisupati, Michael Hastings, Nikhil Mistry, Tristan Orlino, Andy Trembley, Bruce Gardner, and Jason Ferguson for working on bringing LastPass to our community.

Best regards,
Bob Lim
Vice President of Information Technology
and CIO at San Jose State University

Simplifying Password Changes and Resets

An example of the password challenge screen.

SJSU IT will be simplifying the way you change and reset your password for your SJSUOne account. When these changes go live, you’ll be prompted to add a challenge question and answer to your account. Once completed, you will have the ability to reset your password directly through the login interface you’re already using. The new process is simpler and more user-friendly — you’ll be notified of your expiring password when you attempt to log in and have the option to change it right away.

While this is a small change for our university, it represents a double-win for our long-term technology strategy. This closes two small holes for attackers to exploit (adding a challenge question and allowing you to change your password right away without reminder emails or going to another site), getting us closer to our goal of becoming the most secure university in the nation. It also streamlines backend processes, increasing opportunities for automation and integration.

We’ll email our faculty, students, and staff with more details when we go live in March/April 2021.

I want to thank Maggie Panahi, Natasha Jones, Andy Trembley, Tristan Orlino, Jason Ferguson, Sharon Watkins, and Bruce Gardner, who have been working hard to get this ready.

Best regards,
Bob Lim
Vice President of Information Technology
and CIO at San Jose State University

Bringing Multi-Factor Authentication to Our Students

Last fall, we began encouraging students to sign up for Duo Multi-Factor Authentication (MFA). This semester, we’re making it mandatory. The rollout is happening in waves, with the last group’s final date set at April 9, 2021. 

Group | First Semester of Enrollment | Activation Date
Group 1 | Summer 2019-Fall 2020 (Last Name A-M) | February 26, 2021
Group 2 | Summer 2019-Fall 2020 (Last Name N-Z) | March 5, 2021
Group 3 | Spring 2021 | March 12, 2021
Group 4 | Spring 2018-Spring 2019 | March 19, 2021
Group 5 | Fall 2017 & Earlier | April 9, 2021

Our data shows that Duo works at SJSU. Over the last six months leading up to February 2021, Duo blocked access almost 100,000 times, which is 4.6% of all attempted logins during that time span. Recently, other campuses without MFA have been hit through unprotected student accounts. 

Protecting our student accounts with Duo is a major part of our strategy to be one of the most secure campuses in the country. Attackers have started playing the long game. They’re gaining access to students’ accounts, targeting people majoring in fields that are high income or who may have access to valuable research. Once they have passwords that work and access they can use, they wait five, ten, or more years to use that access to ransom user data or get into secure corporate systems. Duo for our students isn’t just about protecting them while they’re on campus, but protecting them when they’re alumni.

There are lots of people in SJSU IT working on this rollout, but we couldn’t have done it without the support of Student Affairs, especially Robb Drury and Bonnie Sugiyama. I want to call out Maggie Panahi, Jason Ferguson, Sharon Watkins, Alfred Eclipse, Tristan Orlino, Andy Trembley, and James Anderson for their contributions. 

Best regards,
Bob Lim
Vice President of Information Technology
and CIO at San Jose State University

Cybersecurity Newsletter for Fall 2020

Dear SJSU Community,

With the transition to remote modalities, most of you are now learning, teaching, and working from home without the protections of SJSU’s fortified network. This coincides with an uptick in cybercriminal activity as malicious attackers look to prey upon our uncertainties and anxieties. We want to help by giving you the tools and resources to protect your digital life.

Security is very important for us. It’s one of our driving goals, as outlined in President Papazian’s Transformation 2030 strategic plan. We want to be the safest university in the country. And it’s even more important to us today as we look outside traditional answers to protect you off-campus.

Sophos
We’ve partnered with Sophos, our campus antivirus vendor, to secure Sophos Home Premium licenses for faculty, staff, and students. Sophos Home Premium is an industry-leading, AI-enabled antivirus tool with features like real-time antivirus monitoring, ransomware protection, privacy & identity protection, and more. Home Premium usually retails for $60, but you can use your @sjsu.edu email account to download and install it for free on up to 10 computers.

Duo Multi-Factor Authentication
As of December 2019, all faculty and staff were required to have Duo Multi-Factor Authentication on their SJSU accounts. Adding an additional layer of security by requiring login confirmation from a mobile device has made their accounts much, much more secure. In April, we opened up this option for students who wanted to protect their accounts from malicious agents. Over the next year and a half, we’ll be gradually requiring students to enable Duo on their accounts. If you’re a student, we highly encourage you to sign up early and protect your account today. Plus, if you enroll in Duo, we’ll extend your password renewal timeline from 180 days to two years. You can learn more about Duo and how it works on our Duo for Students website.

LastPass
A strong password is the first line of defense for your account. We’ll be partnering with LastPass to provide premium password management software for all SJSU students, faculty, and staff. We all know that we should have different passwords for every account we have everywhere. Still, all those passwords can be hard to remember and continually coming up with new ones feels like an uphill battle. LastPass will suggest, store, and autofill extra-secure random combinations of numbers, letters, and symbols for all of your accounts. Because LastPass encrypts all of your passwords, it’s much more secure than keeping them on a notepad or Google Doc. We’ll follow up with you on where and how to add SJSU LastPass to your devices later this semester.

Constant Vigilance
The first, best, and most effective defense against malicious actors is always you. The SJSU IT Information Security team has resources, training, and help for you to become a more critical user. I encourage you to explore our website, sign up for a Zoom training, and try some of the available security tools.

Thank You
I know that not everybody finds information security as exciting a topic as I do. So I want to thank our entire university, all the way from incoming frosh to President Papazian, for taking data safety so seriously. Together, we can make SJSU the safest campus in the country.

Regards,
Bob Lim
VP of Information Technology
and CIO at San Jose State University

Hien Huynh
Information Security Officer
SJSU IT

Premium Antivirus for SJSU

SJSU IT has partnered with Sophos to provide advanced antivirus and digital safeguards at no cost to you. Sophos Home Premium has all of the same excellent desktop protection features as the enterprise version we use on campus: AI threat detection, ransomware protection, privacy protection, and more. Thanks to our strategic partnership, Sophos is offering this free to SJSU at a cost of $800,000. 

Because so many folks in our campus community are learning, teaching, and working remotely, we have to change the way we think about security. In the old paradigm, SJSU’s fortified campus network protected students, faculty, and staff who worked and conducted research from machines entirely within our environment. While connecting to the campus network via VPN or DaaS is still the most secure choice, we need to give more options to protect you wherever you work. COVID may have accelerated how we approach security, but our goal to have a mobile campus has always meant we’d need to expand our definition of security. This partnership will bring the kind of enterprise-grade security we use on university machines to your home devices. 

Download Sophos Home Premium today with your SJSU email address.

Thanks go to Michael Hastings for getting this ready for SJSU.

Best regards,
Bob Lim
Vice President of Information Technology
and CIO at San Jose State University