What's the Big Deal about Sharing Passwords?
Jun 09, 2009 at 03:05 PM

"Don't share your passwords with anybody." You hear this from a lot of people at SU: Human Resources, ITS, DSPs, and Audit and Management Advisory Services. It is also stated in the "Computing and Electronic Communications Policy". You may have even read this warning on the Internet or heard it on TV. What the heck is the big deal with sharing your passwords with somebody? Someone may need to access one of your files while you are on vacation, right? You have a job to do but your system access does not give you the proper authority to complete it, so you use someone else's. What harm could it do?

The whole idea of using a password to access a computer system is to identify you, uniquely, to the system. It is a means to authenticate you to the system as an approved user, and to keep unauthorized people from gaining access to the system and its data. The University has documented processes for requesting and approving access to various computer systems and data. This is especially true for the administrative computer systems that can contain sensitive or confidential information. This type of data should only be available to selected and approved individuals. Access to sensitive University information by unauthorized persons could be embarrassing to the University at a minimum and subject the University to legal redress at worst. For these types of systems, user IDs are logged to provide an audit trail of all transactions performed by each user.

Most computer systems log user activity by the user ID that was used to sign on. There are a number of reasons for logging users' activity on computer systems. It provides a means to research transactions in the event of a problem with a transaction, it can provide information in the event of a computer failure where information has to be reconstructed, and it can protect you in the event inappropriate transactions were processed on a system. The logs can show that your user ID did not process an inappropriate transaction or change system data; they can protect you from liability. If someone logs on to a system with your user ID and password, everything they do on the system will be attributed to you, whether it was you or not. Conversely, if you use someone else's ID, everything you do will be attributed to them. Therefore, the user ID establishes accountability for the actions taken on the system.

In today's world, many of the University's computers also provide access to email accounts and the Internet. Someone logging on to a computer using your user ID and password could send emails of a threatening nature, send spam, perform illegal downloads, or download viruses or spyware. Again, this will be attributed to you.

As you can see, the security of passwords is important. So protect yourself and don't share your password. You have been given access to computer systems and information that are necessary for you to perform your job or to accomplish your work here at Syracuse University. If you don't have the access you feel is necessary, go through the proper channels for requesting access; don't use someone else's password. If someone needs access to something of yours while you are away, sharing your password is not the proper way to handle it. If someone asks you for your password, don't give it to him or her. Also remember, the staff of ITS should never ask you for your password. If you suspect someone is using your password, change it immediately and report it to ITS. Don't use generic passwords where many people log in to a system with the same password. Accountability is lost when a shared password is used, and you may be placing yourself in a position to be held responsible for something you did not do. If you are placed in any of these situations, talk to your supervisor, Data Coordinator, DSP, or ITS to discuss the situation. Feel free to contact AMAS if you feel you need to. We can discuss the situation with you confidentially.

Change your passwords often and follow good/strong password selection rules. Passwords can be guessed or hacked so it is important you choose good ones. Guidelines for selecting strong passwords can be found elsewhere on the AMAS web site.


If you have comments about any of the items contained in this document, or have a suggestion of something else that should be included, please feel free to send them to AMAS at amas@listserv.syr.edu

Revised 04/18/07
