
Password and Duo Security

An uptick in compromised accounts reminds us to stay alert

Over the past month, the Division of Information Technology (DoIT) has seen an increase in password compromises. Whether the threat comes from phishing attempts or brute force attacks, there are plenty of ways to prevent your account from becoming compromised:

  • Do not accept any Duo Pushes that you did not initiate. Even after an adversary cracks someone's password, they still need to get through Duo’s two-step verification process. If you see a suspicious push sent to your device, deny it and report the attempt. For more information, please visit this FAQ article.

  • Regularly change your password. Old passwords that are used for multiple services are susceptible to being compromised. DoIT recommends using a unique password for UMBC and changing your password periodically in case your password has been compromised in the past. Check out this article on how to change your password.

  • Check your backup reset email and security questions for changes. Once an adversary has gotten access to an account, they will often try to establish persistent access to it by changing the reset email and security questions. To make sure your information has not been changed, check that your recovery information is correct. For information on how to view and update your security questions, refer to the "How do I setup my security questions to reset a forgotten password?" FAQ.


If you find that your password is no longer working, it is possible your account was scrambled or locked.


We scramble an account if: 

  • There are signs that the password to the account has been compromised. If your account is scrambled, all you need to do is reset your password.

We lock an account if: 

  • There are signs that an adversary has gotten past Duo’s two-step authentication and has changed the recovery information to the account. In order to recover a locked account, you will need to contact security@umbc.edu to verify your identity.

If you find any suspicious activity on your account or think your password has been compromised, contact security@umbc.edu immediately and reset your password. For more information on password safety, please visit the UMBC Password Safety FAQ.

Posted: July 15, 2024, 12:36 PM