Why the UIS might change a password
The UIS user name (CRS ID) and password are the key to accessing many University IT resources. For this reason they have an inherent value to a potential criminal or cyber attacker, and they are sometimes stolen and misused.
In these situations the solution is to change, or reset, the password as soon as possible, thereby removing the attacker's access and preventing further misuse of the account.
When possible, the UIS will try to contact an affected individual asking them to change the password. This allows the individual to maintain access to their account throughout. However, there are situations when this is not possible.
Examples that require the UIS to change a user's password
If the UIS has made a reasonable attempt to contact a user, or the compromise is considered high enough risk to require immediate action, UIS staff may be obliged to change the user's password. In these situations CamCERT, or other UIS staff, will place a request with the User Admin team.
The following examples illustrate when the UIS may change a user's password.
- A compromised email account, such as Hermes, is used to send spam. In this situation the user's password is changed immediately to stop the spam emails.
- Following a security incident, if a user does not respond to a UIS request to change their password within a sensible time frame (typically 2 working days), the UIS may change the password for them.
- A user cannot be easily contacted for an indefinite period, e.g. prolonged sick leave. A consultation with the user's institution is normally undertaken before this is done.
- The UIS becomes aware of a high-risk compromise. In these incidents the UIS may need to take immediate action and reset a user's password.
In each case, the UIS will attempt to contact the individual by emailing the local IT staff of the institution with which they are affiliated, or by telephone.
eduroam and VPN network authentication token
eduroam and VPN authentication rely on a different password, referred to as the network authentication token. This works a little differently to the UIS password: CamCERT, and other UIS staff, are able to disable authentication to eduroam/VPN without actually changing the user's token.
So in some incidents CamCERT will disable a token for the user as a precaution while an incident is resolved, and enable it again when the incident is over, without having changed it. The user is then able to change their own network token if required.
What to do if your password was changed
If the password is changed by the UIS, the user must use the following process to get a new one.
Unfortunately CamCERT cannot provide the user with a new password, as they do not have the necessary authority to do this.