I switched to HarvardKey recently. Isn’t this more secure?
HarvardKey is more secure than our previous identification systems. It requires stronger passwords, improves our ability to detect account compromise, and provides two-step verification. Harvard will always be a target of attackers, but the new security features built into HarvardKey will help limit the impact of security incidents.
What types of data have been exposed?
At this time our investigation indicates that encrypted versions of some passwords, the hashed values, may have been exposed. We have no indication that Harvard systems managing research data or sensitive personal data (e.g. social security numbers) have been targeted or exposed.
How do I know if my HarvardKey password is at risk?
On June 6, 2016, Harvard University sent an email to members of the community who may have been affected by this intrusion—specifically, FAS Active Directory account holders. Members of the Harvard community who do not have FAS Active Directory accounts—and who therefore did not receive this email directly—were not affected by this intrusion.
Should I change my password, even if I use HarvardKey?
Yes, you should change your HarvardKey password. Instructions on how to do so are here. The encrypted password value (hash) gives the attacker the ability to guess at your password an unlimited number of times. Shorter and simpler passwords are at the greatest risk of being discovered, while longer complex passwords are more resistant. If guessed, the password can be used to access HarvardKey protected resources, though we have no indication that this has happened or was the goal of the intrusion. Changing your password eliminates the risk of a possible match to the encrypted version of your password.
Should I change other passwords besides my HarvardKey because of this intrusion?
No. Harvard Information Security has no indication that other passwords used on Harvard systems were exposed as a result of this intrusion. As a common practice, you should use unique passwords across different services so an exposure in one place does not put other logins at risk. A password manager like LastPass can help keep all your unique passwords organized. Get a free premium LastPass account at security.harvard.edu/lastpass.
What is two-step verification?
Two-step verification is a security feature that uses your phone to help protect your information, even if your password was exposed. With HarvardKey, this second step could be clicking an accept/deny message sent to a smartphone or entering a code generated on a mobile app. Since cybercriminals don't have physical access to your phone, they can't break into your account. You can set up two-step verification on HarvardKey here.
If I have two-step verification on my email, do I need to activate the HarvardKey two-step verification (Duo application)?
Yes, you need to separately set up two-step verification for HarvardKey, as it uses a different application than two-step verification on Gmail or Outlook. The Duo application we use for our two-step verification can now remember your confirmed login from a particular computer for 15 days. Just click the "remember me" box before logging in.
If I use LastPass, do I need to use two-step verification on my HarvardKey?
LastPass is a powerful password manager offered through Harvard that securely stores all your login credentials. However, even with LastPass or another password manager, your encrypted passwords will always be a target for cybercriminals. Two-step verification adds even greater security to account logins and should be used where it is offered. The Duo application we use for two-step verification with HarvardKey also works with LastPass, as will other two-step verification services. To use Duo two-step verification with LastPass, follow the prompts within LastPass to use Google Authenticator and simply substitute the Duo mobile application in place of Google. The Duo set-up process with LastPass is the same experience as with HarvardKey.