Populi is designed to be a highly secure system, but system-level security can only go so far. Every user has the responsibility to keep their own account secure. Keep these things in mind:
Use login approvals if possible
Login approval is a security measure that helps protect your Populi user account by requiring an extra login "factor"—in this case, a passcode generated by an authenticator app on your smartphone. Since you typically have your phone with you almost all the time, entering the passcode serves as "physical" evidence that the person logging in is, in fact, you. A remote attacker likely does not have access to your phone and therefore cannot log in, even if they have your username and password.
This article describes how to set up login approvals for your user account.
If you're an account administrator, read about how to allow or require your users to use login approvals.
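The passcode described above is usually a time-based one-time password (TOTP, RFC 6238): the app and the server share a secret, and both derive a short code from that secret and the current 30-second time step, so a code captured once is useless a minute later. The following is an added illustration of how a server checks such a code; it is not Populi's code and says nothing about how Populi implements login approvals. It uses the published RFC 4226/6238 test secret, a 30-second step and 6 digits, all stated here as assumptions, and it shows two checks a verifier needs: a small tolerance window for clock drift, and a "last accepted counter" so the same code cannot be replayed.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). A real
# account secret is a random value generated at enrolment and shared with
# the authenticator app, never a fixed constant like this one.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # assumed time step; the common default
DIGITS = 6          # assumed code length; the common default


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, then the last `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, last_counter: int = -1,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS):
    """Return (accepted, new_last_counter).

    Accepts the code for the current time step and up to `window` steps on
    either side (phone and server clocks drift), compares in constant time,
    and refuses any counter at or below the last accepted one so that a code
    an attacker has already seen used cannot be submitted again.
    """
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_counter:
            continue  # already consumed (or older than a consumed code)
        expected = hotp(secret, candidate, digits).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    # Constructed walk-through: a code minted at t=59 is accepted once within
    # the drift window, then rejected on replay and after the window closes.
    code = totp(SECRET, 59)
    print("code at t=59:", code)                          # 287082 (RFC test vector)
    ok, last = verify_totp(SECRET, code, 59)
    print("first use:", ok, "last counter:", last)
    print("replay:", verify_totp(SECRET, code, 59, last_counter=last))
    print("two steps later:", verify_totp(SECRET, code, 120, last_counter=last))
```

The replay guard is the part that is easy to forget: without it, anyone who watches a code being typed has the rest of the 30-second step (plus the drift window) to reuse it.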
Protect your password!
Populi has a highly secure password policy that requires all users to have strong passwords not easily guessed by automated tools (it also disables accounts that are under attack from such tools). However, this does not provide full protection by itself. It's up to every user to follow these best practices:
Keep it secret
Never give your password to anyone, for any reason. No one from Populi will ever ask for your password! Anyone who does ask for it is trying to hijack your account. If anyone claiming to be a Populi employee asks for your password, hang up, delete the email, tell 'em to go fly a kite—and then report the incident to Populi support. Include stuff like the phone number from your caller ID (if available) or the person's reply-to email address.
Don't write it down!
Don't write down your password. But if you really must, PLEASE don't keep it in an insecure place, like an unlocked desk drawer or a post-it stuck to your screen or written on a piece of paper with pen, pencil, marker, paintbrush, or other writing instrument. Oh, one more thing on this: Don't write down your password. Did we mention that already?
Long, memorable, "unguessable" passwords are best
Long passwords are better. And memorable passwords are great—it's much easier to not write down a memorable password! No password is perfect, but we like to use sentences or several random words put together. "My koala baby champion turns 13" is long and memorable. Now that I've written it down, you shouldn't use it... but you get the idea.
Also, avoid using "guessable" passwords. Your last name followed by your date of birth is very guessable! And while you're at it, don't use the same password you use for any other sites.
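Why do "several random words put together" beat a surname plus a birth date? The strength of a random passphrase comes from the size of the word list raised to the number of words, which is easy to quantify. The script below is an added illustration, not a Populi tool: it draws words with the `secrets` module (not `random`, which is not suitable for secrets), and estimates strength in bits. The 16-word list inside it is constructed for the demo; a real Diceware-style list has 7776 words, and the 10 billion guesses per second used for the time estimate is an assumed attacker rate, not a measured one.

```python
import math
import secrets

# Constructed demo word list. Real passphrase lists (e.g. Diceware) have
# thousands of entries; with only 16 words this list is NOT strong enough to use.
DEMO_WORDLIST = [
    "koala", "baby", "champion", "river", "lantern", "velvet", "cactus", "orbit",
    "meadow", "copper", "saddle", "thunder", "pebble", "violin", "harbor", "maple",
]
DICEWARE_SIZE = 7776                 # size of the classic Diceware list
ASSUMED_GUESSES_PER_SECOND = 1e10    # assumed offline cracking rate for the estimate


def generate_passphrase(words: int = 5, wordlist=DEMO_WORDLIST, sep: str = " ") -> str:
    """Pick `words` entries uniformly at random using a CSPRNG-backed choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` independent uniform draws from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def pattern_entropy_bits(candidates: int) -> float:
    """Entropy of a 'guessable' pattern once the attacker knows the structure,
    e.g. surname (known) + a date of birth drawn from ~36,500 plausible days."""
    return math.log2(candidates)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every possibility at the assumed rate (expected time is half this)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    phrase = generate_passphrase()
    print("demo passphrase:", phrase)
    print("5 words from a 16-word list: %.1f bits" % passphrase_entropy_bits(5, len(DEMO_WORDLIST)))
    print("5 words from Diceware (7776): %.1f bits, ~%.0f years to exhaust"
          % (passphrase_entropy_bits(5, DICEWARE_SIZE),
             years_to_exhaust(passphrase_entropy_bits(5, DICEWARE_SIZE))))
    print("surname + date of birth: %.1f bits, ~%.6f years to exhaust"
          % (pattern_entropy_bits(36500), years_to_exhaust(pattern_entropy_bits(36500))))
```

The comparison is the point: a five-word Diceware phrase sits around 65 bits, while "last name plus birthday" is about 15 bits once the attacker guesses the pattern, which at the assumed rate falls in well under a second.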
Keep it in a keychain
There are many worthwhile "keychain" or "password safe" programs that store your different logins/passwords in a secure, encrypted vault on your computer. These programs are a great way to keep multiple complex passwords on hand for the different password-protected programs you might use during the day. Mac users running a newer version of OS X can use the built-in Keychain program. There are also several reputable apps and services like 1Password that can help you out.
Protecting your sessions
You begin an authenticated session whenever you log in to Populi. This session doesn't end until you log out manually or the system logs you out after a period of inactivity. Follow these guidelines to make sure no one else can take advantage of your sessions to gain access to your account.
- Log out every time: Always log out of Populi before you leave your computer unattended, even if only for a few minutes.
- Be cautious with public computers: If you're careful, you can safely use Populi from a public computer. However, we do not recommend you do this regularly, and you should always use extra caution. And by no means should you ever list a public computer as a trusted device.
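The "logs you out after a period of inactivity" behaviour above is the server side of the same problem: a session that was never closed must still stop working on its own. The snippet below is an added illustration of the two timers a session store typically enforces, an idle timeout reset on each request and an absolute lifetime that is not, plus explicit invalidation on logout. It is not Populi's code, and the 15-minute idle and 12-hour absolute limits are assumed values chosen for the demo, not Populi's settings.

```python
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60        # assumed: logged out after 15 min without a request
ABSOLUTE_TIMEOUT_SECONDS = 12 * 3600  # assumed: re-login required after 12 h regardless


@dataclass
class Session:
    user: str
    created_at: float   # when the user logged in
    last_seen: float    # last authenticated request
    logged_out: bool = False


def session_is_valid(s: Session, now: float,
                     idle: float = IDLE_TIMEOUT_SECONDS,
                     absolute: float = ABSOLUTE_TIMEOUT_SECONDS) -> bool:
    """A session is usable only if it was not closed, has not outlived its
    absolute lifetime, and has seen activity within the idle window."""
    if s.logged_out:
        return False
    if now - s.created_at > absolute:
        return False
    if now - s.last_seen > idle:
        return False
    return True


def touch(s: Session, now: float) -> bool:
    """Called on every authenticated request. Expired sessions are rejected
    first; only a still-valid session gets its idle timer extended."""
    if not session_is_valid(s, now):
        return False
    s.last_seen = now
    return True


def logout(s: Session) -> None:
    """Explicit logout: the session must be dead immediately, not at timeout."""
    s.logged_out = True


if __name__ == "__main__":
    # Constructed timeline, in seconds since login.
    s = Session(user="demo-user", created_at=0.0, last_seen=0.0)
    print("request at 10 min:", touch(s, 600))        # True, idle timer reset
    print("request at 24 min:", touch(s, 1440))       # True, 14 min since last request
    print("request at 40 min:", touch(s, 2400))       # False, 16 min idle
    s2 = Session(user="demo-user", created_at=0.0, last_seen=0.0)
    logout(s2)
    print("after logout:", session_is_valid(s2, 1))   # False
```

Note that `touch` checks before it extends: an implementation that refreshed `last_seen` first would never expire anything.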
Don't forget physical device security
Make all your desktop computers and laptops require a password to log on. Set them to go into "sleep" mode after a few minutes of inactivity. Likewise for any phones or tablets you're using. Populi keeps track of all the devices that have been used to log in to your account; you can review them under Recognized devices in your personal settings.
Reduce virus risk
If your computer gets infected with a virus, all your information can be compromised, including your Populi account. So use an updated anti-virus program and avoid downloading and running software from untrusted web sites or emails. Always install the latest updates for Windows or Mac OS, since these updates often patch serious security holes.
Protect data exported from Populi
Populi allows export of nearly all personal data in the system. These files need to be protected just as much as your Populi account. Avoid keeping such files on your computer longer than they are needed. Consider using file or disk encryption tools to provide additional protection, especially on laptops, which are stolen more often than desktops.
Beware of "social engineering" and "phishing"
Social engineering refers to a variety of methods where attackers attempt to learn your password or change it by using some false pretense. For example, they may send out an email urging you to log in to your account to fix an emergency—but the link in the email leads to a fraudulent website. Or they may attempt to gain access by having an admin send a password reset email to a fake address. To avoid getting caught in this scam, remember...
- Keep your personal email addresses secure and safe! Since password resets and other sensitive login information often use your personal email (not just Populi, but likely also your online banking, etc.), you want to make sure your email address(es) are completely secure (good passwords, two-factor authentication where available, etc.).
- Never click a link in a password-reset email unless you yourself requested the reset—either by using one of the built-in password reset functions or by requesting help from college staff.
- If you're unsure whether a message like this is genuine, log in to Populi directly instead of clicking on untrusted links.
- No one from Populi or your school will EVER ask for your password via phone or text. Report such communications to us immediately.
- For more anti-phishing tips, see How to Avoid Phishing Scams at www.antiphishing.org.
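The fraudulent-website trick above works because a link's visible text and its real destination can differ, and because look-alike hosts ("populi-school.example", or the real name buried inside a longer one) read as genuine at a glance. The check below is an added illustration of what "log in to Populi directly instead of clicking on untrusted links" amounts to when written as code; it is not a Populi feature. It parses the link, requires HTTPS, and accepts only the exact expected host or a subdomain of it. The host `populi.school.example` is a placeholder standing in for your school's real Populi address, and every sample link is constructed for the demo.

```python
from urllib.parse import urlsplit

# Placeholder for your school's real Populi address (assumed value for the demo).
TRUSTED_HOST = "populi.school.example"


def link_host(url: str) -> str:
    """Extract the lowercase hostname a browser would actually connect to.
    urlsplit() discards any 'user@' prefix, so 'https://trusted@evil' yields 'evil'."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower().rstrip(".")


def link_is_trusted(url: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """True only for an HTTPS link whose host is the trusted host itself or a
    subdomain of it. Prefix, suffix and 'host inside the path' variants fail."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = link_host(url)
    if not host:
        return False
    return host == trusted_host or host.endswith("." + trusted_host)


# Constructed sample links, as they might appear in a suspicious email.
SAMPLE_LINKS = [
    "https://populi.school.example/login",                       # genuine
    "https://POPULI.School.Example:443/account/reset",           # genuine, odd casing/port
    "http://populi.school.example/login",                        # not HTTPS
    "https://populi.school.example.evil.example/login",          # real name as a prefix
    "https://populi-school.example/login",                       # look-alike spelling
    "https://evil.example/populi.school.example/login",          # real name in the path
    "https://populi.school.example@evil.example/login",          # real name as userinfo
]


def classify(links=SAMPLE_LINKS, trusted_host: str = TRUSTED_HOST) -> dict:
    """Map each link to whether it points at the trusted host."""
    return {url: link_is_trusted(url, trusted_host) for url in links}


if __name__ == "__main__":
    for url, ok in classify().items():
        print("trusted" if ok else "REJECT ", "->", link_host(url).ljust(40), url)
```

Only the first two links pass; the rest are exactly the shapes a phishing message relies on. Even when a link passes this check, the safer habit is still the one the article recommends: type the address or use your own bookmark.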