What’s Shibboleth?

You may have noticed a new screen that comes up when you log out of certain HampNet services. What’s it all about?

Hampshire has been working with the other four area colleges to allow students from any of the campuses to log in to each other’s services in a transparent way. By using Shibboleth, a UMass student, for instance, can log into UMass network services, and then visit a Hampshire Moodle page, all with just that initial log in; behind the scenes, UMass is handing off information that allows Hampshire to log the student in. This simplifies the process for students, and helps to make our services more secure.

Once we started working with Shibboleth we realized that it has potential benefits for our in-house services, such as the Intranet and Hampedia, so we started using it there. That’s why you see the Shibboleth logout screen when you use one of these services.

Anatomy of an IT Message

IT occasionally sends out important messages to the campus. How can you tell if it’s really a message from us, and not a scam? Here are some concrete examples of differences between our important messages and a phishing message.

  1. Our important messages appear both on the Intranet and in your email. When we want everyone on campus to know about something, we use the Intranet announcement system. If it’s critical, it appears in your email as well as the Intranet; if it’s not critical, it appears only on the Intranet. Important IT messages are never sent to the entire campus without being posted on the Intranet. Note that sometimes we do smaller, targeted emails without posting to the Intranet, but in that case you can use some of these other tips.
  2. The instructions tell you what to do (for example, “type ‘password.hampshire.edu’ into your web browser”), instead of providing you a link to do it.
    A link can look like it’s going one place, but actually take you to somewhere completely different. It’s always safest to type in the address you want to go to, especially if you’re dealing with a security matter.
  3. The message is sent from HCAnnouncements@hampshire.edu. Sometimes we do send messages to a group of people using other mechanisms, but in that case you should be able to recognize the address as that of someone in IT at Hampshire. Note that this is not in and of itself a guarantee, since even our accounts can be compromised, but it’s a good piece of evidence.
  4. The message is signed with a specific name that you know from Hampshire IT. In most incidents of user ID/password theft, the name of the person would not be stolen. If you aren’t familiar with the name, you can use your browser and type in “directory.hampshire.edu” to look the person up.

These clues, combined with your good judgment, should provide adequate protection for you. If you’re in doubt, contact the IT help desk.

Mind Your P’s and Q’s…and p’s and q’s

It’s important to use the correct lower case/upper case combination when logging into Hampshire services.

If you have trouble logging into a Hampshire online service, double-check that you’re entering your user name with the correct case combination: initials are in lowercase, department code in uppercase.

There are some services that will still allow you to log in even if you use the wrong case combination, but it’s still not a good idea. We’ve seen instances where it appears the user has successfully logged in using the wrong case, but then some services don’t work correctly. That’s because your login ID may get passed along to another service that does require the correct case.

Get in the habit of typing it correctly every time and you shouldn’t experience any problems.

Secure Password Tips

Before You Change Your Password
Hampshire passwords have to be changed every 365 days. If you are required to change your password, you will receive email messages telling you when it must be changed.

If you want to change your password more frequently, go right ahead. There’s no reason not to change it; just go to password.hampshire.edu.

If you change your password, you will also have to change it on any phones or devices that access Hampshire email or calendar services.

If you don’t have your cell phone or access to email, opt out of the alternate contact method. If you choose an alternate contact method a code will be sent to the device or account, and you will have to enter the code to continue. If your cell phone isn’t with you or you can’t access your alternate email right away, you can backtrack and choose to opt out.

If you are choosing security questions, be aware there are multiple options for each question. Just click on the questions to reveal the other choices.

Password requirements are more strict than in the past. You will need to use at least 8 characters, one non-alphabetic character, one capital letter, and not use words found in the dictionary. Ideas for creating good passwords can be found below.

Pick something you can remember without writing it down. Kind of defeats the purpose if you put it on a sticky note on your computer.

Don’t have Firefox or Thunderbird remember your passwords unless you first set a master password. See below for details.
Choosing a Great Password
Read the Hampshire IT password policy
Poor, weak passwords have the following characteristics:
The password contains fewer than eight characters
The password is a word found in a dictionary (English or foreign)
The password is a common usage word such as names of family, pets, friends, co-workers, fantasy characters, etc.
Computer terms and names, commands, sites, companies, hardware, software.
The words “Hampshire College” or “Hamp” or any such derivation.
Birthdays and other personal information, such as addresses and phone numbers.
Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
Any of the above spelled backwards.
Any of the above, preceded or followed by a digit (e.g., secret1, 1secret)
Strong passwords have the following characteristics:
Contain both upper and lower case characters (e.g., a-z, A-Z)
Have digits and punctuation characters as well as letters (e.g., 0-9, !*_+)
Are at least eight alphanumeric characters long.
Are not a word in any language, slang, dialect, jargon, etc.
Are not based on personal information, names of family, etc.
So, how can you come up with a strong password? On the one hand, it should be something that can be easily remembered, so that you’re not tempted to write it down or store it online. At the same time it should have those pesky characteristics of a strong password, which can seem somewhat daunting at first glance. It might seem like those are mutually exclusive characteristics, but they don’t have to be.

One way to do this is create a password based on a song title, line from a movie, affirmation, or other phrase. For example, the phrase might be: “This May Be One Way To Remember” and the password could be: “TmB1w2R!” or “Tmb1W>r~” or some other variation. Whatever you do, if you start with something personal and unique, and then make it unidentifiable with your own coding, you’ll end up with a great password.

Oh, and please don’t use any of our examples!
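
The rules above (at least 8 characters, one capital letter, one non-alphabetic character, no dictionary words, patterns, or “Hamp” derivations, including reversed or digit-padded forms) can be expressed as a checker. This Python sketch is an added example, not Hampshire IT’s actual password filter; the function name and the tiny word list are assumptions standing in for a real dictionary file, and it does not attempt the personal-information rules.

```python
import re

# Constructed stand-in for a real dictionary file (assumption for this example).
WORDLIST = {"secret", "password", "welcome", "dragon", "monkey"}
# Pattern examples quoted in the list of weak-password characteristics.
PATTERNS = {"aaabbb", "qwerty", "zyxwvuts", "123321"}


def policy_violations(password):
    """Return the list of rules a candidate password breaks (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if all(c.isalpha() for c in password):
        problems.append("no non-alphabetic character")

    lowered = password.lower()
    # "Hampshire College", "Hamp" and derivations all contain "hamp".
    if "hamp" in lowered:
        problems.append("contains a Hampshire derivation")

    # Strip leading/trailing digits so "secret1" and "1secret" reduce to "secret",
    # then also test each form spelled backwards.
    core = re.sub(r"^\d+|\d+$", "", lowered)
    candidates = {lowered, core, lowered[::-1], core[::-1]}
    if candidates & WORDLIST:
        problems.append("dictionary word, possibly reversed or digit-padded")
    if candidates & PATTERNS:
        problems.append("word or number pattern")
    return problems


if __name__ == "__main__":
    # Constructed candidates, including the weak examples named in the list above.
    for candidate in ("secret1", "1secret", "Password1", "Terces12", "qwerty"):
        print(candidate, "->", policy_violations(candidate))
```

Note that “Password1” satisfies the length, capital, and non-alphabetic rules and is rejected only by the dictionary check, which is why that rule matters.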
Password Security: Keep Your Password Private
Do Not Save Passwords in Browsers or Email Applications
If you’re a Thunderbird or Firefox user and have ever allowed them to save your password, you might want to think again. Try this…
In Thunderbird go to the Thunderbird–>Preferences… (Mac) or Tools–>Options… (Windows) menu.
Click on the “Security” icon.
Click on “Passwords.”
Click on “Show Passwords.”
Click “Yes” to confirm.
If what you see is a list of passwords, please click “Remove All.” It will mean that you have to enter your password for sending and receiving mail once per each Thunderbird session, but it’s worth it. Just think: Not only can anyone who sits down at your computer log into your email, they can see, in plain text, what your password is. Enough said?

Now that you’ve removed your saved passwords from Thunderbird, do the same thing with Firefox. Please.
How to Use a Master Password in Firefox or Thunderbird
Recently we told you why we don’t like users to save their passwords in Thunderbird or Firefox. If you still want to save your passwords, set up a master password to protect yourself.

Thunderbird and Firefox are always offering to save passwords you enter. It makes life easier not to have to enter them all the time, but one problem is that anyone who opens your Thunderbird or Firefox can request to view your saved passwords. A master password safeguards against that: In order to view saved passwords you have to know the master password.

Creating a Master Password
In Thunderbird, select Thunderbird–>Preferences (Mac) or Tools–>Options (PC). In Firefox, select Firefox–>Preferences (Mac) or Tools–>Options (PC).
Click on the Security padlock icon.
Check “Use a master password.”
Enter a new master password, something you will remember but that is sufficiently secure to deter snoopers. You will have to type it twice, the second time for verification.
Click on “OK” and then close up the Preferences/Options, and you’re all set.
You will be asked for the master password any time you request to view saved passwords.

If you Forget the Master Password

There is a way to remove the master password if you forget what it is. The catch is that, for security reasons, doing this will also force Thunderbird or Firefox to forget all saved passwords.
Type “chrome://pippki/content/resetpassword.xul” into the address (left side) bar.
Press the Enter or Return key.
Click “Reset.”
Confirm that you want to reset it and you’re all set.
Choose Tools –> Error Console
Paste the expression:
Click “Evaluate.”
Confirm the reset.
Click “OK.”
Close the window.

Moving iTunes to an External Drive

If you keep a large iTunes library on your Hampshire computer, we’d really appreciate it if you’d move it to an external disk. We’ve got step by step instructions to help–you just have to provide the external drive.

Why this Matters to Us
When we provide you with a new Hampshire computer we have to copy your files from the old computer to the new one. A typical user will have a couple of gigabytes (GB) of data to copy, not counting iTunes; this takes us a matter of minutes to copy. We’ve seen iTunes libraries that run to 50 or 60 GB, which can take hours to copy.

Of course, if the iTunes library is part of some official Hampshire project, we’re more than happy to copy it, regardless of the size.

How Big a Drive?
If you’re buying a drive to hold your music, you’ll want to make sure it’s large enough to hold future purchases as well as your current music. You can get a 500GB external drive for less than $100, which is more than sufficient for any libraries we’ve seen.

If you’ve got an external drive that you use for backups that has room on it, you can use that drive. If you have to buy a new disk just to hold your personal iTunes library, that is, of course, a personal purchase.

We do not advise using a thumb drive for storing your iTunes library–unless of course you don’t really care about what you might lose.

How to Move the Library
You can find instructions for moving a Mac iTunes library at http://support.apple.com/kb/ht1449 and for Windows at http://support.apple.com/kb/ht1364.

Email Setup and Settings

If you change your email password…
We’ve asked all who use Hampshire email to change their passwords regularly. It’s really easy to change your HampNet password (just go to https://password.hampshire.edu), but once you’ve done that you have to tell all the devices you use that you’ve changed it.

What does this mean?
If you have a smartphone or iPod Touch (or an iPad, for that matter), then you need to update the email password on that device.
If you use an email client, such as Thunderbird or AppleMail, you will have to update the password for that on each computer.
There are actually two passwords stored for each email account: one for incoming mail and one for outgoing mail. The incoming one is usually referred to as just that, the “incoming password;” the outgoing password is referred to as your “smtp password.” Both have to be changed to reflect your new password on HampNet.
WebMail is tied into the HampNet password system, and once you change your password no further action is needed.
If you synchronize your device’s calendar with Zimbra you will need to update that password on your phone.
Zimbra desktop (if you use it) will have to be told your new password.
On an iPhone, iPod Touch, and iPad
From the main screen select “Settings.”
Select “Mail, Contacts, Calendar”
Select your Hampshire account.
Scroll down to “Password” and update it to your new HampNet password.
Select SMTP.
Select smtp.hampshire.edu.
Update your password to your new HampNet password.
If you synchronize your calendar with Zimbra, keep on going; if not, you’re all done!
Use the back arrow until you return to the Accounts page of the Mail, Contacts, Calendar settings.
Select your Connect account.
Select “Account Info”
Change the password.
There are several models of Droid phones out there, but there are two places where you may find the password:
In the main screen’s “Setting” program, you may find an “Email” section that has account information.
In the Email application, bring up the “Settings” menu, and see if account information is stored there.
If you synchronize your Zimbra calendar with your Droid you should also change that password. In that case, check for Settings in the Calendar application, and if you don’t find the password stored there, check the Settings on the main screen.
Thunderbird will let you know if the password isn’t accepted, and you’ll have an opportunity to enter it.
If this isn’t helping
There are lots of different possibilities for entering your password on various devices. If you need more help specifically with getting email or Zimbra working again on your handheld device, contact helpdesk@hampshire.edu.