Opinion » Guest Commentary
“Ithaca.” “IthacaCollege.” “Bombers.” “Password.” Your e-mail address. Your first or last name.
Now let’s jump to an Internet Café in Nigeria. A person sits down at a computer and connects to the Internet via a provider in Israel (to help cover their tracks). From there, they cross the Atlantic to our shores and access our Webmail server. Using a list of Ithaca College usernames they have obtained from various Web sites like Facebook or MySpace, they try to log into each account by using one of the simple passwords listed above.
After trying a few account and password combinations, they find one and go to work. First, they set the e-mail account to automatically forward any message sent to it to their own e-mail drop box. They change the e-mail signature to include their scam message. Then they change the reply-to address.
They begin using the account to send out illicit messages. Ten to twenty thousand of them, each containing a bogus job offer, asking for assistance with moving some money out of their country or announcing a bequest from an unknown benefactor. All of this is originating from the compromised e-mail account.
In addition, they may look through the inbox or other mail folders. And any messages sent to the account are now being forwarded directly to them. They may find account names and passwords for other accounts, or orders that were placed with Amazon.com or other Web sites.
Fiction? Something out of the latest Tom Clancy novel? Nope. Unfortunately, scenarios such as this have happened to more than a dozen people at Ithaca College during the past six months. While there are other ways people can learn someone’s password, in most cases, the accounts had simple passwords.
Having a strong password would have prevented many of these compromises. To that end, within the next couple of months ITS will be implementing new, stronger password requirements for all e-mail accounts (and any service that uses your e-mail address and password as its login, such as WebCT, ICAirnet, EZ Proxy, Calendar and ACE/Argus). These requirements will be similar to those already put in place for Parnassus last year.
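To make the point concrete, here is an added example (not part of the original column, and not ITS's actual requirements) of a check a password-change form could run to reject the kinds of passwords listed at the top of this piece, including variants with swapped characters or a year tacked on. The function names, the substitution table and the sample account details are assumptions made for illustration.

```python
import re

# Words from the column's opening list. A real deny list would be larger.
SITE_WORDS = {"ithaca", "ithacacollege", "bombers", "password"}

# Character substitutions undone before comparing (assumed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _forms(text):
    """Return comparison forms of text: the whole string and the string
    without trailing digits/symbols, each lower-cased, with substitutions
    undone and everything except letters dropped."""
    stem = re.sub(r"[\d\W_]+$", "", text)   # "Bombers2008!" -> "Bombers"
    forms = set()
    for candidate in (text, stem):
        core = re.sub(r"[^a-z]", "", candidate.lower().translate(LEET))
        if core:
            forms.add(core)
    return forms


def guessable_reason(password, email, first_name, last_name):
    """Return why a password is trivially guessable, or None if it is not.

    Hypothetical helper: it screens only for the categories the column
    names (school words, "password", e-mail address, own name). Length
    and character-mix rules are out of scope here.
    """
    pw = _forms(password)
    if pw & SITE_WORDS:
        return "institution or default word"
    local_part = email.split("@", 1)[0]
    personal = {
        "e-mail address": [email, local_part],
        "own name": [first_name, last_name,
                     first_name + last_name, last_name + first_name],
    }
    for reason, values in personal.items():
        for value in values:
            if pw & _forms(value):
                return reason
    return None
```

Running the check when the password is set, rather than after a compromise, closes off exactly the short guess list the scenario above depends on.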
Even though everyone will need to change their password when the new requirements roll out, if your e-mail password is easy to guess, change it now (using the “Change Password” option). Recently, two more IC accounts with weak passwords were compromised. We do not want yours to be next.
Suggestions for a strong password can be found at http://www.ithaca.edu/computing/quickguides/pdfs/pwds_strongerPasswords.pdf.
Behind the scenes, ITS continues to increase the security of our systems and services. But without a secure password, the front door is left open for anyone with the desire and a little time on their hands to gain entry to your account.
The threats are real. And the compromises happen to people on our campus. A simple step of choosing a secure password will go a long way.
David Weil is the Director of Web, Systems and Departmental Services in Information Technology Services. E-mail him at dweil@ithaca.edu.


