Send Passwords and Restricted Data Securely

What does this mean?

Passwords and restricted data must be encrypted when they are sent electronically to reduce the risk of being intercepted and stolen.

NOTE: This specifically refers to internet-based services that require a password. You should never EVER send your password through Instant Messaging, Voice-mail, Email or any other type of physical or electronic media. If you need to share a resource with another individual or group, please contact InCHIP IT!

What Should You Do?

For Passwords:

  • Make sure your email client (Thunderbird, Apple Mail, Outlook, etc.) is configured for secure authentication (sign-in) and secure sending and receiving of email. This will encrypt your password when you log in.
  • See B, Web pages, below, for information about protecting your password on the Internet.

For Restricted Data:

Restricted data must be encrypted when it is sent electronically — either the transmission must be encrypted or the data itself must be encrypted. Follow the recommendations “For Confidential Data and Encrypted Restricted Data,” below, whenever possible when sending encrypted restricted data.

Standard, unencrypted email, instant messaging (IM), FTP, unencrypted web pages and other unencrypted methods of transmitting information are not appropriate for use with restricted data. Where encryption is not available, always de-sensitize restricted data before sending it.

Note: Sending restricted data in encrypted, password-protected attachments is acceptable as long as the password is communicated separately and securely. Consider making use of the University FileLocker system. The FileLocker application is a temporary storage system for securely sharing and managing files and is available to all UConn faculty, staff and students.

For Confidential Data and Encrypted Restricted Data:

Always consider the following before hitting the “send” button:

  1. Do you have the ability to digitally sign and encrypt the email?
    If the answer is no, then you cannot send the data via this medium. Please contact InCHIP IT for a free digital certificate. Alternatively, you can use UConn’s FileLocker system to share the file securely.
  2. Can you reduce the level of sensitivity?
    The easiest way to protect confidential data is not to send it in the first place. Is it possible to de-sensitize the information before you send it?
  3. Should you be emailing it at all?
    Can you use the telephone or send a paper copy instead?
  4. Can you minimize the amount of confidential data you are sending?
    • Always read the entire email message before adding to it, replying, or forwarding. Delete confidential data that does not need to be included.
    • Start a fresh email when you’re starting a new subject. Don’t just add it on to another email — especially one that contains confidential data. Include as little confidential data as possible in the new email.
    • Limit distribution of any email containing confidential data to the smallest audience possible, and remember to include a conspicuous label that it is confidential (see below).
  5. Who are you sending it to?
    • Don’t distribute or forward confidential data widely or casually.
    • Don’t forward confidential data without appropriate authorization.
    • If you absolutely have to send confidential data electronically, only send it to people who absolutely need to receive it for University business purposes.
    • With email, check the entire “to” and “cc” fields before you hit “send” to make sure you know everyone you’re emailing. Remove extra addresses. Also, don’t use mailing lists if you’re sending confidential data.
  6. Is it labeled correctly?
    Email and files containing confidential data should clearly say so. Examples of language to include in files or email:

    • “Confidential data: Do not redistribute or forward”
    • “Confidential – Not For Public Disclosure”
    • “The information in this e-mail is confidential and intended solely for the use of the individual(s) to whom it was addressed. It may only be distributed to those with a University business need to know.”
    • If you’re sending an email, start the subject line with the word “CONFIDENTIAL”.

Additional Instructions For:

A. Email
Email and instant messaging (IM) are vulnerable to being intercepted. If you need to send or receive email, attachments, files, or IM containing restricted data, contact InCHIP IT to set up a way to do this securely.

B. Web pages

  • Use known, trusted websites when you are logging in or providing information online. Don’t log in or provide sensitive information to a web page you reached by clicking on a link — in email, IM, text messages, advertisements, social networks, search results, etc.
  • Make sure that web pages have https (not http) in the web address (URL) before you enter a password or any sensitive or personal information. The https means the information you enter is being encrypted during transmission, including your password. Check for this before you enter sensitive or personal information, including your password, online. If the page is not https, don’t log in and don’t enter the information.

C. Sending files
If you transfer files containing restricted data, contact InCHIP IT to set up a way to transfer them securely. Don’t use FTP or Telnet to transfer files; use FileLocker, SFTP or SSH instead.

D. Using non-UConn computers or networks
When you use a non-UConn computer or mobile device, or you’re working from an off-campus location, you need to be extra cautious about protecting your passwords and restricted data. It is important to ensure that necessary security is not overlooked. This may mean taking extra precautions or not doing certain tasks on shared or public machines, including home computers, if you’re not able to ensure proper security. Never send or access restricted data from an unknown computer — or from a home computer or mobile device if you’re not certain it is set up securely. Use the University VPN for network encryption from off campus.

Special notes about wireless:

  • Information sent via standard wireless is especially easy to intercept. Don’t connect to unknown wireless hot spots/access points if you’re concerned about security or privacy (or your passwords).
  • Only use known, encrypted networks when working with sensitive information. UConn’s UCONN-SECURE and eduroam secure wireless networks are encrypted and are available to all UConn students, researchers, faculty, and staff when working from campus and other eduroam locations. Most coffee shop/hotel/airport-type wireless is not encrypted. If you’re not sure about a wireless network, assume it’s not encrypted.
  • When connecting to the Internet from off campus, use the University VPN to encrypt your Internet traffic and provide a secure (encrypted) connection to the UConn network. The Campus VPN is available to all campus members with a NetID.
  • Set devices to “ask” before joining networks so you don’t unknowingly connect to insecure wireless networks.
  • You may not send/transmit credit card data via wireless unless your department has received formal approval from the Campus Controller, and you are using an approved, secure method of transmission.

E. Compromised computers
If a computer appears to be infected or compromised, don’t use it to send or access restricted data. Disconnect the computer from the network, turn off wireless, and contact InCHIP IT for instructions.

F. IT Service Providers
If you are an IT service provider running an application that handles restricted data, make sure it is configured to require secure transmission of passwords and data.