Thursday, January 8, 2026

January is a natural reset. New calendars, new classes, new research projects, and a chance to refresh habits that protect everything we do at the university. This month’s security focus is simple but powerful: strong passwords, multi-factor authentication (MFA), and good credential hygiene. 

Stolen credentials remain one of the most common ways attackers gain access to university systems nationwide. Bad actors don’t usually “hack” their way in. They log in using reused, guessed, or stolen passwords captured through convincing phishing messages and previous data breaches. The good news: a few practical steps dramatically reduce that risk. 

Strong passwords: Length and uniqueness

A strong password is not about symbols no one can remember. It’s about length, uniqueness, and never reusing a password across systems. A long passphrase you have not used anywhere else is far more resilient than a short, complex password reused on multiple sites. Something that you can remember like a sentence about what happened in your life recently can be a good start at a long, but memorable, passphrase.

MFA: Your digital seatbelt

Multi-factor authentication (MFA) is one of the most effective defenses available. According to national guidance from the Cybersecurity and Infrastructure Security Agency, MFA can stop the majority of account takeover attempts, even when a password is compromised. Many of our systems already support it, and enabling it means that a stolen password alone is not enough for someone else to get in. Think of it as a deadbolt on your door, simple to use and incredibly effective. 

Credential hygiene: A habit, not one-time task

For good credential hygiene:

  1. Change passwords if you think your account has been compromised or you may have clicked on a link or attachment in a suspicious email.
  2. Never re-use passwords between different accounts.
  3. Be cautious with unexpected login requests or “urgent” account warnings.
  4. Never approve multi-factor authentication prompts you did not initiate.         
  5. Report suspicious email or activity early.

Recent awareness campaigns across campus have shown how quickly phishing messages evolve, from fake document shares to job offers and research-related lures. Early reports from faculty, staff, and students have repeatedly helped the security team contain issues before they spread. That shared vigilance matters. 

If you have questions, need help enabling MFA, or want guidance tailored to your business or research needs, campus partners are encouraged to contact the Information Security and Policy Office (ISPO) at it-security@uiowa.edu. ISPO is here to help you securely meet your business and academic goals. 

New year. New passwords. Stronger community. 

Related service(s)
IT Security Information