From your remote access page:

The formula for a username is:
firstname.lastnameyy (where yy represents the last two digits of the year you were first admitted to SJU. Note: If you are a graduate student who attended SJU as an undergraduate, use your graduate year of admission.)

The formula for a password is:

mmddyy (which represents your birthdate. Note: if you changed your password for any reason, use the new password rather than the mmddyy combination.)

Example:

Susan Smith was born February 9, 1986 and was admitted to SJU in 2003. 
Her username is susan.smith03 

Her password is 020986 (unless she has changed her password herself) 


Your password system for your remote log-in is systematically vulnerable.  You're basically telling the world how to log into your proxy from this help page.  Someone can find a student on Facebook from your University to find the user name and then find a birthday and an admission year either through looking the info up on the page or using a program to guess the date.

It's very easy to use a little bit of social media investigation to figure out these passwords into your remote databases.  

You'll need to change your password scheme to something that is more robust so that someone looking to gain access to your data cannot guess or find it.   You could try randomly generating an alpha-numeric password and having the students request it be sent to their email the first time they need to access materials remotely and then regenerate the passwords every semester.   

Also, when a breach occurs you should not ask the user to change his or her password; rather, you should change it for them and inform them of the problem.

--
James Hodges
Asst. Systems Admin 
University of New Orleans Library
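To put numbers on the point made above, here is an added example that is not part of this thread (function names, the 12-character length and the alphabet are my own choices): it counts how many distinct mmddyy strings are valid dates, flags a password that is a bare birthdate, and generates the random alpha-numeric replacement the reply proposes.

```python
import math
import secrets
import string
from datetime import date

# Alphabet for the replacement scheme: random alpha-numeric, per the reply.
ALPHABET = string.ascii_letters + string.digits


def _valid_month_day(mm: int, dd: int) -> bool:
    """True if mm/dd is a real calendar date (2000 is a leap year, so Feb 29 counts)."""
    try:
        date(2000, mm, dd)
        return True
    except ValueError:
        return False


def looks_like_mmddyy(password: str) -> bool:
    """True if the password is exactly a plausible mmddyy birthdate, i.e. the weak default."""
    if len(password) != 6 or not password.isdigit():
        return False
    # yy is ambiguous (19yy or 20yy); only month/day validity is checked.
    return _valid_month_day(int(password[:2]), int(password[2:4]))


def mmddyy_keyspace() -> int:
    """Distinct valid mmddyy strings: 366 month/day pairs x 100 two-digit years."""
    valid_days = sum(1 for mm in range(1, 13) for dd in range(1, 32) if _valid_month_day(mm, dd))
    return valid_days * 100


def random_keyspace(length: int) -> int:
    """Distinct passwords of the given length drawn uniformly from ALPHABET."""
    return len(ALPHABET) ** length


def entropy_bits(keyspace: int) -> float:
    """Guessing entropy in bits for a uniformly chosen secret from a keyspace."""
    return math.log2(keyspace)


def generate_password(length: int = 12) -> str:
    """Random alpha-numeric password from a CSPRNG, suitable for emailing as an initial secret."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

On this data the birthdate scheme has about 15 bits of entropy, while 12 random alpha-numeric characters give about 71; rejecting anything that passes looks_like_mmddyy() stops users from re-adopting the old pattern after a reset.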

On Tue, Oct 21, 2014 at 12:44 PM, Tian Zhang <ZHANGT@stjohns.edu> wrote:

Recently, one of our online resources was blocked by the publisher because it was systematically downloaded by compromised accounts from other countries. We found the accounts and tried to block the IPs, and also asked the owners of the accounts to change their passwords. But it does not work. The hackers still steal our journal articles.
If any of you have the experience of dealing with this kind of problem, I would like to get your ideas. You may contact me directly if you like.
Thank you in advance.
Tian Zhang

Serials Librarian

St. John's University Library
Tel. 718 990-5082
Fax. 718 990-5938
Email: zhangt@stjohns.edu
To unsubscribe from the SERIALST list, click the following link:
http://listserv.nasig.org/scripts/wa-NASIG.exe?SUBED1=SERIALST&A=1