Heartbleed: McGill Password reset required


Sent on behalf of Michael Di Grappa, Vice-Principal (Administration and Finance)

In April, we emailed you about the Heartbleed vulnerability and its potential effects on McGill. All of McGill’s central IT systems have been evaluated, and updates were applied wherever needed. That work is now complete. However, since the exploitation of Heartbleed leaves no log information on affected servers, there is no way of knowing whether credentials or data were compromised before the IT community was made aware of the vulnerability.

In order to ensure the continued security of confidential data and personal information you may have access to, we are taking the precaution of requiring all McGill staff to change their McGill Password without delay.

When changing your McGill Password, remember to make it complex (by adding symbols and numbers), and unique (don’t use the same password for online banking, cloud storage, social media, etc.). If you currently use the same password for other non-McGill accounts, you may wish to change those as well. That way, even if one online account is compromised in the future, all your other accounts will be secure.

To reset your McGill Password, log in to Minerva (accessible through myMcGill or the Quick Links tab at the top of all McGill websites), and go to the Personal Menu > Password for McGill Username. The onscreen instructions include a link to the McGill Password Reset Checklist, which helps you identify various IT services, such as wireless or VPN, where you might have saved your McGill Password.

Note: If you have more than one McGill Username that is used solely by you (for example, you have a staff and a student account), your new password will be synchronized and apply to both accounts.

We take this opportunity to remind you that McGill will never send you a message to "click here to reset your password".

Thank you for keeping McGill’s institutional data secure.