In a cybersecurity survey of 485 large colleges and universities, the Massachusetts Institute of Technology came in at the bottom of the list.
In a report released today, SecurityScorecard analyzed the educational institutions based on web application security, network security, endpoint security, IP reputation, patching, and other security indicators.
SecurityScorecard's chief research officer Alex Heid said they have a feeling that MIT's low scores were due in part to its cybersecurity research efforts.
"They do their own malware research," he said. "They run honeypots. They're running TOR exit nodes."
But that's only part of the story, he added.
"When we dug in, we found that there's a lot of exposed passwords, old legacy systems, and a bunch of administrative subdomains that seem to have been forgotten about," he said.
Other problems included instances of the old Conficker worm, vulnerable ports, and old services still up and running which shouldn't be running anymore.
It's common at colleges for students and faculty to move on and forget to shut down old projects, Heid said.
MIT received high marks in web application security, DNS health, and application security.
MIT's failing score for password exposure did not actually count towards MIT's low overall score, he added, because often passwords are exposed when students and staff reuse credentials on other sites which are breached.
Organizations aren't penalized for factors out of their control, he said.
But all 10 of the lowest-scoring institutions in the report received a failing grade for exposed passwords, Heid said.
"When we look at the actual sources of breaches for universities, a lot of the breach information was from the university itself," he added.
The school with the highest scores? Merced Community College in Merced, California.
Educational institutions tend to do worse on security metrics than similar-sized organizations in other sectors, said Heid.
They often use students to run some of their infrastructure, he said. "And mistakes are encouraged because that's how you learn."
In addition, companies in finance, insurance, or defense are likely to have professional security teams in place to make sure that problems are few, and are fixed quickly when they arise.
For example, it takes educational institutions an average of 28 days to patch critical vulnerabilities, said Heid.
"That's a long time compared to other large institutions," he said.
In addition, universities have traditionally been a favorite stomping ground for hackers, he said. "That still holds true today."