Communications and Information Technology's Information newsletter

January/February 2004

Content
. . . New Password Policy for IANR
. . . Safeguard Your Data: Organize and Make Backups (see September 2007 update)

New Password Policy for IANR

Over the course of the next several months, CIT will begin to enforce a more robust password policy for computer resources supported by CIT. There is no question that passwords can be a troublesome nuisance — everything from office computers to bank accounts to television asks for some PIN or phrase before letting you pass. But passwords exist to protect your work, your money, your personal information, your access to the UNL network, and more.

Truth be told, most of us choose the path of least resistance when it comes to choosing and managing our passwords. Common strategies include picking easy-to-remember words or names: our address, birth date, or something else just as easy to recall. Another is to reuse the same password as often and wherever possible. Sometimes even these simple strategies seem too burdensome, and we are reduced to writing the password on a piece of paper taped to the computer monitor.

Weak passwords cause security risks

Passwords are inconvenient by design. A password that is easy for you to remember is fine as long as it is not easy for someone else to decipher or learn. Would someone guess your password if they tried your login ID, your phone number, your spouse’s name, your address, or your birth date? Would they be getting close?

Another consideration is that traffic passed over the network can be intercepted, and intercepting passwords is something that can be done with specialized software. One type of login/password traffic is called “clear text.” This sort of transmission, if intercepted, is as easy to read as the words on this page.

Many systems, such as the local area network (IANRDOM), the Lotus Notes Client, and secure web servers (https), send encrypted passwords. Encryption schemes use a key pair (the electronic equivalent of a magic decoder ring) to scramble the password before it enters the network and to unscramble the transmission upon its arrival at the destination computer.

If someone intercepts an encrypted password and lacks the key, a number of tools can be used to guess what the password might be. The first set of guesses tries every word in the dictionary (along with the most common names); this first run takes a few seconds at most. If the password escapes deciphering by dictionary words, then various character combinations are tried. If the password is one character long (or two), this exercise is trivial. The difficulty of cracking a password increases exponentially as the password lengthens — as long as it is not all letters or all numbers.

New policy to begin May 1

The new password policy and practices will begin on May 1, 2004. The first order of business will be to make sure sensitive information is protected by strong passwords and encryption technology. Faculty, staff, and students who connect to the IANRDOM local area network will be required to have a more robust password consisting of at least 10 characters, including upper- and lower-case letters and at least one numeric character. Everyone will have to change these passwords at least once each year. We in CIT are well aware that this policy constitutes a big change for most of us. We believe that the emergence of network intrusion tools and other nefarious software makes such a move necessary.

The first priority will be to address systems that hold potentially sensitive and private information, such as the desktop and personal network resources. Web pages and other logins will begin to use encryption schemes as soon as such technologies can be put in place.

As May 1 approaches, more information will be made available to help users manage passwords. Documentation of the policy and useful suggestions for constructing strong passwords will be located on the CIT Computing website.

~ Ron Roeber

Two methods for creating passwords that are reasonably secure, but not impossible to remember

Method 1:

  1. Choose a couple of words that are not directly related to each other but that you can remember. (e.g., dogs, ball)
  2. Change one or more of the letters in the words to upper-case letters, numbers, or symbols. (e.g., d0gs, bAll)
  3. Join the words with one or more non-alphanumeric symbols to get the final password. (e.g., d0gs$$bAll)

Method 2:

  1. Choose a song lyric, quote, or other sentence that you will easily remember. (e.g., There is no place like Nebraska)
  2. Use the first letter of each word, mixed case. (e.g., TinplN)
  3. Change one or more of the letters to a number or symbol, or add a symbol or number to the beginning or end. (e.g., 16TinplNE!)

NOTE: Do NOT use these samples for your password.
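The short check below is an added illustration, not part of the original newsletter or of any CIT tool. It applies the May 1 rule stated above (at least 10 characters, upper- and lower-case letters, at least one digit) to the sample passwords from both methods, runs the kind of dictionary pass the article describes first, and estimates how the brute-force search space grows with length and character mix. The word list is a constructed stand-in for a real dictionary.

```python
import math
import string

# IANRDOM policy from the article: at least 10 characters, upper- and
# lower-case letters, and at least one numeric character.
MIN_LENGTH = 10

# Constructed mini word list standing in for the dictionary a cracking
# tool tries first; a real check would load a full word list.
COMMON_WORDS = {"password", "nebraska", "dogs", "ball", "welcome", "husker"}


def policy_violations(password):
    """Return the list of policy rules the password fails (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # Dictionary pass: a plain word, even with digits tacked on the end,
    # falls to the first and fastest stage of guessing.
    if password.lower().rstrip(string.digits) in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


def keyspace_bits(password):
    """Estimate the brute-force search space in bits: length times log2 of the
    alphabet actually used (26 lower, 26 upper, 10 digits, 32 symbols).
    Each added character multiplies the space by the alphabet size."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    for pw in ("nebraska1", "d0gs$$bAll", "16TinplNE!"):
        print(pw, policy_violations(pw) or "OK", "%.0f bits" % keyspace_bits(pw))
```

Both sample passwords from the two methods pass the rule, while a dictionary word with a digit appended fails on length, case, and the dictionary pass.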

Posted February 19, 2004

CIT Information is published by Communications and Information Technology, Institute of Agriculture and Natural Resources, University of Nebraska-Lincoln. Newsletter articles may be copied and distributed for nonprofit, educational purposes only and the source must be acknowledged. Direct all correspondence to the editor, Pamela K. Peters (E-mail: pkpeters@unlnotes.unl.edu; Phone: 402/472-5630; FAX: 402/472-5639).

The University of Nebraska-Lincoln is an affirmative action - equal opportunity employer.