The Blue & Gray Press | May 23, 2018

Passwords to Expire, Reset Every 90 days

In order to improve the security of the University of Mary Washington login systems, the majority of students may find themselves facing a login screen informing them that they are required to change their password upon returning to campus from winter break.

According to Dana German, vice president for information technologies, the University of Mary Washington will be making some security and technological changes beginning Jan. 3, 2011 to comply with information technology regulations. There will be new password requirements as well as a new guest wireless registration procedure.

The new password complexity rules require that students make their passwords at least eight characters in length and include one number and one letter. The passwords must also contain both upper- and lowercase characters, German said.

According to German, the login systems that will be affected by the new password regulations are EagleNet, Blackboard, Active Directory (using the UMW login option on lab and classroom computers), CleanAccess for wireless network authentication, the EagleOne Card System, and Library A-Z Databases from dorms and off-campus locations.

However, according to a document from German, student email accounts and the Apogee network will not be impacted by these changes.

A new guest wireless access registration is also required as of Jan. 3.

Passwords will expire every 90 days.

“Whenever you do change your password, that’s when your clock starts ticking,” said German.

As such, any student who has changed his or her password in the 90 days preceding Jan. 3 will not be forced to create a new login until that 90-day period has expired.

Some students may wish to reset their passwords before they go home for break, German said.

Recycling passwords will also be limited by the new information technology regulations.

“You can’t reuse the same password within 24 changes,” German said.

“Guest users will be required to complete an online self-registration process. Each self-registration process will be valid for a 24-hour period,” according to German’s document.

“I can see this being a major source of frustration for students,” said senior Cara MacDonald of the new policies.

“It seems very safe, [because] there won’t be so many hacks and whatnot,” sophomore Brittany Lambeth said. “But that’s a lot to deal with, especially because you can’t rotate. You have to come up with something brand new.”

The regulations may change as time passes.

“We’re still ironing out some of the details, so it’s possible that there will be some variations and change,” German said.

Photo by Marie Sicola/Bullet

Comments

  1. Matt

    This is insane!

    This will serve three major purposes:
    1. It will encourage people to write down their passwords and stick them to easy-to-find things.
    2. It will increase the number of lost-password calls when people misplace said written down passwords.
    3. Inevitably, the passwords will expire at the worst possible moment. When that final project is due, you’re late for class, and need to print it. That’s when it’ll make you create a new password. As a result, users will throw in anything to get in at first, and forget what they put, and forget to write it down.

    How do I know? I worked for another college’s helpdesk and it was a regular occurrence to move a professor’s workstation and they’d have a post-it stuck there with their latest password written on it.

    It would be far more effective to make a very long, complex password requirement (e.g. 12 characters) that requires at least one each of upper & lower case characters combined with at least one number or symbol. Then, encourage users to create a phrase for their password.

    Think about it — which is more secure? Having 10 passwords that are “password1” “password2” “password3” etc. changing every X days or having one password that’s something like “This-Is-My-Stuff@UMW2010” that stays for a long time?

    If you don’t think the word “password” is a likely candidate for a user’s password, you might want to take a look at the top 10 passwords so you can avoid them:
    http://www.pcmag.com/article2/0,2817,2113976,00.asp

    And here’s some info about how to create a really good password, direct from Microsoft:
    http://www.microsoft.com/protect/fraud/passwords/create.aspx

    Security is good, but making people change their passwords more than once per term is asking for trouble!

  2. Megan

    I agree with Matt. Having been under an identical password system in high school, I and many of my fellow students followed the “Password1” “Password2” “Password3” trend. Either that, or you’d see students trying 6 or 7 different passwords towards the end of the year because they can’t remember which one they set last, and inevitably forgetting it but remembering all the priors and having to contact the help desk for it. It’s a very frustrating system, and I’m far more comfortable with the alternative Matt suggested. Once a semester, and very lengthy/complex is far more practical. We memorize enough in our college careers, let’s not make us learn 6 different passwords each semester too. 🙂

  3. MP

    “We’re still ironing out some of the details, so it’s possible that there will be some variations and change,” German said

    Well, how about until you iron out everything so that the students are happy with this new idea, or make it two times at most per semester, don’t do it.

  4. Zhen

    Changing passwords every 90 days is excessive. I’m fine with 8 letters without capitalization and numbers but changing them every 3 months is too much.

  5. Another Matt

    These new security measures are a good thing. They are bringing our technology infrastructure more in line with standard best practice as well as in line with the state mandated requirements. These policies are not extravagant to anyone who understands computer security and password strength. Any password, no matter how long or complex it is, can be broken; it is just a matter of how long a person has to try and crack it. Making passwords moderately complex and changing them regularly, as the school is now requiring, would prevent a password from being “in service” long enough to be cracked by a malicious user. I would suggest that individuals try to understand a little bit more about how passwords and the surrounding technology really work before criticizing this policy. We are in academia after all.

  6. zach

    Another Matt wrote: “Any password no matter how long or complex it is can be broken, it is just a matter of how long a person has to try and crack it.”

    A 12-character, alphanumeric, mixed punctuation password takes about 10 million years to crack, with a modern desktop computer, according to this site: http://howsecureismypassword.net/

    I certainly don’t have that long, and I don’t think anyone else does.

    Also, what about research that concludes complex security and password policies are simply a (costly) waste of time? Here’s a link: http://docs.google.com/viewer?url=http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf&pli=1

    As the anecdotes in these comments demonstrate, users are likely to choose shortcuts that actually make their login *less secure*, when they are presented with too much complexity.

    To put it another way, the “in service” time of a password has little to do with its crackability, if it’s secure enough in the first place.

    I’m not a security expert, but this makes sense to me: pick a good password and stick with it. Bruce Schneier seems to agree: http://www.schneier.com/blog/archives/2010/11/changing_passwo.html

  7. Another Matt

    zach wrote: “A 12-character, alphanumeric, mixed punctuation password takes about 10 million years to crack, with a modern desktop computer, according to this site: http://howsecureismypassword.net/”

    While this might be true, it completely ignores the risk of distributed computing attacks which are perpetrated by botnets and other computers infected by similar malicious software. In these cases, it doesn’t matter how long we think we have.
    Another point of contention is that if users are forced to change their passwords often, the new passwords they create will be less secure because the user will just be tired of memorizing new ones. While this issue is seen as a side effect of a password change policy, it is a side effect created by users who are not willing to adapt to/understand the technology they are using.
    And while Bruce Schneier seems to agree, the NSA and, more importantly, VITA i.e. the agency governing our university policy, do not.
    http://www.vita.virginia.gov/uploadedFiles/Library/LogicalAccessControlGuideline04_18_2007.pdf
    http://www.nsa.gov/ia/_files/support/I33-011R-2006.pdf

  8. um

    @Another Matt: Distributed computing attacks don’t have infinite resources to carry out their attacks. There are only a finite number of computers in the world, so no matter how great your botnet is, you’re only going to be able to improve the speed of your attack by a constant factor. By adding a single randomly selected alphanumeric character to your password, you’ll generally increase the time to crack the password by a factor of 36. This causes the difficulty of increasingly long passwords to increase exponentially. In short, a sufficiently long password is virtually impossible to crack directly; a better bet at that point would be side channel attacks.

    Finally, I glanced at the NSA resource you linked to; in fact, it seems that it does agree that 12 character passwords are sufficient, given that it includes the sentence: “Passwords should be 12 or more characters in length on Windows systems.”
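The arithmetic behind the exchange in comments 6 through 8, written out as an added example that is not part of the article or of any commenter's post: a constant-factor speed-up (a botnet, faster hardware) buys an attacker only a fixed number of extra characters, while each character added to a password multiplies the search. The guess rates and the botnet factor are assumptions chosen for illustration, not measurements.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes referenced on the page: 36 is the "factor of 36" from
# comment 8; 62 is what the article's upper+lower+digit rule draws from;
# 95 (printable ASCII) approximates comment 6's "mixed punctuation".
ALPHABETS = {"alphanumeric, one case": 36, "upper+lower+digits": 62,
             "upper+lower+digits+symbols": 95}

def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def crack_years(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected years for an exhaustive search, which succeeds halfway on average."""
    return keyspace(length, alphabet_size) / 2 / guesses_per_second / SECONDS_PER_YEAR

def extra_chars_to_offset(speedup: float, alphabet_size: int) -> int:
    """Smallest number of added characters whose keyspace growth cancels `speedup`.

    Integer loop rather than log() so exact powers are not mis-rounded.
    """
    n = 0
    while alphabet_size ** n < speedup:
        n += 1
    return n

def meets_article_policy(password: str) -> bool:
    """The article's stated rules: 8+ characters, a letter, a digit, mixed case."""
    return (len(password) >= 8
            and any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password))

if __name__ == "__main__":
    desktop = 1e9          # assumed guesses/s for one machine (hypothetical)
    botnet_factor = 1e6    # assumed: a million-machine botnet (hypothetical)
    for label, size in ALPHABETS.items():
        for length in (8, 12):
            solo = crack_years(length, size, desktop)
            swarm = crack_years(length, size, desktop * botnet_factor)
            print(f"{label:28s} len={length:2d}: {solo:10.3g} yrs alone, "
                  f"{swarm:10.3g} yrs with botnet")
        # The botnet's million-fold speed-up is worth only this many characters.
        print(f"  -> offset a {botnet_factor:g}x speed-up with "
              f"{extra_chars_to_offset(botnet_factor, size)} extra chars")
```

Comment 6's "about 10 million years" for a 12-character mixed-punctuation password lands in the same range here (roughly 8.6 million years at the assumed 10^9 guesses per second), and the same table shows why the article's 8-character minimum does not.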