Passwords are your keys to computers
A password and username work together as a "key" to a computer system, granting a given user a specific set of access rights. Access to confidential information, whether coursework, administrative data, or e-mail, is protected by the password/username pair, which makes it one of the most critical elements of system and data security. All of the efforts of system administration staff are useless if passwords aren't protected properly. A large number of security problems at Drew stem from improper protection of passwords and computer accounts. How to select a good password, and how to keep it secure, is discussed here.
1) Don't give your password to anyone.
Passwords are initially created as random numbers for most Drew systems. The password must be changed immediately on the first access. After that, you and only you should know that password.
- Don't write your password down, especially in a place that someone might look for it (inside a desk drawer, under a phone or keyboard, next to the monitor, on a desk leaf, in a wallet, etc.) Commit your password to memory as soon as possible. If you must write a password down, keep it in a sealed envelope in a secure location, and change it when the envelope is opened. Never send a password in email.
- Don't share your account password with anyone, regardless of how well you think you know them. A user account is a privilege granted to a specific person, and sharing that account is a violation of University policy. Even your best friend or your one true love is not entitled to use your account. Besides, sometimes even the best relationships turn sour, and then you don't want your new enemy to be able to send email in your name.
- Never divulge your password to people who claim to be system management or technical personnel. Real system managers don't need your password: the system grants them access through their own accounts, and logs every critical action under their identity, not yours. If your password doesn't work for some reason, they do not need the old password to reset it. There is no reason that Drew technical staff need to ask you for your password. EVER. If CNS Helpdesk employees or network support staff need to log in to your account, they will do it in your presence and ask you to type in your password when it is needed. Never leave another person using your logged-in account unattended.
- Students will be held responsible for all emails that are sent via their email accounts. The following story illustrates why:
- "My sophomore year of college, a freshman who had been kicked out of school accessed another student's email account. He used the account to send numerous threatening emails to professors and to Drew students. The student whose email account was hijacked was taken to meet with the Dean of Students and nearly got kicked out. He was finally able to prove that he wasn't the one who sent out the emails, but he could have been expelled because he gave his password to a friend" - Senior, Class of '09
- Do not give your password to anyone.
2) Make your password easy to remember, but hard to guess or determine by "brute force."
Avoid using common or simple words, such as "password". A standard attack is to try every word in a dictionary (and common variations of each) as the password. You should also avoid passwords having anything to do with you, like your name, birthday, address, Social Security number, pet's or partner's name, shoe size, basically anything about you that is potentially public knowledge. Avoid these in both forward and reverse order. Avoid sample passwords you've seen in any book or movie. Avoid passwords that are all letters or all numbers: a program that tries every possible combination has far fewer combinations to try when the password draws on only one kind of character, so such passwords are guessed much faster.
So, what are you left with? The kinds of things that make good passwords are things that have no obvious pattern and no contiguous words. Breaking up words with numeric digits or punctuation is very helpful. Abbreviations of long phrases can also be useful. It is important to select something that can be remembered mnemonically, yet when typed looks like complete gibberish.
Some people find it helpful to create what's called a "pass phrase". Use these steps to make a pass phrase:
Take a short phrase or sentence ("I like my dog")
Take out the spaces ("Ilikemydog")
Replace some of the letters with numbers or special characters ("Ilik3myd0g")
Chances are you'll remember this pass phrase fairly easily, but it would be difficult for anyone else to guess. (And no, please don't use this example as your own pass phrase!) One caveat: password-cracking tools know the common substitutions (3 for e, 0 for o, and so on) and try them automatically, so the strength comes mainly from the length and from choosing a phrase nobody would associate with you, not from the substitutions alone.
At Drew University, your password will need to be at least 8 characters long.
3) Change your password often.
So, you follow 1) and 2) above. Why should you still need to change your password? It's secure, right?
Not exactly. Despite everyone's best efforts, passwords can still be captured:
- If you dial in on a phone line or log in over the Internet, the password data passes through numerous public networks. There have been reports of people compromising network machines and stealing username/password combinations by monitoring the traffic on communication lines, and then using those credentials to gain access. Even if the password is encrypted in transit, an attacker who records the encrypted exchange can sometimes simply replay it to log in.
- If you type a password with other people in the room, they may be able to watch your keystrokes. It's the same as people at pay phones using calling cards and unscrupulous people stealing the card number by watching people key it in. (It's proper etiquette to look away from the keyboard or screen while someone is typing in their password.) If you suspect someone has seen you type in your password, change it immediately.
- It's possible that systems or software you use (mail packages, Web pages, etc.) will store your password in an unencrypted format, or in a format known not to be secure. If this is true, and the system is compromised, those passwords will be made available to the infiltrator.
At Drew University, your password will need to be changed every 180 days.
To change your password
You may change your password from the Web by going to http://password.drew.edu.
Drew now uses the same account name and password for logging into the network, email, and all other network services except for AIMS.
You do not have to wait before your password expires to change it. We suggest you change your password any time it may have been compromised--such as when it has been written down, or given to another person, or if for any reason you think someone else might know your password.
Network passwords expire every 180 days.
A week before your password expires, you will receive email notifying you that your password is about to expire. We strongly recommend you change your password as soon as possible after you receive the email, because once your password expires you begin using grace logins (these can be consumed without warning when you open Netscape or use other Web services on campus). If you use all of your grace logins before you change your password, you will not be able to log in to the network and will have to get assistance from the Help Desk.
Students, faculty and staff who cannot get in to their account can go to the Help Desk in the basement of Brothers College with a Drew ID and have their password reset.
NOTE: A new password must not repeat one you have used before. The same exact combination of letters and numbers in the same sequence cannot be used again as your network password.
4) Use different passwords for unrelated systems.
If someone gains access to a computer system and gets your password, it is then available for their use. If all of your accounts - your bank account, Facebook, and Drew uLogin, for example - use the same password, then they've gained access to all of them at once. While it is easier to remember just one password, it's far more dangerous. Your passwords don't have to be completely different; they can be related, but they shouldn't be identical (or simple permutations like password1, password2, etc.). Having the same password on multiple computer systems means that all of your accounts are only as secure as the least secure of those systems. While Drew's servers store passwords in a one-way format that cannot practically be reversed, other sites may simply store passwords in plain text. That means not only that the password is exposed if the remote system is broken into, but also that the administrators of that system can read every password at will. This is especially an issue with passwords you use for Web access to services: these should be completely different from your Drew password and from the passwords to any data you care about. Use harder-to-guess passwords for your more critical accounts.
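The difference between the two storage formats described above is easy to see in code. The following is an added example, not Drew's code and not a description of how Drew's servers actually work: a plaintext store, where the operator reads every password directly, next to a store that keeps only a per-user salt and a slow one-way hash (PBKDF2-HMAC-SHA256, with an illustrative iteration count), plus the offline guessing an attacker is reduced to after stealing the hashed database. The users and passwords are constructed.

```python
"""Added example (not Drew's code): plaintext versus salted one-way storage,
and what a thief of each database can do with it."""
import hashlib
import hmac
import os


class PlaintextStore:
    """The format the text warns about: whoever reads the database has every
    password, so a reused password leaks to every other site at once."""

    def __init__(self):
        self.db = {}

    def register(self, user, password):
        self.db[user] = password

    def verify(self, user, password):
        return self.db.get(user) == password

    def leaked_passwords(self):
        """Everything an attacker (or administrator) can read directly."""
        return dict(self.db)


class HashedStore:
    """Keeps only (salt, PBKDF2 digest); the password itself is never stored."""

    def __init__(self, iterations=600_000):  # iteration count is illustrative
        self.db = {}
        self.iterations = iterations

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   self.iterations)

    def register(self, user, password):
        salt = os.urandom(16)  # fresh random salt per user
        self.db[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        rec = self.db.get(user)
        if rec is None:
            return False
        salt, digest = rec
        # Constant-time comparison so timing does not leak digest bytes.
        return hmac.compare_digest(digest, self._derive(password, salt))

    def leaked_passwords(self):
        """Nothing can be read directly; see offline_guess for what remains."""
        return {}


def offline_guess(record, candidates, iterations):
    """What an attacker holding a stolen (salt, digest) record is reduced to:
    re-deriving each guess from a word list and comparing. A strong, unique
    password never appears in the list; a weak one still falls."""
    salt, digest = record
    for guess in candidates:
        attempt = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
        if hmac.compare_digest(attempt, digest):
            return guess
    return None


if __name__ == "__main__":
    plain, hashed = PlaintextStore(), HashedStore(iterations=100_000)
    for store in (plain, hashed):
        store.register("jane", "Ilik3myd0g")
        store.register("bob", "password")
    print("plaintext breach exposes:", plain.leaked_passwords())
    print("hashed breach exposes:   ", hashed.leaked_passwords())
    wordlist = ["letmein", "password", "qwerty"]  # constructed attacker list
    for user in ("jane", "bob"):
        print(user, "cracked as", offline_guess(hashed.db[user], wordlist,
                                                hashed.iterations))
```

The plaintext breach hands over both passwords immediately; the hashed breach yields nothing directly, and the wordlist recovers only "password". That is the whole argument of this section: you cannot control which format a given site uses, so the only safe assumption is that any password you enter into a third-party site may become public, and it must therefore not be the one that opens your Drew account.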
You now have the same password for the LAN, email, roaming access, the proxy server, and Session Manager enabled websites. Although this may seem to be a contradiction of the above rule, the difference is that all of these systems will be managed under a common security policy, and passwords will be stored in one database on the network. This model is secure when managed properly and administered by a central organization.
5) Is this all really necessary?
You might say, "Well, I don't really have anything important on the network, so why should I care about my password?" Even if you have no sensitive data in your own account, the fact that you have an account on the Drew network means you have been granted rights to other files that are confidential to Drew, such as course materials or administrative information. If you're faculty or staff, you have shared network space that is writable by you, and that data is very important to others in your department. If your account is compromised, it may be used as a stepping stone to reach other Drew files or systems, or as a launching point for attacks on other systems on the Internet. While these suggestions may seem like paranoia, they are critical on the interconnected, shared Internet to keep not only you but the University safe from unauthorized access.