December 18, 2007

Make Your Passwords Secure!

New Year’s Resolution: Make Your Passwords Secure!

With thanks to Ann Snowman, Mark Webster and Tim Arnold, who provided content for this Tip.

We have more and more computer accounts that require a password. To perform our work, we need both a Penn State Access Account and a Libraries Domain Account. Outside of work, we routinely have password-protected accounts as well, for activities such as internet banking, Amazon.com and other retailers, Hotmail, and more.

For a long time, easy-to-remember passwords were the rule of thumb. However, as the skills of password hackers and crackers have increased, so too has our need to render our computer work and play environments safe. As we approach the end of 2007, it’s an opportune time to discuss this important topic. This Tip organizes some key information that will help you review and revise your password practices to keep you safe and keep those password hackers at bay.

We’ll start with a review of your two types of work accounts, using information from an excellent email on the topic sent on November 30/07 by Mark Webster, of DLT. Next, we’ll include password information that will let you hit the ground running on your new year’s resolution to Get Secure.

Penn State Access Account and Libraries Domain Account

Your Penn State Access Account is your official digital identity at Penn State. It lets you use the full range of Internet services on or off campus such as Eudora e-mail, WebMail, Employee Self-Service Information Center (ESSIC), ANGEL and authenticated library databases.

Your Libraries Domain Account, available only to Libraries workers, lets you access your workstation’s local hard drive as well as the Libraries’ network, commonly referred to as the K: U: and V: drives. This account requires your User ID (example: abc123), password, and Library Domain name, which is always PSUL.


Your Penn State Access Account and Library Domain Account use the same User ID. However, your password may differ for these two accounts.

Password Primer

Penn State Access Account: You must change your Access Account password annually. To check your password expiration date, go to: http://its.psu.edu/password/. You can also change your password there.

PSU Access Account Password Policy

PSU Requirements: http://its.psu.edu/password/policy.html#guideline

Minimum length: 8 Characters

Complexity:

· Must include at least one alpha and one numeric character

· Must differ significantly from previous passwords

· Can’t use your User ID

· Can strengthen with special characters: $ . , ! % ^ *

· Should not include info about you: phone number, driver’s license, social security, etc.

Password history: 3 passwords remembered

Maximum password age: 365 Days

Account lockout threshold: 40 invalid attempts

Account lockout duration: 5 minutes

Forgotten Password: Contact ITS Help Desk

FAQ: http://its.psu.edu/password/faq.html

Libraries Domain Account: You must also change your Libraries Domain Account password annually. The system will prompt you when your password is due to expire; however, we recommend that you modify your password immediately if it does not adhere to the Libraries domain password policies below. The current Libraries password policy, which requires only a 5-character password with little complexity, has been changed to a more secure policy:

New Libraries Domain Password Policy:

Minimum length: 8 Characters

Complexity:

· Must include at least three of these four elements: uppercase A-Z; lowercase a-z; numerals 0-9; special characters, such as: $ , ! %

· Can’t use your User ID

Password history: 10 passwords remembered

Maximum password age: 365 Days

Account lockout threshold: 5 invalid attempts

Account lockout duration: 1 hour

Forgotten Password: Submit a Libraries HelpDesk Ticket

FAQ: http://techtipspennstate.blogspot.com/search/label/passwords
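The two policies above accept different passwords, which is easy to see when the rules are written as checks. The following is an added example, not part of the original Tip or any Penn State tool: it covers only the length, complexity and User ID rules, treats "special characters" as any ASCII punctuation, and reads "can't use your User ID" as a case-insensitive substring match (both are assumptions).

```python
import string

# Assumption: "special characters" means any ASCII punctuation; the page lists only examples.
SPECIALS = set(string.punctuation)

def char_classes(password):
    """Return which of the four character classes appear in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes

def _common_problems(password, user_id):
    """Rules shared by both policies: 8-character minimum, no User ID."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    # Assumption: "can't use your User ID" is a case-insensitive substring match.
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the User ID")
    return problems

def check_access_account(password, user_id):
    """PSU Access Account: at least one alpha and one numeric character."""
    problems = _common_problems(password, user_id)
    classes = char_classes(password)
    if not classes & {"upper", "lower"}:
        problems.append("no alpha character")
    if "digit" not in classes:
        problems.append("no numeric character")
    return problems

def check_libraries_domain(password, user_id):
    """Libraries Domain: at least three of the four character classes."""
    problems = _common_problems(password, user_id)
    if len(char_classes(password)) < 3:
        problems.append("fewer than three of the four character classes")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords; abc123 is the page's example User ID.
    for pw in ["tulip2008", "Tu!ipGarden", "Tulip2008", "ABC123xyz!"]:
        print(pw, check_access_account(pw, "abc123"), check_libraries_domain(pw, "abc123"))
```

An empty list means the password meets the rules that can be checked offline; password history and "differs significantly from previous passwords" need the account's stored history and are not modelled here.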

How to Change your Libraries Domain Account Password:

1. Log onto a library staff computer

2. Use these keys: Ctrl + Alt + Delete

3. Select the Change Password button and follow the prompts to complete the process.

Note: If you use auto backup on your computer, you must also make the auto backup password match your new Libraries Domain Account password.

How to Change your Auto Backup Password:

Note: These steps should be followed only for Auto Backups on computers identified with one primary user.

1. In the lower left corner of your workstation, click Start → All Programs → Accessories → System Tools → Scheduled Tasks

2. If backup IS listed:

· Double-click on backup

· Press 'Set password'

· Enter your new Password, confirm it and press 'OK'

3. If backup IS NOT listed: backup hasn’t been scheduled for this machine. If you are an Administrator, submit a Helpdesk request for assistance.

Note: Please remember to verify that your next backup was successful.

Why are the two password policies different? Can’t I use the same password for both?

Consider this – a hacker has learned your Libraries Domain Account user ID and password. If your Access Account password were identical, he would be able to access your e-mail, ESSIC, ANGEL, etc. and pose as YOU.

For your protection, have a unique password for each!

Password Cracking 101:

Password hacking has a long list of devotees, who have time on their hands to develop cracking tools with exciting names like John the Ripper, Aircrack, Brutus, wwwhack, coWPatty dictionary attack, and chopchop. Sadly, the bottom line is that if you do not make time to take secure care of your passwords, not to worry, the bad guys will “take care of them for you.”

The table below shows how password length and complexity work for you to thwart the hacker:

Password Length | Combo: Uppercase, Lowercase, and Special Characters | Lowercase Only

3 characters | 0.86 seconds | .02 seconds

4 characters | 1.36 minutes | .046 seconds

5 characters | 2.15 hours | 11.9 seconds

6 characters | 8.51 days | 5.15 minutes

7 characters | 2.21 years | 2.23 hours

8 characters | 2.10 centuries | 2.42 days
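The arithmetic behind a table like this is the size of the search space divided by a guess rate. The following is an added example, not part of the original Tip: the rate of one million guesses per second and the alphabet sizes of 95 (all printable ASCII) and 26 (lowercase) are assumptions chosen because they are consistent with the table's figures; the page does not state them.

```python
# Assumption: guess rate, not stated on the page.
GUESSES_PER_SECOND = 1_000_000

# Assumption: alphabet sizes for the table's two columns.
ALPHABETS = {"combo": 95, "lowercase": 26}

# Largest unit first; a year is taken as 365 days.
UNITS = [
    ("centuries", 100 * 365 * 86400),
    ("years", 365 * 86400),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
]

def exhaustive_search_seconds(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password of exactly this length."""
    return alphabet_size ** length / rate

def humanize(seconds):
    """Express a duration in the largest unit that gives a value >= 1."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"

def table_rows(lengths=range(3, 9), rate=GUESSES_PER_SECOND):
    """One (length, combo time, lowercase time) row per password length."""
    return [
        (n,
         humanize(exhaustive_search_seconds(n, ALPHABETS["combo"], rate)),
         humanize(exhaustive_search_seconds(n, ALPHABETS["lowercase"], rate)))
        for n in lengths
    ]

def policy_gain(old_len=5, new_len=8, alphabet_size=26):
    """Factor by which the search space grows when the minimum length rises."""
    return alphabet_size ** new_len // alphabet_size ** old_len

if __name__ == "__main__":
    for n, combo, lower in table_rows():
        print(f"{n} characters | {combo} | {lower}")
    # Old 5-character Libraries minimum versus the new 8-character minimum.
    print("lowercase search space grows by a factor of", policy_gain())
```

At the assumed rate the 4-character lowercase case computes to 0.46 seconds. Passing a higher `rate` to `table_rows` shows how quickly the short-password rows collapse on faster hardware, while each added character still multiplies the work by the alphabet size.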

Be sure to make your new year’s resolution to reclaim your right to secure passwords … on your Penn State Access Account, your Libraries Domain Account, and your at-home accounts.

Additional Password Links of Interest:

Password Checker: http://www.microsoft.com/protect/yourself/password/create.mspx
Strong Passwords: http://www.microsoft.com/protect/yourself/password/create.mspx
Password Management: http://www.microsoft.com/technet/security/guidance/identitymanagement/idmanage/p2pass_3.mspx?mfr=true

Our blog: http://techtipspennstate.blogspot.com/
Our global email: TECH-TIPS@psulias.psu.edu
