OIT moves to strengthen password security
12/06/2004 (from ND Works)
By Gail Hinchion Mancini
So, probably you've heard something about identity theft, huh?
Office of Information Technologies staff members are counting on that as they launch a campaign to convince all of us to change our computer passwords, and with regularity.
"No one incident has provoked this," says Gary Dobbins, director of information security in the Office of Information Technology. "We just think awareness has risen about risks in general."
During the coming months, OIT will institute a program approved by the University's Officers that moves Notre Dame computer users toward password replacement at least every six months.
Passwords are established by personal choice to protect what we view as personal space. If the only danger of an intruder were entry to someone's personal calendar or text documents, there might be little urgency. "That's the biggest misconception. People think intruders gain access to only what's on their desktop. They think 'My data isn't important, so changing my password isn't important,'" Dobbins says. "We need to dispel that myth."
In reality, an intruder often wants access to individuals' accounts because they potentially provide doorways to a corporation's or institution's administrative systems. Theft of Social Security numbers stands as one of the more chilling potential crimes that can result. Using a stolen insider's identity cloaks the invader from detection, Dobbins notes.
Are Notre Dame employee accounts particularly vulnerable to invasion? Frighteningly vulnerable, according to security tests, Dobbins reports.
A recent test using popular password-cracking software found that 28 percent - more than 7,700 University passwords - could be cracked in a few seconds. All but 60 passwords of 40,000 tested proved at least moderately easy to penetrate. Moreover, the percentage of passwords that are easily discovered is increasing. (A Dobbins note: this test tool didn't break into our accounts and rummage around, it compiled an aggregate of easily cracked passwords without retaining the corresponding NetIDs.)
How can we be so unprotected? The easiest passwords to remember are the weakest. Scores of accounts are protected by "goirish," for example, while in several cases, the password just repeats the NetID. Such data convinced officers that the University should institute a strong password policy.
What's coming? OIT is working on the technology that will automatically retire each of our passwords about twice a year, and that also will simplify the process of choosing a new one that meets minimum strength standards. Once the system is in place, frequent and persistent e-mail notices will be sent to remind us a change is coming. Those away from campus during the change will be able to use their old passwords to create new ones. If we forget our new passwords, tools will be in place that will allow us to pick again. But there also will be a tool that tests what we pick and rejects weak words such as our own names, words identifiable with Notre Dame - like goirish - or words in the dictionary.
What's a strong password? Some simple guidelines have emerged:
- One that has eight characters or more
- One that mixes up capital and small letters with numbers and symbols such as punctuation marks, brackets or the pound sign
- One that's changed often (a six-month-old password is an antique)
- One that isn't like any of the previous passwords you've had
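The kind of check described above (reject names, the NetID, institution words like "goirish" and dictionary words, then apply the length and character-mix guidelines) can be sketched as follows. This is an added example, not OIT's tool: the function names, the tiny word lists and the 0.8 similarity threshold are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample lists (assumptions); only "goirish" comes from the article.
SITE_WORDS = {"goirish", "notredame", "irish"}
DICTIONARY = {"password", "football", "welcome", "december"}  # stand-in for a real wordlist

def _core(s):
    """Lowercase and trim non-letters from both ends, so 'GoIrish1!' reduces to 'goirish'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s.lower())

def check_password(candidate, netid, names=(), previous=()):
    """Return the reasons a candidate is rejected; an empty list means accepted.

    `previous` stands for old passwords available at change time (for example
    the current one the user just typed); stored hashes cannot be compared
    for similarity.
    """
    reasons = []
    if len(candidate) < 8:
        reasons.append("shorter than eight characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, candidate) for c in classes):
        reasons.append("does not mix capitals, small letters, numbers and symbols")
    core = _core(candidate)
    if candidate.lower() == netid.lower() or (core and core == _core(netid)):
        reasons.append("repeats the NetID")
    if core in {n.lower() for n in names}:
        reasons.append("is the user's own name")
    if core in SITE_WORDS:
        reasons.append("is a word identifiable with the institution")
    if core in DICTIONARY:
        reasons.append("is a dictionary word")
    for old in previous:
        # A near-copy of an old password (one character changed) is rejected.
        if SequenceMatcher(None, candidate.lower(), old.lower()).ratio() >= 0.8:
            reasons.append("too similar to a previous password")
            break
    return reasons
```

Note that "GoIrish1!" satisfies the length and character-mix guidelines and is still rejected, which is why the word checks run on the trimmed core rather than on the raw string.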
Before instituting the new policy, OIT will launch an awareness campaign that will point to resources for handling password changes. Watch for posters, and watch for notices in your snail mail.
Beginning in 2005, the University of Notre Dame through a contract with SBC Communications Inc. will begin moving campus telephone services from the current traditional switched system to a voice-over-IP (VoIP) architecture.
VoIP, explains Notre Dame Chief Technology Officer Dewitt Latimer, transmits voice calls as data packets by employing the same internetworking protocols used for sending and receiving e-mail and data files across computer networks.
The VoIP initiative calls for SBC in a five-year phased project to replace the University's Centrex-based network with its hosted IP communications service. Ultimately, VoIP will serve the telephone needs of approximately 16,000 users on the University's main campus and in remote offices.
"VoIP will give the Notre Dame community a range of communications features that standard telephone systems can't match, and will save time and money on adding and moving telephone handsets," Latimer says.
For example, the SBC VoIP system will provide "unified messaging," through which a single inbox accommodates both voice and e-mail messages on a VoIP telephone or personal computer or both.
"The VoIP system will be able to chase you down via your office, cell or home phone instead of you chasing down your messages," Latimer explains, noting it's up to each user to set call routing preferences via a special private Web page.
The system is plug-and-play, allowing University of Notre Dame faculty, students, and staff to move locations, add new phones, or change service instantly. The University will be able to scale up or down without calling new vendors or ordering new technology.
Additionally, faculty, students, and staff will be able to use IP phones to access the hosted VoIP service and all of its features from any Internet connection, in dorm rooms or faculty offices, on-location or remotely.

