Is my uni too anal about passwords?

We have to change passwords every 60 days or we’re locked out of the system. When we do, they have to conform to the following rules:

* Are case sensitive! (i.e. You must take care typing upper and lower case)
* Cannot consist entirely of numbers, though may include them
* Must be at least 8 characters in length
* Must have upper and lower case characters, or have at least 1 number
* Cannot have a single character repeated more than 3 times
* Cannot be an exact match of your username, forwards or backwards
* Cannot be an anagram of your username or real name

While I’m sure this is very secure, what it means is that if I try memorizing my password I invariably forget it, since I’ve had to change it 9 times since I started my course, so I have to keep it written down in my wallet or pick something as simple as possible.

My girlfriend’s uni doesn’t require the password change at all. I think that’s more secure since she can give herself a complicated password and memorise it.

Or am I wrong?

Here’s how mine works. Our password is our freaking birthdate. And I don’t know how to change it.

Every 60 days is a ridiculous rule. It takes me a good couple of weeks to get comfortable with a new one to begin with. You either have to write it down, which is inherently insecure, or pick something easy to remember, which means the complexity drops. Frankly, if they’re worried about your password being compromised, it’s 10x more likely that someone will do it by snagging that cheat sheet than by cracking it.

I think the other rules are very sensible; it forces you to pick something complex enough that cracking it is a reasonably tough job, and prevents you from picking a dumb password like your username.

My company forces me to change twice a year, I think, using similar rules to your uni.

It’s not perfectly safe, but what I tend to do is pick a theme and a pattern and stick with it.

For instance, say your theme is famous explorers and your pattern is replace all vowels with numbers (a=4, e=3 etc, although for u you have to make something up, like u=9) and capitalize the third consonant. Then all you have to remember is the explorer of the month, so to speak.

m4g3Ll4n

c0l9Mb9s

m4rC0p0l0

so it fits the requirements and is probably safer than what 95% of people use.

ehh, the case sensitive is kind of a pain. Everywhere I’ve been, it’s always just lower case. I guess that’s case sensitive, but mixed case is not allowed.

If you have trouble remembering them, come up with a theme. Like a TV show or book.

hawkeye11, hotlips11, radar11.

Should give you enough options to rotate through. Then, to remember them, you could write down the first three letters and still be secure.

haw = hawkeye11, etc.

I’ve run stuff through a leet-speak generator, which seems to work for me. It usually gives me the letter/number/special-character combination I need. I keep the password in my Yahoo notebook file.

Robin

Yes, they’re overly anal. They’ve gone for supposed ultra-secure combinations, but not added the human element - if you make passwords this hard to remember, many more people will write them down. It’s like a bank deciding to use a 20-digit PIN number.

It depends what the password is protecting. If it’s an account with full internet access, I’d say it’s justified. Sixty days isn’t too bad if you’re logging in every day. Most places I’ve worked have had all those restrictions and reset every thirty days. If it locks you out at the sixty day mark rather than forcing a password change then that’s a bit annoying. I don’t have a problem with the rest of the list.

As for remembering the passwords, it’s not as hard as it sounds. enipla’s suggestions are good.

It is fairly easy to make strong passwords that are also easy to remember. Either with something like a passphrase or with something more mechanical. As for the OP’s restrictions, assuming you can use “special characters”, something like II1212 would be great. Easy to remember, hard to come up with randomly.

I think the policy is overkill for a university system. This is not a system with matters of national security and classified data, after all.

At my previous job, our network admin must’ve been some sort of paranoid conspiracy-theorist with too much time on his hands. We had to change our passwords every month. It had to be at least ten digits long, had to be composed of letters and numbers, and couldn’t be a word found in the dictionary (even if you used numbers to stand for letters, etc.) You couldn’t pick the same password ever again; once you used it, you could never use it again. If you put the wrong password in three times, your account became locked out; and, since our net admin was in a completely different state than we were, that meant that it could be more than a day or so 'til he got around to resetting your account.

So we all wrote our passwords on stickies and kept them under our keyboards. I felt REALLY secure, let me tell ya. :wally

At my high school, we had to change passwords every two weeks after a “hacking” incident (the principal called it hacking, but it was just kids going on a teacher’s computer and changing grades). I hardly ever used the school computers, so I basically had to make a new password every time I wanted to log on. Pain in the ass.

Dunno, but my university’s rules are equally convoluted:

  1. You have to change passwords every ninety days.

  2. You can’t use the same password twice in one year (before this rule came in, I used to have two standard passwords and switch back and forth between them.)

  3. Passwords must be at least eight characters long, and must include at least one letter, at least one digit, and at least one of the following “special characters”: !@#$%&*+={}?<>"’

  4. Passwords must not start with a hyphen, end with a backslash, or include a " except as the last character.

  5. Your password and your username must share fewer than six consecutive common characters.

I think this system is completely batty, for the same reasons everybody else has given. I try to choose passwords where the combo of letters, digits, and special characters actually means something recognizable, e.g., 5*hotel (well, that one won’t work because it’s only seven characters, but you get the idea).
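Both policies quoted in this thread (the original poster's seven rules and the five rules just above) are concrete enough to encode, so here is an added Python example written for this thread; it is not code from either university. Everything in it is an assumption on my part: the rule codes it returns, reading "repeated more than 3 times" as total occurrences rather than consecutive ones, comparing the username and real-name rules case-insensitively with spaces removed, using a straight apostrophe where the post shows a curly one, treating the "same password twice in one year" rule as a history list the caller supplies, and the sample inputs. It also shows why the "fewer than six consecutive common characters" rule needs a longest-common-substring computation rather than a simple containment test.

```python
"""Checkers for the two university password policies quoted in this thread.

Added example: rule codes, normalisation choices, history handling and the
sample inputs below are the author's assumptions, not either university's code.
"""
from collections import Counter

# --- Policy A: the original poster's seven rules --------------------------

OP_MIN_LENGTH = 8
OP_MAX_REPEATS = 3  # assumed: total occurrences of one character, not only consecutive


def _letters_only(text: str) -> str:
    """Lower-case and drop spaces so 'John Smith' and 'smithjohn' compare equal (assumption)."""
    return "".join(ch.lower() for ch in text if not ch.isspace())


def op_policy_violations(password: str, username: str, real_name: str) -> list[str]:
    """Return the rule codes the password breaks; an empty list means it passes.

    Rule 1 (case sensitivity) needs no check: the password itself is never lower-cased.
    """
    problems = []
    if len(password) < OP_MIN_LENGTH:
        problems.append("too_short")
    if password.isdigit():
        problems.append("all_digits")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not ((has_upper and has_lower) or has_digit):
        problems.append("needs_case_mix_or_digit")
    if password and max(Counter(password).values()) > OP_MAX_REPEATS:
        problems.append("char_repeated")
    # Username and real-name rules compared case-insensitively (assumption).
    pw_norm, user_norm = _letters_only(password), _letters_only(username)
    if pw_norm in (user_norm, user_norm[::-1]):
        problems.append("matches_username")
    if sorted(pw_norm) in (sorted(user_norm), sorted(_letters_only(real_name))):
        problems.append("anagram_of_name")
    return problems


# --- Policy B: the five rules in the post above ---------------------------

B_MIN_LENGTH = 8
B_SPECIALS = set('!@#$%&*+={}?<>"\'')  # the post's list, with a straight apostrophe
B_MAX_SHARED_RUN = 5                   # "fewer than six consecutive common characters"


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters present in both strings (classic DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def b_policy_violations(password: str, username: str, used_in_last_year: list[str]) -> list[str]:
    """Rules 2-5 of policy B; rule 1 (90-day expiry) is scheduling, not content.

    `used_in_last_year` is assumed to come from the caller's password history.
    """
    problems = []
    if password in used_in_last_year:
        problems.append("reused_within_year")
    if len(password) < B_MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isalpha() for c in password):
        problems.append("needs_letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs_digit")
    if not any(c in B_SPECIALS for c in password):
        problems.append("needs_special")
    if password.startswith("-"):
        problems.append("starts_with_hyphen")
    if password.endswith("\\"):
        problems.append("ends_with_backslash")
    if '"' in password[:-1]:  # a double quote is allowed only as the final character
        problems.append("quote_not_last")
    if longest_common_substring(password.lower(), username.lower()) > B_MAX_SHARED_RUN:
        problems.append("shares_username_chars")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "5*hotel" is the example the post above gives.
    print(op_policy_violations("Smithjohn", "jsmith", "John Smith"))
    print(b_policy_violations("5*hotel", "alice", []))
    print(b_policy_violations("carolyn2024!", "carolyn", []))
```

Returning a list of rule codes rather than a bare yes/no lets the login page tell the user which rule failed, which is what makes a policy like this survivable for the people who have to live with it. The checks belong on the server; anything the browser enforces is advisory only.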

My company is in the financial sector and is VERY password conscious. Passwords must be changed every 30 days and they have a quite restrictive content requirement. You get a warning about 10 days before your pw expires and then a countdown warning every day until you change it. I don’t work with sensitive material, but the rules is the rules and apply to everyone.

It’s not hard to comply. I use a pattern system that is easy for me to remember but would be difficult for anyone to guess at random.

My guess is that the university is simply trying to protect itself from being hacked into. If someone gained access to their registration, financial, or other database, do you think it would be trivial to fix? Would you be unconcerned if you paid your tuition with a credit card and this information were stolen by a hacker? Or if you couldn’t get a transcript when you were applying for a job because someone scrambled the records for “fun”?

I use the same core password, and increment the numbers by one every time I need to change it.

No one doubts that security is paramount–what people are questioning is if security is actually DECREASED if password requirements are so complex that people tend to write them down.

Furthermore, the more complex and dynamic your passwords are, the more often they get totally forgotten, and the more often they have to be reset. The more often they have to be reset, the more likely the process is to be automated or placed in the hands of a less-than-professional person, and the more likely you are to have through that avenue.

Perhaps the key is to train people in developing a system of evolving passwords that are easy to remember?

The plan is ultimately self-defeating. If you keep forcing people to use secure passwords and change them regularly, they’ll ultimately end up writing them down somewhere to remember them. I’m betting at least half the clerical workers at your college have a Post-It with their password somewhere on their desk.

In our college, we give students a password. They may change it if they wish, or keep it for as long as they want. If they find their e-mail is breached, it’s their problem.

In the case of actual financial data, it does make sense to make changes. If it’s just your e-mail or access to the course software, the practice is stupid. There’s not that much that people can see, anyway.

I’m trying to remember what the rules were at my school… I know we didn’t have to change them, but there must have been a reason my password was **1Elfkin!** because I’m not the type of person who’d put a number, capital letter, or exclamation point in anything without being required to. I think this is proof it’s easy to make a password with all three things that is memorable, though - I graduated from college in 1999, and still remember the password :stuck_out_tongue:

I have at least seven passwords where I work. Possibly more. I forget, because some systems I don’t use every day.

They have to be between six and eight characters long. A combination of upper and lower case. Cannot be the same as any of your previous six passwords. Cannot be dictionary words. Cannot even look like dictionary words. Cannot be your name. Or your date of birth. Can have numbers, but not be entirely numbers. Special characters are allowed, in some systems but not all of them.

I have one password that expires every 30 days. I have a couple more that expire every 45 days and some that expire every 60-90 days. Some can’t be changed unless they’re expiring, so no matter what I do, at any one given time I have no less than five unique passwords that I have to remember. All the goddamned time.

I really have no sympathy for our customers who bitch about trying to remember only 1 randomly generated password that’s all in lower case with no special characters and no numbers at all.

No, sixty days is pretty common in the real mainframe world. It is, I think, the default on the major mainframe security systems.

Most users come up with a personal pattern that is meaningful to them but likely not to others, and vary their passwords based on that pattern, taking advantage of the fact that patterns are much more obvious to humans than computers. Like Abc-1234, Abc-2345, etc.

Sometimes they start with the first phone number they had, something like Be5-2140. (Yes, many mainframers are old enough to remember when their home phone number looked like that.)

And remembering it is just considered part of your job. If you can’t handle that, you will have bigger problems trying to do your job in this field.

And twice a year? I would hesitate to trust anything important, like my medical records, or financial info, etc. to your company!

I tend to do the same thing. And it seems best. (Though I ain’t tellin’ ya the formula.)

Say you have a numerical password. If it’s 5 digits (my formula is a little more detailed) you’d increase, each day, the first number by one, the third by three, and the 5th by five on a 0-9 scale. And on whatever day you set once a week, you subtract the number value of the day from those 3 and start over. Going a step further, you could also adjust for numbers based on position.

Confused? I hope so. If you don’t understand it when I explain it, it’s a good bet the system is safe from figuring out the new formula I came up with that day. :slight_smile: