Is my uni too anal about passwords?

Ever since our company went to a system like that, my password has been on a post-it right on the front of my monitor (which is exactly why most security experts say password systems like that are bad).

I have to change my uni password about every 3 months. It’s very annoying. I can’t even remember what my password is at the moment. That’s going to be fun when I get back to uni in September.

My work login rules are about the same. Here’s what I do. something along the lines of I have a word in Chinese that I use for most of my passwords. Then I use a variation of this. For example, use take the word birthday. I use a variation along the lines of


Every time I have to change it, I change the 1 to a 2, then the 2 to a 3, and if you’re in school long enough, then start on the upper cases.

I decided to actually look at my company’s password document (what a novel idea), and it’s every 90 days, not twice a year. So much for my memory, and my comment that 60 days is crazy. It also needs to be 8 digits, contain a mix of alpha and non-alpha characters, and cannot be reused until after 4 iterations.

Customer data, OTOH is governed by the security requirements negotiated in the contract, not our internal standard. So your medical records are as safe as the company you deal with wants them to be!

Let’s also recognize that our OP is not a university employee with access to a host of sensitive data or data that can be altered. He is a student who has access to a limited set of resources that thousands of other students have, access to one student’s data, and very limited ability to change anything. Obviously, you don’t want access to be open, but if someone cracked his password, he’s pretty much the only person who would be harmed.

Just out of curiosity, I checked what the guidlines are at my uni.

    • Passwords must be 6 to 8 characters in length.
* Passwords should be easy for you to remember but difficult for others to guess.
* Using a combination of letters and numbers is a good choice.*

I’ve never had to change my password in two years–closest I’ve come is when they switched servers last summer. Used the exact same password. And there’s no numbers in it either. I know when I first chose it there was a suggestion to pick a sentence and use the acronym from that as your password (Which is what I did). I’m willing to bet that if you picked your username it would come back with an error.

Actually, each student has two passwords–the one above for checking e-mail and WebCT, and a 6-digit number for getting into course selection and payment options.

A couple of points. On any decently secure system, passwords are stored in an encrypted form so that if somehow you get your hands on the password file you still can’t tell what the passwords are. The arcane rules for what goes in a password (mixed case, digits as well as letters, etc.) are to make dictionary attacks against the password file computationally prohibitive.

If you can get into some poor schmuck’s account and start hacking from there, you can at least initially deflect suspicion to that poor schmuck when your fun is discovered. Since said poor schmuck probably has Internet access a hacker can do a lot more than just delete his assignments or use up his resources - he now has a starting point for launching attacks elsewhere on the Internet.

I do agree that there’s a tradeoff and that going too overboard reduces security, although I strongly believe that leaving an undisguised password on a sticky when you’re working for a company with any sort of confidential information should warrant an official reprimand.

Heh. At my workplace, I have the same rules as the OP, except the password changes every 30 days, and it must also have a symbol in it! Also my computer locks up after 2 minutes of non-use and the password must be re-entered.

In addition, to reach my computer, I must show government photo ID, have my belongings x-rayed, and pass thru 7 secure riot-resistant doors, each of which are monitored by camera and a physically present security staff member.

Same where I work. They require us to:[ul][]change every six months.[]have one at least 6 characters long.[]include symbols.[]include a mixture of letters & numbers.[]include uppercase characters as well as lowercase.[]not use the same password more than once over the course of 4 years.[/ul] The last three are relatively recent additions. I used to be able to get away with just using zip+4 codes of places where I’ve lived–not using the same one more than once over the course of two years–but now I include the state as well.

At work, I’ve rotated the same 12 passwords every 45 or 60 days (depending on the client) since 1985. I store my list on the mainframe or server so that if one expires while I am out for a while I can ask someone else in the shop to look up my next one.

Of course, I don’t actually list the passwords, themselves. Ulysses probably indicates Jam3sj0yc3 while UlyssesGk indicates 0dyss3us, (neither are real), so knowing my list tells no one my passwords, but I can hide them in plain sight where I can get help to recover them when I need to.

At work, when your password gets stale, you get a pop up asking if you want to change it now. No matter if you select yes or no, you’re forced to change it. So they ask if you want to change it, but won’t take no for an answer.

My super-duper failsafe system is a planetary name + my college ID number. Nobody else knows that ID, so I’ve got 9 fairly secure, easy to remember alternatives. THis month it might be mercury123456, the next venus123456, etc.

More than likely, your uni has had to clean up after a security mess of some kind, hence the password restrictions.

They are not unreasonable, IMNSHO; in fact, they are fairly standard, run-of-the-mill guidelines. Just pick something that is easy to remember, but wouldn’t be associated with you specifically. For example, my password a while back was 9 characters, used the special characters, capitals and digits, etc. It was the intersection of two major highways here in Houston: I10&SWFwy.

How do you think life is for those of us who administer passwords? You have perhaps a login/password for the PC, and maybe one or two other applications? I’ve got eighty-eight IDs and passwords for work. And yes, they’re all requiring three out of four complexity factors (upper case, lower case, numbers, symbols) and at least eight characters long. Two expire every 15 days, some 30 days, most are every 60 days.

I’ve lost count of the users that neep about having so many passwords. I tell them how many I have, and they all say “You win.”

That’s because too many people don’t ever do it. In my Uni, for you don’t change it after three warnings, you gotta talk with the basement IT personel. :stuck_out_tongue: ;j ;j

What the hay, did you work for the NSA? Sheeeeesh, that sounds like a nightmare!

I read somewhere (probably here) about an easy to remember random password generator. Basically, all you need to do is create a pattern on the keyboard that you will always use for your password, then change your starting point.

For example, my pattern could be two downward diagonal lines with a cap, starting with the letter j. So you would type j, then diagonally down to n, over to h, then down to b, and so on. ‘jnhbui’ becomes the password (in this case, ‘ui’ becomes the cap). This way, you can clearly post teh first letter of your rutine anywhere, but no one will know your passowrd without knowing your pattern.

Wow, sorry about the typos. I meant to hit preview and accidentally hit post. That last sentence should be: “This way, you can clearly post the first letter of your routine anywhere, but no one will know your password without knowing your pattern.”

Pay me your salary, and I’ll happily perform a few memory tricks.

You’re missing the point, that passwords (and IT security in general) is of minimal importance or concern to most people, and that it is not part of their job. Ever-more-convoluted password requirements aren’t going to spread the gospel - as has been repeatedly indicated, they are counterproductive. Every password regime should reflect the level of security needed, and nothing more. People don’t bitch just because they’re being expected to memorise an unnatural (yes, look it up) amount of random information…they object to this when the information being protected does not justify it.

I never said that passwords and security were high on end-users’ minds. Except of course, when they can’t log in.

I do agree that there should be levels of strength. The password that guards my vacation time planner does not need to be anyhwhere near as strong as the password for the system used for generating wire transfers. But, it is.

I’m tangled up in the same corporate policy as everyone else - rather than peel out 150 little exceptions for no-risk stuff like my calendar, and task a team to monitor all of these little things that they don’t someday become important things, the blanket policy is for all passwords to be complex.

From a governmental and regulatory perspective, it’s a good policy that stands up to scrutiny by the Office of the Comptroller of the Currency (aka The Feds). From an operational standpoint, it’s good in its uniformity. From a user standpoint, it sucks eggs. For the administrators, it not only sucks eggs but crams the broken shells into your tender spots.

As for information security not being part of their job - that’s an incorrect statement here. At least in terms of the rah-rah slogans - “Security - it’s in everybody’s hands” is on posters all over the place. Whether the rank-and-file actually embrace this is for someone else to determine.

Could be worse. Another slogan is “I am the I in policy.”

I worked for the engineering computer lab (labs for engineering students, faculty and staff) when I was in college. Here was our system:
[ul][li]Passwords are case sensitive[]Password must be at least 6 characters long[]3 or more repeated characters not allowed[]no dictionary words forwards or backwards[]cannot be username, real name, or university ID number[/ul] As someone who did user support, I was advised to tell users to mix upper and lower case and to try to use special characters. Our standard advice was:[ul][]pick a phrase (“I like to eat green peas”)[]substitute numbers for words (“I like 2 eat green peas”)[]pick the first letter of each word (il2egp) []mix up cases and add a character or two (iL2E_gP)[/ul][/li]Our admins had a program called “cracker” that they’d run to check to see if passwords were easily guessable. If weak ones were found, the user’s account would be locked and they’d be asked to come in and create a new password. I can think of a couple reasons why they were so hard core: there were a lot of comp sci/computer engineering types that liked to try to crack into our system, we had a lot of expensive technical applications on our system and didn’t want them to be used improperly/illegally, and we had a distributed computing system on our idle machines and they didn’t want that messed with.

Just as I’ve gotten used to and comfortable with my current email password at work (there are at least half a dozen others we have to keep track of), I get a message today informing me to change my password again. Here are the requirements:

I feel your pain.