Passwords and Digital Credentials

Introduction

It requires little in the way of persuasion to convince, well, anyone, that passwords are unpleasant: they’re difficult to type, harder to remember, and, sadly, they offer only diminishing security for our personal and private information. Yet for the time being passwords remain our primary means of verifying the identity of individuals before granting access to services or data. This document details some upcoming changes to how APIIT Education Group maintains digital credentials and discusses some planned future enhancements.

It is worth briefly discussing what passwords do. Passwords don’t intrinsically provide any security; rather, a password is a secret that (in theory) is known only to an individual. By providing the password when prompted, you as an individual are identified; that is, the combination of the username and password tells the system who you are—and because the password is a secret known only to you, it verifies that you are who you say you are.

Creating Strong Passwords

A strong password has usually meant one that is difficult to guess. Yet with the advent of powerful computing, it has become possible to make repeated guesses at a password, thousands if not millions of times per minute.1 The effect of this is that an ordinary 8-character password, by itself, offers limited protection against hacking. The standard approach to addressing this is to require passwords of greater and greater complexity and length—thus leading to more forgotten or mistyped passwords, an increased burden on helpdesks, and user frustration and anger.

Why Bother?

First, passwords do get stolen, and they get stolen in a number of different ways. Additionally, we regularly see brute force2 attempts to log into an account using commonly used passwords. By requiring the use of strong passwords, we are attempting to slow the ability to use the stolen password long enough for us to detect its use, detect its theft, or lower our attractiveness as a target.3

Achieving this does not require absurdly complex passwords, but it does require the use of longer passwords or passphrases. For example, using a well-known method for evaluating passwords,4 we see that the apparently very strong password &xy90UJ! would take ~7 years to crack; whereas the much easier to remember passphrase rain Spain falls plain would take centuries to crack. Here are a few more samples in this table:

Since it is obvious that long, comprehensible, and memorable sentences make for much stronger credentials than traditional passwords, it is compelling to ask, “why are we still using traditional passwords?” The answer is historical more than technical. Because of the long use of passwords, many applications assume that the password “ends” when it encounters the first space character. Thus “Rosebud Was The Sled” will be seen as merely “Rosebud,” a word found in dictionaries and instantly crackable.

It’s also reasonable to ask why, if a password can resist being cracked for a century, it would ever need to be changed. First, note that those estimates for crack time make a number of assumptions about how the password is stored. If you use the same password at APIIT Education Group that you use for a poorly secured website or game site, the thief may be able to simply read your password—no cracking necessary. Thus it becomes a balancing act—we require you to change your password periodically based on a reasonable estimate of how long it might take to crack it. While it would be possible to calculate a unique password expiration period for everyone, supporting this (and explaining it) can get complicated. Therefore, our policy will be to require annual password changes for shorter passwords, and biennial changes (every two years) for longer passwords and passphrases.

Second, despite being a violation of policy and best practice, we know from experience that people do occasionally share a password. By periodically requiring the password to change, we effectively reset that decision.

Ultimately, passwords are like stoves, to quote Mark Twain:

We do not remember the exact date of the invention of stoves, but it was some years ago. Since then mankind have been tormented once a year, by the difficulties that beset the task of putting them up, and getting the pipes fixed.5

Going Forward: Password and Passphrase Creation and Maintenance

In summary, LTS is modifying the rules for creating and changing passwords and passphrases. These changes are designed to encourage longer and easier-to-remember passphrases. This represents a significant increase to the protection of campus accounts, systems, and services.

Passphrases are over 14 characters in length and may be formed using only upper- and lowercase characters (a minimum of one of each). These will expire after a period of two years. For technical reasons, no passphrase may be over 30 characters in length. We recommend using a minimum of four unrelated words separated by spaces.

Passwords must be between 10 and 14 characters. Passwords 14 characters or fewer in length will require the usual assortment of at least one character from each character set: digits (0-9), non-alphabetic symbols (!@#$%), uppercase letters (A-Z), and lowercase letters (a-z). Dictionary words and commonly used passwords are also not permitted to be part of the password.

In no case may the user’s username or last password be part of either a password or a passphrase.

The following table summarizes the above rule set.

  Rule                        Password (10 to 14 characters)          Passphrase (15 to 30 characters)
  Character sets required     one each of: digit, symbol,             one uppercase and one lowercase
                              uppercase letter, lowercase letter      letter
  Dictionary / common words   not permitted                           four or more unrelated words,
                                                                      separated by spaces, recommended
  Username or last password   not permitted                           not permitted
  Change required             every year                              every two years
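As an added example (not LTS’s own code) of applying the rule set above mechanically, the Python function below classifies a candidate credential as a password or passphrase by length, checks each stated rule, and reports the change interval the policy assigns to it; the word lists, the username and the sample candidates are constructed placeholders.

```python
import re

# Constructed stand-ins for the blocklists the policy refers to; a real deployment
# would load a full common-password list and a dictionary.
COMMON_PASSWORDS = {"password1!", "welcome123", "qwerty1234", "letmein123"}
DICTIONARY_WORDS = {"rosebud", "password", "welcome", "dragon", "monkey"}

PASSWORD_EXPIRY_DAYS = 365     # annual change for 10-14 character passwords
PASSPHRASE_EXPIRY_DAYS = 730   # biennial change for longer passphrases


def classify(secret, username, last_secret=""):
    """Apply the APIIT rule set; returns kind, ok, expiry_days and a list of errors."""
    errors = []
    lowered = secret.lower()

    # Rules common to both forms: neither the username nor the previous secret
    # may appear anywhere inside the new one.
    if username and username.lower() in lowered:
        errors.append("contains username")
    if last_secret and last_secret.lower() in lowered:
        errors.append("contains previous password")

    n = len(secret)
    if n > 14:
        kind, expiry = "passphrase", PASSPHRASE_EXPIRY_DAYS
        if n > 30:
            errors.append("passphrase longer than 30 characters")
        # Letters alone suffice, but at least one uppercase and one lowercase are required.
        if not (re.search(r"[A-Z]", secret) and re.search(r"[a-z]", secret)):
            errors.append("passphrase needs an uppercase and a lowercase letter")
    else:
        kind, expiry = "password", PASSWORD_EXPIRY_DAYS
        if n < 10:
            errors.append("password shorter than 10 characters")
        for name, pattern in (("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]"),
                              ("uppercase letter", r"[A-Z]"), ("lowercase letter", r"[a-z]")):
            if not re.search(pattern, secret):
                errors.append(f"password needs at least one {name}")
        if lowered in COMMON_PASSWORDS:
            errors.append("password is a commonly used password")
        if any(word in lowered for word in DICTIONARY_WORDS):
            errors.append("password contains a dictionary word")

    return {"kind": kind, "ok": not errors, "expiry_days": expiry, "errors": errors}


if __name__ == "__main__":
    for candidate in ("&xy90UJ!", "rain Spain falls plain", "Tr0ub4dor&3x"):
        print(candidate, classify(candidate, "jdoe"))
```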

Changing your password

One of the largest problems facing institutions that require a periodic password change is assisting individuals who have forgotten their passwords. After all, in order to change your password you need to log in. In order to minimize this burden (to both the community and the LTS Help Desk), we have recently introduced a new method for self-service password reset for individuals who do not know their passwords.

If you fail to change your password and your account is locked, you may unlock your account in one of two ways:

  • Use the self-service password reset tool at https://cas.apiit.edu.my/cas/

  • Visit the Helpdesk (in person) located at Room 10, 6th Floor, Spine, APU Campus or Helpdesk @ Level 3, APIIT Campus (identification card required)

Copyright © Asia Pacific University. All Rights Reserved.