ITD to warn users of unsafe 'U' passwords

By Sam Stavis
Daily Staff Reporter

Responding to the threat of hackers and other online security risks, the University's Information Technology Division will begin a program this month to notify staff and students that their passwords may be vulnerable to electronic attack.

ITD's new program will scan the University's online computer system for passwords that are vulnerable to decryption programs. The number of these passwords is alarmingly high, officials said.

"We're not just blowing smoke here," said Theresa Hofer, editor of ITD's Office of Policy Development and Education. "When we did a preliminary check, a significant percentage of the passwords were found to be vulnerable."

Passwords are considered unsafe if they include personal information or words that can be found in a dictionary.

ITD's password program will alert University faculty and employees later this week that they have unsafe passwords, and students will be warned towards the end of the month. If the warnings are ignored, the user's password will automatically be replaced with a random one.

"Those whose password shows up as being vulnerable are going to get a notice," Hofer said. "If they don't respond to that, there will be another check in two to three weeks. If they haven't changed it by the deadline, it will be reset."

Users whose passwords are reset will have to report to an ITD office with a photo ID to re-establish their account. While this may seem unfair to some, University computer experts emphasized the importance of secure passwords.

"The number one cause of hacking and other security problems is compromised passwords," said Ed Adams, director of unit data systems in the School of Business Administration.

ITD officials said that stolen passwords can cause tremendous damage to both individuals and the University as a whole.

"People can use stolen passwords to do a number of things," said Virginia Rezmierski, director of the ITD Office of Policy Development and Education. "They can steal the identity of someone, and harass or threaten other people. They can get into other people's e-mail and files. A student was dis-enrolled from all of her classes. How would you feel if your name was the one used if a threat was sent to a friend?"

Rezmierski said that during the last few years, more University resources have been stored online, with access being given out to a limited number of people. When one of these users' passwords is stolen, it can result in serious problems for the University. "They are opening the door to the misuse of U of M resources," Rezmierski said.

There are several reasons a password will be considered vulnerable. First, users often choose predictable information - birthdays, addresses, nicknames, and names of pets and family members.

In addition to avoiding personal information, ITD officials recommend that passwords be five or more characters in length, have numbers and punctuation marks mixed in, and include upper- and lower-case letters.

Most important, passwords should not include words that can be found in any dictionary, in any language. Passwords that are composed of a single word are particularly susceptible to attack.

"These are so easily guessable by commonly used crack programs," Rezmierski said.

Even passwords that combine several different words are not safe from attack. "People can do a dictionary attack," Killey said. "It's relatively easy."

Furthermore, hackers looking to gain entry to University accounts don't need to be on campus to do so, Adams said. Hackers are relatively familiar with the University's online system, Kerberos, making it easy for them to crack user-IDs from the relative safety of the Internet.

For the past few years, ITD has tried to increase awareness about password security, but its efforts haven't resulted in the desired effects.

"We're trying to get people to think more about this," Rezmierski said. "People have started to pay more attention, but there are still a large number of individuals on our campus who are using passwords that are too insecure."

ITD's program was supported by the Information Technology Policy and Security Committees.

01-14-98



©1998 The Michigan Daily