Issue 32, Winter 2005
by Larry Gilbert
Having passwords that are easy to ‘crack’ is one of the biggest threats to our individual and collective computer privacy. The Academic Technology Committee has responded to this problem by recommending implementation of the following policy:
“Whereas the ATC recognizes the security risk to campus computer systems posed by the widespread use of easily crackable passwords, the committee supports and recommends to the faculty senate a policy of password hardening and the implementation of that policy as soon as practical by Information Technology Services.”
What’s Password ‘Hardening?’
‘Hardening’ of passwords simply means using passwords that are more difficult for others to guess, forge, or figure out. Many of the rules for hardening are simply common sense:
- Don’t repeat your user ID as your password
- Don’t use the word ‘password’ as your password
- Don’t use parts of your name or family names
- Don’t use words easily associated with Western (e.g. Vikings, Old Main)
- Don’t use personal information such as birthdays, phone numbers, addresses
Due to the power of computer-driven password ‘cracking’ programs used by hackers, it’s also necessary to create passwords so that there is:
- No use of any written dictionary word in any language
- Some combination of lower case, upper case, numbers, or symbols
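The rules above can be expressed as an automated check. The following is an added example, not code from the article or from Western's password change site. The word lists, the function names, and the threshold of three character classes are assumptions made for illustration (the article only says "some combination").

```python
import re

# Constructed sample lists (assumptions): a real checker would load full
# multi-language dictionaries and a campus-specific word list.
DICTIONARY = {"dragon", "monkey", "sunshine", "bonjour", "schule"}
CAMPUS_WORDS = {"vikings", "oldmain", "western"}
MIN_CLASSES = 3  # assumption: the article only says "some combination"
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

def letters(text):
    """Lower-case and keep letters only, so 'Old Main!' compares equal to 'oldmain'."""
    return re.sub(r"[^a-z]", "", text.lower())

def personal_tokens(items):
    """Split birthdays, phone numbers and addresses into comparable pieces."""
    out = []
    for item in items:
        out += re.findall(r"[a-z0-9]+", item.lower())
        out.append(re.sub(r"\D", "", item))  # '555-0100' -> '5550100'
    return out

def contains_any(haystack, words, min_len=4):
    """True if any word of at least min_len characters occurs inside haystack."""
    return any(len(w) >= min_len and w in haystack for w in words)

def check_password(password, user_id, names=(), personal=()):
    """Return the hardening rules the candidate violates (empty list = accepted)."""
    low, alpha = password.lower(), letters(password)
    problems = []
    if user_id and user_id.lower() in low:
        problems.append("contains user ID")
    if "password" in alpha:
        problems.append("contains the word 'password'")
    if contains_any(alpha, [letters(n) for n in names], min_len=3):
        problems.append("contains part of a name")
    if contains_any(alpha, CAMPUS_WORDS):
        problems.append("contains a Western-associated word")
    if contains_any(low, personal_tokens(personal)):
        problems.append("contains personal information")
    if contains_any(alpha, DICTIONARY):
        problems.append("contains a dictionary word")
    if sum(bool(re.search(c, password)) for c in CLASSES) < MIN_CLASSES:
        problems.append("too few character classes")
    return problems
```

Stripping non-letters before comparing means a candidate such as "Vikings2005!" is still rejected even though it mixes all four character classes.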
How Will the Policy Be Implemented?
The easy-to-use procedure will be as follows:
- Sometime between March 1 and May 15, 2005 you will receive an email informing you that your password must be hardened. The emails will be sent to select groups of users on a weekly basis (about 1/10th of all network users at a time).
- The message will direct you to go to Western’s web-based password change site.
- At the website, you will enter your Western W# and PIN and then enter a new hardened password. Instructions will be provided at the site to guide you through this process.
- When you submit your password, it will be evaluated to ensure it meets Western’s password hardening rules.
- You will be immediately notified on the web page when your password meets the rules for hardening.
- If you forget to go to the site and change your password, a reminder will be sent to you about one week later.
Commonly Asked Questions
I think I’ve already hardened my password. Do I have to do it again? Yes, the only way to ensure all passwords on campus are hardened is for everyone to go through the password change process when notified. You can, however, enter the same password you’re currently using to see if it meets the hardening criteria.
Isn’t it hard to create a password that doesn’t violate the rules? It can be difficult at first, but a few simple guidelines at the password change site will guide you through the process. The biggest adjustment for many is the requirement to use some combination of upper case letters, lower case letters, numbers, and symbols.
Can’t I go to the password change site and harden my password now? You can, but you will still be required to go to the site and change it when you are sent a notice between March 1 and May 1. That’s because tracking use of the password change site during this two-month period is the only way we can tell that you’ve hardened your password.
I’m not concerned about my personal computer’s security. Why do I need to change my password? Network security is such that a single weak link can jeopardize the security of all. Many viruses and computer ‘hacks’ search every machine on a network for even a single vulnerability. Therefore, no one is protected unless everyone is secure.
What accounts are affected by the password hardening? This process hardens passwords for all WWU Universal Accounts. That means Novell network accounts, Outlook email accounts, Blackboard accounts, and Titan accounts. An advantage is that the process automatically creates the same hardened password for all of the above accounts through one simple process.
We’ve made great strides over the last few years in protecting our network and your data from malicious attack. If we work together to protect our accounts with secure passwords, we’ll go a long way toward maintaining that high level of security.