[ISN] Password rule change tightens account security

InfoSec News isn at c4i.org
Tue Sep 27 02:10:00 EDT 2005


By Nathaniel Shuda
September 26, 2005 

With technology constantly evolving, regulating access to 
computer-related systems and services with passwords has become 

But if a person uses a simple password, it could be very easy for 
someone to hack into his or her system, especially with the use of 
special programming software designed to seek out patterns in 
passwords, said Chip Eckardt of Learning and Technology Services. 

It is for this reason that LTS, along with the university, will 
require students and faculty to change their passwords to fit criteria 
that will make their accounts less susceptible to intrusion. The 
switch will begin Nov. 1.

More hackers are surfacing all the time, and accounts already have 
been compromised in several cases because of easy access to computer 
accounts, Eckardt said.

"We've even had Mac boxes get hacked," he said. "That's been real 
unusual because ... when you have something like Windows, (which) 
everybody goes after, it's a common target. But we're even seeing 
attacks in areas where we've never seen them before."

The LTS office plans to send three reminder messages via e-mail to 
warn users of the change: one informing all university computer users 
of the change, as well as reminders 10 and three days before current 
passwords expire.

Users who recently have changed their passwords will not have to 
perform the switch until their new passwords expire in a year, Eckardt 

Those who do not change their password by the time it expires will be 
prompted the next time they log in and won't be allowed to connect to 
the system without first changing their password.

If users forget their passwords, Eckardt said, they can visit a Web 
site LTS will create to reset them.

The new requirements, however, have some students worried about 
accessing the university's computer system.

"I think it's a good idea, if you could remember your password," 
freshman Meghan Hamre said. "There's no way I could remember that kind 
of (password), especially eight (characters) long."

Eckardt recommended using a password that has a personal meaning, but 
not something hackers could easily guess.

He said Eau Claire's change precedes a possible UW System-wide 
password policy.

"I know the UW System is looking at passing a statewide policy on 
this, and ours will comply with theirs, but their policy's probably 
not going to hit for another year," he said. "We're trying to be 


Valid passwords will have to meet these minimum requirements:

* Must be at least eight characters in length
* Must contain characters from three of the following four categories: 
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, $, # or %)
* Cannot contain significant portions of the user's account name or 
  full name
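
The three rules above, written as a checker (an added example, not code from the article or from LTS). Two points are assumptions because the article does not define them: a "significant portion" of a name is taken to be any name token of three or more characters, matched case-insensitively, and the fourth category is taken to mean any character that is neither an English letter nor a digit. The account and full names used with it are constructed.

```python
import re
import string

MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3
MIN_NAME_TOKEN = 3  # assumption: the article does not define "significant portions"


def character_categories(password):
    """Return which of the four listed categories appear in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        else:
            # Assumption: fourth category = symbols such as $, # or %,
            # i.e. anything that is neither an English letter nor a digit.
            found.add("symbol")
    return found


def name_tokens(*names):
    """Split names on non-alphanumerics and keep tokens long enough to matter."""
    tokens = set()
    for name in names:
        for tok in re.split(r"[^A-Za-z0-9]+", name):
            if len(tok) >= MIN_NAME_TOKEN:
                tokens.add(tok.lower())
    return tokens


def check_password(password, account_name, full_name):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if len(character_categories(password)) < REQUIRED_CATEGORIES:
        problems.append("categories")
    lowered = password.lower()
    if any(tok in lowered for tok in name_tokens(account_name, full_name)):
        problems.append("name")
    return problems
```

A password such as `JaneDoe#1` meets the length and category rules but is still rejected for the constructed user "Jane Doe", which is the case the third rule exists to catch.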
