What's all the fuss about passwords?
Not really so much 'fuss' as it is protection for you... yes, you! Previously,
we used to have different user IDs and passwords for nearly every system
you needed to log into. This meant that a typical student might need to
remember as many as five different IDs and passwords. A typical faculty
member may need to remember even more. Of course, this is in addition
to your personal IDs, PINs and passwords that float around in your brain.
We worked hard to implement a single sign-on feature
for most of the systems you need to access. The single sign-on feature
allows you to log on one time, with one ID and password, then be able
to get to all of the resources you need without signing on again. You
need only remember one ID and password set.
Simple, right? Well, that solves one problem, but creates another. The
problem created is, now that you need only one ID and password to get
into all your resources (email, calendar, schedules, grades, personal
information), a person knowing your password has access to all of them
as well. For example, someone knowing your ID and password can access
all of the private information, about you, that you have access to. If
they can get into your email mailbox, they can read your mail or even
worse, send one. What if someone sent a malicious or threatening email
from your account? Guess who the authorities would look for!
Another complication is FERPA. The Family Educational Rights and Privacy
Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law
that protects the privacy of student education records. The law applies
to all schools that receive funds under an applicable program of the U.S.
Department of Education. We must demonstrate that we have taken reasonable
measures to ensure compliance with FERPA provisions. Single sign-on could
compromise that if we did not also provide reasonable complexity to our
password system.
What is the RVCC policy?
The RVCC policy is to require password changes every 120 days. This means
that a typical student will likely change their password twice in a semester.
According to experts, that's really not too often, given the sophistication
of today's password cracking tools. You will receive a notification when
the date is within seven days of a required change. If you get a warning
notice sooner than that, please contact the Help
Desk. You can choose to change your password upon notification or wait
until the last day. On the last day, you will be required to change it
or the system will not allow you to complete the log in. It is also a
requirement that you not share your password with anyone for any reason.
If you are asked for your password or to share it, "Just say NO!"
MIS staff will never request your password. MIS staff do not have access
to your password, nor can they see it. If you forget your password, the
MIS Help Desk can reset it for you. On your first log in after it is reset,
you will be required by the system to change it to one of your choosing.
Why do we require eight-character passwords?
Using a very fast computer, passwords six characters or less can be matched
in less than two days. Seven-character passwords can be matched in four
months. By the time an eight-character password could be cracked, you
should have changed the password to a new eight-letter string, thereby
protecting your account.
Why must it be so complex?
In addition to the eight characters, we require a specific level of complexity.
This tends to thwart those who try to guess our passwords. A typical user
will make the password something familiar so they can remember it. They
use a family member's name, a pet's name, a birth date or the make/model
of their car, for example. Someone wanting to break your password needs
only know a little about you to get a wide range of possibilities. The
complexity we use tends to prevent these types of passwords from being
used or adds complexity to them so, even if someone knows you very well,
they would not guess the password easily. The complexities we use are
as follows:
- The password cannot be one you have used within the past three password
  changes. This prevents you from recycling your password too soon, thereby
  compromising your security.
- You must wait three days before you can change your password again once
  it has been changed.
- The password must be at least 8 characters, but not more than 14. Obviously,
  if it would take four months to match a 7 character password, it would
  take years to break one with 14 characters.
- The password must have at least an upper case character (ABC...XYZ), a
  lower case letter (abc...xyz), and a numeric digit (0123456789). You can
  optionally add a symbol (!@$%^*()-_+={}[]<>).
- By adding these, you can even make your dog's name difficult to guess.
  For example, R0v3Ris#1 (Rover is No. 1). This example substitutes a zero
  for the letter 'O' and a '3' for the letter 'E'. It uses upper case for
  the beginning and ending of the name, adds the # symbol and the number '1'.
  The embedded word 'is' makes it more of a phrase to make it easier for
  you to remember.
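
The rules listed above, together with the 120-day change and seven-day notification from the policy section, can be checked in code as follows. This is an added example, not RVCC's own system: the function names are hypothetical, and storing password history as salted PBKDF2 digests is an assumption chosen so that old passwords are never kept in readable form.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN = 8, 14         # length bounds from the list above
HISTORY_DEPTH = 3                # past three passwords cannot be reused
MIN_AGE = timedelta(days=3)      # wait between changes
MAX_AGE = timedelta(days=120)    # required change interval
WARN_WINDOW = timedelta(days=7)  # notification lead time

def hash_password(password, salt=None):
    """Return (salt, digest). History keeps these, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def in_history(password, history):
    """True if password matches one of the last HISTORY_DEPTH entries."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history[-HISTORY_DEPTH:])

def check_change(password, history, last_changed, now):
    """Return the list of rules a proposed new password breaks."""
    problems = []
    if now - last_changed < MIN_AGE:
        problems.append("changed less than three days ago")
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("must be 8 to 14 characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an upper case letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a numeric digit")
    if in_history(password, history):
        problems.append("used within the past three changes")
    return problems

def expiry_status(last_changed, now):
    """Return 'expired', 'warn' (seven days or less left) or 'ok'."""
    age = now - last_changed
    if age >= MAX_AGE:
        return "expired"
    return "warn" if MAX_AGE - age <= WARN_WINDOW else "ok"

if __name__ == "__main__":  # constructed sample data
    old = [hash_password(p) for p in ("Spr1ngTerm", "R0v3Ris#1")]
    print(check_change("R0v3Ris#1", old, datetime(2024, 2, 1), datetime(2024, 3, 1)))
```

An empty list from `check_change` means the new password is accepted; each string in a non-empty list names one rule that was broken.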
We sincerely hope this information was useful to
you and has given you some insight as to why we have set up the password
mechanisms that are now in place. You may want to carry some of these ideas
into your home computing as well. Many people are now using their home computers
to manage their finances, personal businesses, and other confidential information.
The hackers are out there spending 24 hours a day trying to get access to
that information so they can steal it and use it for financial gain or other
reasons. Don't make it easy for them to do so.
Some helpful links
To give you some tips on creating memorable passwords, try this link:
http://www.raritanval.edu/MIS/FAQ/RVCC_Password_Tips_FAQ.htm
You can also go to the Google website at www.google.com
and type in 'password complexity'. You will find a wide variety of tips
for creating passwords. As always, if you need assistance or have questions
regarding passwords or changing passwords, please contact the MIS Help Desk.