UTS Password/Passcode Policy

Your password/passcode is the primary mechanism for assuring the privacy of your computing activity and preventing others from using your computer account for disruptive, offensive, or illegal activities. Passwords address our primary concern: maintaining the integrity of your account while protecting the University's computer environment, as well as you, from abuse. This statement of policy is meant to clarify our reasoning and our methods for governing passwords, describe some procedures that University Technology Services has instituted to help you protect your computing account from unauthorized use, and suggest good practices.

Please note that specific numbers in the following discussion may change in the future.

Background

Having a login and passcode gives you access to a number of powerful services, including electronic mail, university-maintained programs like WebMail, and personal and institutional Web sites. These services are attractive to unscrupulous persons who would like to have free access for activities such as sending large batches of unsolicited e-mail (commonly referred to as spam), illegally distributing pirated software, pornography, or lists of stolen login/password pairs, running programs to "crack" passwords, or disrupting computer and network operations both here and at other sites.

These are not events that "might possibly happen someday." At one time or another, they have all happened at the University of Denver. Dealing with security incidents like these consumes considerable staff time and can disrupt computing and network services for everyone in the University of Denver community. Preventing these events is everyone's responsibility.

Basic Security Precautions

Your password is the primary barrier that keeps your computer account from being used for unauthorized activities. Because of this, we have taken many steps to protect passwords on Agora:

  • Only encrypted versions of passwords are stored. For example, the password "zap" might be stored as "7riMWK4Grkm9w". Passwords are authenticated by encrypting them and comparing the result with the encrypted version.
  • Password encryption is irreversible: the unencrypted password cannot be obtained directly from the encrypted version. If you forget your password, there's no way other than guessing to determine what it was. For you to regain access to your account, a system administrator will have to assign a new password. Your permission as well as proof of identification is always required.
  • Encrypted passwords are "hidden" and can only be accessed by privileged computer accounts.
  • Password authentication failures are monitored. A failed login results in a delay until a retry is allowed. This protects the machine from programs that "hammer" the login sequence with a known username and a randomly generated alphanumeric password until a match is found. After consecutive authentication failures, accounts cannot be used until there have been no authentication failures for a given time period or until an administrator resets your passcode.
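As an added example (not Agora's or UTS's code), here is how a system can store only a one-way, salted hash of a password, verify a login by hashing the candidate and comparing, and enforce the retry delay and consecutive-failure lockout described above. It uses salted PBKDF2 rather than the legacy crypt format of the "7riMWK4Grkm9w" example; the delay, failure threshold and lockout window are constructed values, not UTS's actual settings.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example, not UTS's actual settings.
ITERATIONS = 100_000      # PBKDF2 work factor
RETRY_DELAY = 3.0         # seconds a failed login blocks the next attempt
MAX_FAILURES = 5          # consecutive failures that lock the account
LOCKOUT_WINDOW = 900.0    # lock clears after this long with no new failures


def hash_password(password, salt=None):
    """Store only 'salt$hash'; the plaintext is never written anywhere."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-hash the candidate with the stored salt; compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


class Account:
    def __init__(self, password):
        self.stored = hash_password(password)
        self.failures = 0           # consecutive failures so far
        self.last_failure = 0.0     # time of the most recent failure
        self.next_allowed = 0.0     # earliest time another attempt is accepted

    def is_locked(self, now):
        return self.failures >= MAX_FAILURES and now - self.last_failure < LOCKOUT_WINDOW

    def login_attempt(self, password, now):
        """Return 'ok', 'bad', 'wait' (retry delay) or 'locked'."""
        if self.is_locked(now):
            return "locked"
        if now < self.next_allowed:
            return "wait"
        if now - self.last_failure >= LOCKOUT_WINDOW:
            self.failures = 0       # quiet period elapsed, counter resets
        if verify_password(password, self.stored):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.last_failure = now
        self.next_allowed = now + RETRY_DELAY
        return "bad"
```

An administrator reset is simply storing a fresh hash_password() result and zeroing the failure counter; the forgotten password itself cannot be recovered from the stored string.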

In spite of these precautions, people who want access to a computer can often obtain passwords in a number of different ways:

  • They can guess. Some common things people are likely to try are: your name, names of close relatives or pets, your login, Social Security Numbers, license plate numbers, and birth dates. Before stricter rules for selecting passwords became common, guessing was by far the most common way to obtain unauthorized access to computer accounts.
  • They can ask. You are the only person who needs to know your password. Don't tell anyone else. University Technology Services never initiates calls to ask for passwords/passcodes. The only instance where UTS might possibly need your password is to investigate a login problem you report yourself.
  • They can spy. They can watch you type passwords in public computing labs. Someone with a password like "123456" is particularly vulnerable to the casual observer.
  • They can crack. Programs that encrypt dictionary words and other "easy-to-guess" passwords and compare them with encrypted passwords are readily available on the Internet. Someone who obtains a list of logins and encrypted passwords can use one of these programs to guess passwords.

Passcode Expiration

All passcodes are set to expire after 6 months. This unpopular but necessary restriction partially addresses two issues. Because their owners are unlikely to notice unusual activities, infrequently used computer accounts are particularly susceptible to attack. Expiring passwords forces the account owner to periodically perform some amount of activity. Passcode expirations also help to limit the length of time an active computer account can be subjected to unauthorized use. If an active computer account is compromised, it won't remain compromised forever because its owner will have to change the password.

Passcode Restrictions

New passcodes are subject to a variety of restrictions designed to prevent accounts from being compromised or, if they are compromised, to limit the time they remain so.

  • Passcodes must be at least 8 characters long and may be no longer than 22 characters.
  • Passcodes must contain a letter and a digit.

Suggestions for Passwords

A good password is easy for its owner to remember and difficult for anyone else to guess.

  • Good passwords are combinations of letters, numbers, and special characters. However, please keep in mind that the special characters %, *, ", ', \, (, ), { and } are known to be problematic for WebMail.
  • Passwords are case-sensitive: the passwords WHATEVERHAPPENS, whateverhappens, and WhatEverHappens are different. Mixed-case passwords are more difficult to guess than passwords that are entirely uppercase or entirely lowercase.
  • One strategy for creating acceptable passwords is to join two words together, or, better, to join two separate words with a special character. For example, Denver!Broncos would be an easy password for a Broncos fan to remember.
  • You can increase the security of passwords by replacing letters with numbers or special characters. For example, Denver!Br0nc0s, D3nv3r!8roncos or Den^er!Broncos would be almost as easy to remember as Denver!Broncos, but considerably more difficult to guess.
  • Another strategy is to join together the first letters of a phrase or sentence. For example, the obscure-looking password 4sa7yaof was created from "Four score and seven years ago, our fathers".
  • Avoid passwords like names, telephone numbers, birth dates and Social Security Numbers.
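Added example (not a UTS tool): a checker for the restrictions above (8 to 22 characters, a letter and a digit), the WebMail-problematic characters, and the advice to avoid names, logins, dates and numbers, plus the phrase-initials strategy that turns "Four score and seven years ago, our fathers" into 4sa7yaof. The login and personal-information screening and the digit-run heuristic are this example's own assumptions, not stated policy.

```python
import re

MIN_LEN, MAX_LEN = 8, 22                   # limits stated in the policy
WEBMAIL_PROBLEM_CHARS = set('%*"\'\\(){}')   # characters the policy says break WebMail
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def check_passcode(passcode, login="", personal=()):
    """Return the policy problems found; an empty list means acceptable.

    login and personal (names, pets, plates, dates...) are the caller's
    values to screen against; the digit-run heuristic is this example's own.
    """
    problems = []
    if not MIN_LEN <= len(passcode) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    if not any(c.isalpha() for c in passcode):
        problems.append("must contain a letter")
    if not any(c.isdigit() for c in passcode):
        problems.append("must contain a digit")
    bad = sorted(WEBMAIL_PROBLEM_CHARS & set(passcode))
    if bad:
        problems.append("contains WebMail-problematic characters: " + " ".join(bad))
    lowered = passcode.lower()
    if login and login.lower() in lowered:
        problems.append("must not contain your login")
    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"must not contain personal information ({item})")
    if re.search(r"\d{6,}", passcode):
        problems.append("digit run looks like a phone number, date or SSN")
    return problems


def phrase_initials(phrase):
    """The policy's phrase strategy: first letter of each word, with number
    words becoming digits, so 'Four score and seven years ago, our fathers' -> 4sa7yaof."""
    out = []
    for word in phrase.split():
        word = word.strip(",.;:!?\"'").lower()
        if not word:
            continue
        out.append(NUMBER_WORDS.get(word, word[0]))
    return "".join(out)
```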

Password requirements are meant to help us provide a computing environment that is both available and secure. For our increasingly vital computer operations, these are key features.

Changing Passcodes

To change your passcode, log into webCentral, click the 'my account' icon, then the 'Passcode' tab and follow the instructions. This interface is especially desirable because your old and new passwords are encrypted before being transmitted over the Internet.