Silas Vieira
June 6, 2019
Passwords have been a thing of nightmares ever since they were invented. We have all been through it – you have to create a new login somewhere, you think of a neat username, you create a super complex password and then you walk away. A week goes by and you try to log in again, only to realize that you forgot your super complex password, not to mention the pesky username. Even if you are lucky enough to remember the password for more than a week, you will be prompted to change it again in six months.
A more intricate password (longer and more complex) simply means that it is harder to guess, whether that be by a person or by a password-cracking machine. As we all know, however, complex and long passwords are significantly harder to remember. To simplify the process, the idea of “passphrases” quickly caught on.
Passphrases are simple and easy to remember. Instead of constructing a random password with jumbled characters, the idea is to pick a phrase that you can remember and that is unique to you. After you have your phrase picked out, you turn it into a password by using the initials (if it’s at least 12 characters long). For example, “I was born in Kansas City in 1980 into the Smith family” turns into IwbiKCi1980itSf. Throw in some symbols for additional length and complexity, and you’ve really got something special: $@IwBiKCi1980itSf@$. Keep in mind that the longer the password is, the better it is.
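The initials rule above, written out as a small Python function so the transformation and the 12-character check can be applied consistently. This is an added example, not code from the Information Security Office; the rule that a run of digits (such as a year) is kept whole, the punctuation stripping, and the `wrap` parameter are assumptions drawn from the post's own example.

```python
MIN_LENGTH = 12  # the post's stated minimum length for the initials-based password


def passphrase_to_password(phrase: str, wrap: str = "") -> str:
    """Build a password from a memorable phrase the way the post describes.

    For each word keep its first character (case preserved); a word made only
    of digits, such as a year, is kept whole (assumption based on the post's
    example). The result is optionally wrapped in symbols, mirrored on the
    right-hand side, so wrap="$@" yields "$@...@$".
    """
    parts = []
    for word in phrase.split():
        token = word.strip(".,;:!?'\"")  # ignore punctuation glued to a word
        if not token:
            continue
        parts.append(token if token.isdigit() else token[0])
    core = "".join(parts)
    return f"{wrap}{core}{wrap[::-1]}"


def is_long_enough(password: str) -> bool:
    """True when the generated password meets the post's 12-character minimum."""
    return len(password) >= MIN_LENGTH


if __name__ == "__main__":
    # Constructed inputs: the post's own phrase and a phrase that is too short.
    for phrase in ("I was born in Kansas City in 1980 into the Smith family",
                   "My dog is Rex"):
        pw = passphrase_to_password(phrase, wrap="$@")
        status = "ok" if is_long_enough(pw) else "too short, pick a longer phrase"
        print(f"{phrase!r} -> {pw} ({status})")
```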
If you have ever had an email account stolen, had your social media taken over or had a neighbor break into your Wi-Fi, you already know why periodic password changes matter. Having a complex password is great for preventing someone from discovering it in the first place, but it will not do much if it is already compromised. Password change policies are important to prevent unauthorized use of your password without your knowledge.
It is usually of no interest to a hacker to change your password once they have obtained it, as this would alert you and presumably the authorities. This means that if your password has been compromised at any point, you likely will not notice, since the hackers are trying to stay under the radar. By forcing a periodic password change, we can immediately invalidate any passwords that attackers may have – effectively ending any ongoing attacks or preventing them from happening in the first place.
Now, you may be saying to yourself, “I do not do anything that would get my password compromised, so this does not apply to me.” Unfortunately, it does. Hackers and social engineers now have extensive capabilities, allowing plenty of avenues for them to take your password – even if you are very careful.
The password cycle will end eventually. Companies like Microsoft and Cisco are paving the way to a password-free world through research into password-replacing technology.
Until then, the Information Security Office is leading UTD’s charge in password policy management. We have recently decreased the frequency of password resets from 180 to 365 days because research indicates minimal benefit from a period shorter than 365 days. We have also implemented NetIDplus two-factor authentication powered by Duo, which provides an additional layer of security by prompting you whenever someone attempts to log in with your credentials.
In summary, we agree that passwords are a pain, but we also know they are essential for minimizing risk on campus. Until passwords are gone for good, any policies we enact are simply to help keep you and UTD safe.
If you are interested in becoming an advocate for a password-free UTD campus, or need more information about passwords, please contact the Information Security Office at infosecurity@utdallas.edu.