The University Record, January 14, 1998

Passwords being tested for vulnerability

By Theresa Hofer
Information Technology Division

A new effort is being launched this month to eliminate vulnerable computer passwords, part of an ongoing campaign to increase the security of U-M's computer networks and data.

"Vulnerable passwords constitute an information security problem for the community as a whole," says Virginia Rezmierski, director of the Information Technology Division's (ITD) Office of Policy Development and Education. "Intruders have used stolen passwords to falsely assume the owner's identity, read the owner's mail, harass others, access files and other University resources permitted to the password owner, and even disenroll students. Therefore, ITSECUR [the Information Technology Security Education and Coordinated University Response Committee], with the unanimous approval and support of the University's Information Technology Policy Committee, has recommended that all passwords be tested for vulnerability."

During winter term, passwords are being checked on the UMICH.EDU Kerberos cell. These are the passwords that most U-M faculty, students and staff use to access their e-mail and other electronic files. The automated test, conducted by an authorized system administrator, will identify passwords that a dictionary-checking program can recognize. This test does not access or compromise the privacy of the users' files.

Passwords for all University employees, including faculty, staff and student employees, will be tested this week. The remaining student passwords will be tested the last week of January. Those whose passwords are identified as vulnerable will receive an e-mail message with instructions on how to change their passwords. Special software installed on the UMICH.EDU Kerberos cell will prevent users who are changing their passwords from selecting another vulnerable password.

Two to three weeks after the first notice, a second test will be run. Those whose vulnerable passwords have not yet been changed will receive a second message with a deadline for changing their passwords. Any passwords that have not been changed by the deadline will be reset. Those password owners will need to take photo ID to an authorized site and get a new password in order to access their accounts.

Rezmierski notes that in a preliminary check of passwords conducted in fall term, many department servers had no vulnerable passwords. "Congratulations to the members of those departments for their care in protecting the security of their systems, data and users," she says. She notes, however, that continued attention is required to ensure that their systems are not at risk from an intruder breaking into the network at another point using someone else's vulnerable password.

Instructions for changing your password and selecting a good password are available through the ITD Information System at http://www.itd.umich.edu/itddoc/. Search for the documents "Password Security," Reference R1192; "QuickNote: Choosing a Safe and Secure Uniqname Password," Reference R1162; or "QuickNote: Your Uniqname and Password," Reference R1136.

An e-mail group has been established to answer questions about password security and related matters. If you have questions or would like to receive printed materials describing good password practices, send an e-mail message to questionspw@umich.edu.


Frequently asked questions about passwords

How are passwords stolen?

Some hackers use tools to help them, such as dictionary programs. A dictionary program (available in English and many other languages) is used to pass every word in the dictionary to a login program in the hope that it will eventually match the correct password. Many dictionary programs are also able to catch simple transformations of words, such as words that are spelled backwards or have a number added to the beginning or the end.

Users frequently choose very predictable passwords: their names, addresses, birth dates, phone numbers or Social Security numbers; the names of their family members, friends or pets; the names of favorite artists, authors or sports figures. Therefore, many hackers simply guess a few dozen of the most common password choices; all too often, they hit a match.
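The two answers above describe what a dictionary program looks for: plain dictionary words, the same words reversed or with a number added at the beginning or end, and predictable personal details. The following is an added example of the defensive counterpart, a proactive checker of the kind the article says is installed on the Kerberos cell to stop users from picking another vulnerable password. It is not ITD's software and not code from the article; the function names, the small embedded wordlist and the eight-character minimum are assumptions made for this illustration.

```python
import re

# Constructed sample wordlist for the demonstration; a real checker would
# load full dictionaries (English and other languages), as the FAQ notes.
WORDLIST = {"password", "wolverine", "michigan", "secret", "letmein", "football"}

MIN_LENGTH = 8  # assumed policy value; the article states no minimum


def base_candidates(password):
    """Undo the simple transformations a dictionary program tries, so that a
    set lookup against the wordlist catches them: case changes, a number
    added at the beginning or end, and reversed spelling."""
    p = password.lower()
    variants = {
        p,
        re.sub(r"^\d+", "", p),         # "42secret"  -> "secret"
        re.sub(r"\d+$", "", p),         # "secret7"   -> "secret"
        re.sub(r"^\d+|\d+$", "", p),    # "9secret9"  -> "secret"
    }
    variants |= {v[::-1] for v in list(variants)}  # "terces" -> "secret"
    return {v for v in variants if v}


def check_password(password, wordlist=WORDLIST, personal_tokens=()):
    """Return (accepted, reason).

    personal_tokens are strings already known about the user (uniqname,
    surname, birth year, phone number); the FAQ lists these as the most
    common predictable choices, so any password containing one is rejected.
    """
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    lowered = password.lower()
    for token in personal_tokens:
        t = token.lower()
        if len(t) >= 3 and t in lowered:
            return False, f"contains personal information ({token!r})"
    hits = base_candidates(password) & wordlist
    if hits:
        return False, f"derived from dictionary word {sorted(hits)[0]!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample choices; "jsmith" and "1982" stand in for a user's
    # uniqname and birth year.
    for pw in ["wolverine", "enirevlow", "Michigan7", "42secret",
               "jsmith1982", "Tr0ub4dor&3xq"]:
        print(f"{pw:15} {check_password(pw, personal_tokens=('jsmith', '1982'))}")
```

Because the checker normalizes the candidate password and then does set lookups, it costs the same for any size of wordlist, which is what makes it practical to run at password-change time rather than only in a periodic sweep. A deployment would replace the constructed wordlist with the same dictionaries the audit uses, so that anything the audit would flag is refused up front.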

But can't a determined hacker break into a system anyway?

True, with sufficient time and computing power, a determined hacker can try every combination and eventually break into a system. But most hackers are like thieves who try the front doors of houses. If the door is locked, they move on to the next door. But if the door is unlocked, they walk in and see what damage they can do.

I don't have access to sensitive information. Why should I care about password security?

If someone guesses or steals your password, he or she will have access to your files, your e-mail, your computing funds, your personal information and more. The intruder will be able to modify or delete your files, send e-mail threats in your name, or subscribe to unwanted services for which you may have to pay. A knowledgeable intruder also can use your account as a stepping stone to gain access to other accounts and systems, increasing the likelihood that they will do further damage.

How much damage can a person really do with just a stolen password? Here are a few actual incidents that have occurred at universities using stolen passwords:

  • One intruder used a stolen password to read the e-mail messages of the password owner, send "mail bombs" to flood and disable the mail services of other people, and disenroll the password owner from all her classes.
  • Another intruder used a stolen password to read his manager's e-mail and send a message with false information to all the staff under the manager's name, causing confusion and anger in the staff.
  • A third intruder used a stolen password to send an extremely racist e-mail message in the password owner's name to thousands of people on the Internet. Recipients, thinking the message was sent by the password owner, flooded his e-mail box with angry and threatening responses. The university had to manage hundreds of contacts from state and national legislators, news reporters and civil rights groups.