The University Record, January 14, 1998
By Theresa Hofer
Information Technology Division
A new effort is being launched this month to eliminate vulnerable computer passwords, part of an ongoing campaign to increase the security of U-M's computer networks and data.
"Vulnerable passwords constitute an information security problem for the community as a whole," says Virginia Rezmierski, director of the Information Technology Division's (ITD) Office of Policy Development and Education. "Intruders have used stolen passwords to falsely assume the owner's identity, read the owner's mail, harass others, access files and other University resources permitted to the password owner, and even disenroll students. Therefore, ITSECUR [the Information Technology Security Education and Coordinated University Response Committee], with the unanimous approval and support of the University's Information Technology Policy Committee, has recommended that all passwords be tested for vulnerability."
During winter term, passwords are being checked on the UMICH.EDU Kerberos cell. These are the passwords that most U-M faculty, students and staff use to access their e-mail and other electronic files. The automated test, conducted by an authorized system administrator, will identify passwords that can be recognized by a dictionary checking software program. This test does not access or compromise the privacy of the users' files.
Passwords for all University employees, including faculty, staff and student employees, will be tested this week. The remaining student passwords will be tested the last week of January. Those whose passwords are identified as vulnerable will receive an e-mail message with instructions on how to change their passwords. Special software installed on the UMICH.EDU Kerberos cell will prevent users who are changing their passwords from selecting another vulnerable password.
Two to three weeks after the first notice, a second test will be run. Those whose vulnerable passwords have not yet been changed will receive a second message with a deadline for changing their passwords. Any passwords that have not been changed by the deadline will be reset. Those password owners will need to take photo ID to an authorized site and get a new password in order to access their accounts.
Rezmierski notes that in a preliminary check of passwords conducted in fall term, many department servers had no vulnerable passwords. "Congratulations to the members of those departments for their care in protecting the security of their systems, data and users," she says. She notes, however, that continued attention is required to ensure that their systems are not at risk from an intruder breaking into the network at another point using someone else's vulnerable password.
Instructions for changing your password and selecting a good password are available through the ITD Information System at http://www.itd.umich.edu/itddoc/. Search for the documents "Password Security," Reference R1192; "QuickNote: Choosing a Safe and Secure Uniqname Password," Reference R1162; or "QuickNote: Your Uniqname and Password," Reference R1136.
An e-mail group has been established to answer questions about password security and related matters. If you have questions or would like to receive printed materials describing good password practices, send an e-mail message to email@example.com.
How are passwords stolen?
Some hackers use tools to help them, such as dictionary programs. A dictionary program (available in English and many other languages) is used to pass every word in the dictionary to a login program in the hope that it will eventually match the correct password. Many dictionary programs are also able to catch simple transformations of words, such as words that are spelled backwards or have a number added to the beginning or the end.
Users frequently choose very predictable passwords: their names, addresses, birth dates, phone numbers or Social Security numbers; the names of their family members, friends or pets; the names of favorite artists, authors or sports figures. Therefore, many hackers simply guess a few dozen of the most common password choices; all too often, they hit a match.
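To make the two preceding paragraphs concrete, here is an added Python example (written for this page, not ITD's screening software or any code from the article) that flags a candidate password for the same reasons a dictionary program would recover it: it appears in a word list, it is a word spelled backwards, it is a word with digits added at the beginning or end, or it is a personal detail the account holder is likely to choose. The word list, the personal details and the minimum-length rule are all constructed or assumed for the example; the article itself states no minimum length.

```python
"""Dictionary-style password vulnerability check (added example).

Rejects candidates that a dictionary program would recover: words from a
word list, the same words reversed, and words with a run of digits added
at the start or end, plus personal details the account holder might pick.
"""
import string

# Constructed stand-in for a dictionary file; a real checker would load a
# system word list (and lists for other languages) instead of this set.
WORDLIST = {"password", "wolverine", "michigan", "secret", "summer",
            "letmein", "football"}

# Constructed personal details for a hypothetical account holder: names,
# a pet, a birth year and a (fake, 555-prefixed) phone number.
PERSONAL_DETAILS = ["Pat", "Doe", "Rover", "1975", "5551234567"]

MIN_LENGTH = 8  # assumption for the example; the article gives no minimum


def transformations(password):
    """Return the forms a dictionary program would also try for this
    candidate: lower-cased, reversed, and both of those with leading or
    trailing digits stripped. Empty strings are dropped."""
    base = password.lower()
    stripped = base.strip(string.digits)
    forms = {base, base[::-1], stripped, stripped[::-1]}
    return {form for form in forms if form}


def vulnerabilities(password, wordlist=WORDLIST, personal=PERSONAL_DETAILS):
    """Return the list of reasons the password would be flagged as
    vulnerable. An empty list means it passed every check."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    personal_lower = {detail.lower() for detail in personal}
    for form in sorted(transformations(password)):
        if form in wordlist:
            reasons.append(
                f"dictionary word (or simple transformation of one): {form!r}")
        if form in personal_lower:
            reasons.append(f"personal detail: {form!r}")
    if password.isdigit():
        reasons.append("digits only (looks like a date, phone or ID number)")
    return reasons


def is_acceptable(password, **kwargs):
    """True when the candidate survives every check above."""
    return not vulnerabilities(password, **kwargs)


if __name__ == "__main__":
    # Constructed candidates: the first five are exactly the kinds of choice
    # the article warns about; the last one passes.
    for candidate in ["wolverine", "enirevlow1", "Michigan99",
                      "5551234567", "Rover", "c0rrect-h0rse!"]:
        print(f"{candidate!r:18} -> {vulnerabilities(candidate) or 'ok'}")
```

The checker runs on the candidate only at password-change time, which is the point at which the article says ITD's software intervenes; the same `transformations` step is what lets it catch "enirevlow1" (a reversed word with a digit appended) and not just "wolverine" itself.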
But can't a determined hacker break into a system anyway?
True, with sufficient time and computing power, a determined hacker can try every combination and eventually break into a system. But most hackers are like thieves who try the front doors of houses. If the door is locked, they move on to the next door. But if the door is unlocked, they walk in and see what damage they can do.
I don't have access to sensitive information. Why should I care about password security?
If someone guesses or steals your password, he or she will have access to your files, your e-mail, your computing funds, your personal information and more. The intruder will be able to modify or delete your files, send e-mail threats in your name, or subscribe to unwanted services for which you may have to pay. A knowledgeable intruder also can use your account as a stepping stone to gain access to other accounts and systems, increasing the likelihood of further damage.
How much damage can a person really do with just a stolen password? Here are a few actual incidents that have occurred at universities using stolen passwords: