Category: Computer and Network Security

Change is in the Air: ITS' Password Change Initiative

By Tracey Losco


Using strong passwords and changing them regularly helps safeguard your privacy and identity. As part of an ongoing effort to improve computer security at the University, you must now change the password you use with your NYU NetID (to access NYUHome and other applications) at least once every six months.

More and more of NYU's services, including student grades, registration, and staff pay stubs, are being made available through NYUHome as a convenience to you. By formally implementing this computer security practice, NYU is helping to better protect your personal information, University data, and the range of services available through NYUHome.

Changing your password before it expires will ensure uninterrupted access not only to NYUHome but also to NYU email, dial-up, NYURoam wireless, proxy, and other restricted-access services, as well as any applications you might be using that, like Oracle Workflow, require central NYU NetID authentication. The password-changing rule also affects you if you are using an email client like Eudora or Outlook to check your NYU mail. You will need to change your password at least every six months for continued access to these services.

Reminders and Help

ITS will notify you by email when your password is due to expire, and include instructions on how to change it (they're also available at the end of this article). You will receive three email messages: first, three weeks before your password's expiration date, then one week before, and finally one day before it is set to expire. At these same intervals (three weeks, one week, one day), reminders will be displayed in the "splash" channel of NYUHome, at the top right corner of your main NYUHome screen.

If you change your password before the expiration date, you won't receive any further reminders until it's time to change your password again. If you change your password more frequently than the six-month interval, you will avoid these notices altogether! If you do not change your password by the deadline, however, it will expire, cutting off your access to the valued services mentioned earlier, until you set a new, strong password.

Strong Passwords, Regularly Changed: Why?

At NYU and elsewhere, attempts to break into individuals' computers or into accounts on shared computers are more common than most people realize. While hackers use many different methods, password attacks are the most common. These include the use of password-cracking programs, which run through all the words in the dictionary in an attempt to guess your password. If you are using a password that is a dictionary word, then it is likely to be cracked very quickly by this type of program.

The longer you use the same password, even if it's a strong one (difficult to hack), the more vulnerable it is. The longer you have it, and the more places you use it, the greater the chance that one of those systems will be hacked and your password cracked or exposed. In addition, someone close to you could guess it, or inadvertently have access to it. If that person later becomes untrustworthy (for example, an ex-spouse or ex-friend), their knowledge of your password becomes a risk. Regular password changes prevent a mistake from a year ago causing a compromise today. Since the number of key services that are available through NYUHome or otherwise rely on NetID/password authentication has increased, and will continue to increase, this vulnerability is now a security concern for everyone.

Ongoing improvements to the ITS Start page, where people create and change their passwords, have included stronger password requirements. So now, when you change your password, you not only pick a new one, you pick a better one. And our regular password change cycle will allow us to continue improving password selection, as attacks get more sophisticated.

ITS assistance is available to any of our clients who might desire help as this new password change cycle and password selection procedure is implemented. Password attacks are the most common vector through which data is exposed, and this procedure is necessary for the protection of accounts and data. There have certainly been compromises of individual systems and accounts that were linked to weak passwords here at NYU and elsewhere, and experts foresee an increasing number of attempts at such compromises.

NYU and ITS work hard to protect the data on NYU's campus network, and block these and other sorts of attacks. For example, ITS Technology Security Services scans all of NYU-NET looking for computers that have been compromised, in an attempt to contain any possible damage. We maintain a dialogue with departmental system administrators, working with them to secure their departments' machines and to remediate any problems. Our Network Operations Center monitors the network for any spikes in traffic that might signal potential problems or break-ins. In addition, Technology Security Services is in the process of investigating intrusion prevention systems that can detect many types of malicious network traffic and stop it before it reaches its destination.

These are just a few of the ways in which we work to protect your systems, accounts, and data. However, it is difficult to tell at a network level when passwords are used fraudulently, so we still need each of you to do your part by making your password strong, keeping it private, and changing it regularly.

What is a Strong Password?

In addition to changing your password on a regular basis, choosing a strong password is a vitally important part of good computer security. Key characteristics of a strong password include having eight or more characters, and using a combination of letters (A-Z, a-z), numbers (0-9), and special characters (!@#$%). It's also important not to re-use old passwords, use words that are found in a dictionary, or use someone's name—even if you add numbers or characters to them. Many password-cracking programs try to guess words such as these; for example, passwords such as hat123 or 123Sam would not be good choices.

Overall, it is important to choose a password that would be difficult for someone else to guess, but is easy for you to remember. As an example, you might use the first line of a song—"All I want to do is have some fun"—and create the password "A1w2D1Hsf!" This would be easy for you to remember but almost impossible for someone else to guess. Never use a combination of your first and last name, or the name of your spouse, parent, significant other, and so on, as these are far too easy for a hacker to guess.
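The rules above can be expressed as a check that a password-change form might run. This is an added example, not ITS's actual code: the function name, the tiny constructed word list, and the SHA-256 history digest are all assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample data: a tiny stand-in for a real dictionary and name list.
WORDLIST = {"hat", "sam", "password", "summer", "tracey"}


def _digest(password):
    # Illustration only: a real password history would store salted, slow hashes.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, previous_digests=frozenset(), wordlist=WORDLIST):
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special characters")
    # Strip digits and symbols added to the front or back, so that
    # hat123 and 123Sam are reduced to the words a cracking program would try.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", candidate).lower()
    if core in wordlist:
        problems.append("dictionary word or name with characters added")
    if _digest(candidate) in previous_digests:
        problems.append("re-use of an old password")
    return problems


if __name__ == "__main__":
    history = {_digest("A1w2D1Hsf!")}
    for pw in ("hat123", "123Sam", "Summer2005!", "A1w2D1Hsf!"):
        print(pw, check_password(pw) or "ok")
    print("A1w2D1Hsf! (already used)", check_password("A1w2D1Hsf!", history))
```

Note that a password such as Summer2005! satisfies the length and character-mix rules and is rejected only by the dictionary check, which is why the article treats the two requirements separately.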

Help and Additional Information

  • To change your NetID password now or at any time, visit the ITS Start Page at http://start.nyu.edu, sign in with your current NetID and password, click the "Change your password" link on the next page, then follow the instructions to reset your password. Keep in mind that your new password must be a minimum of eight characters, including letters, numbers, AND special characters. Also, you may not re-use a password that you formerly used.
  • For answers to frequently asked questions about passwords and password changing, visit http://www.nyu.edu/its/faq/passwords/.
  • If you have questions about this important initiative, please send email to its.clientservices@nyu.edu or call the ITS Client Services Center at 1-212-998-3333.

Thank you for changing your password regularly and helping to make NYU's computing environment more secure.



Author Biography

Tracey Losco is a Network Security Analyst in ITS' Technology Security Services.


Page last reviewed: December 1, 2005. All content ©New York University.
Questions or comments about this site? Send e-mail to: its.connect@nyu.edu.