Username and password combinations are the most frequently used access control mechanism on campus. It is the primary mechanism for assuring the privacy of your information and preventing others from using your computer account for disruptive, offensive or illegal activities. The goal is to balance security with convenience.

Protecting the University's computer environment and you from abuse are the primary goals of password security. This information and the password guidelines are meant to provide information on the reasoning and methods for governing passwords. They describe some procedures that ICT has instituted to help you protect your computer account from unauthorized use and suggested good practices. This information has been authored with feedback from Security Services and Audit Services.

This information is applicable to everyone who has or is responsible for a computing account at the U of S. This includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides within the University of Saskatchewan environment or has access to the University of Saskatchewan network.

For information on creating a good password, read the password guidelines.

Background

Having a username and password can give you access to many IT services including PAWS, e-mail, Egrades, wireless network, etc. Using your account to access these services is attractive to people who would like to have unrestricted access for activities such as sending large batches of unsolicited e-mail (commonly referred to as "spam"), illegally distributing pirated software, pornography, lists of stolen login/password pairs, running programs to "crack" passwords, or disrupting computer and network operations both here and at other sites.

These events are not just possibilities; they have occurred and continue to happen at the University of Saskatchewan. Dealing with security incidents like these consumes considerable staff time, will involve a criminal investigation and can disrupt computing and network services for everyone in the U of S community. Preventing these events is everyone's responsibility.

Basic Security Precautions

• Cracking Passwords
• Password Expiration
• Locked Accounts

Keeping your password secure is your primary method to prevent your computer and/or server account from being used for unauthorized activities and for protecting your data, the network and other systems at the University from abuse. Because of this, ICT has taken many steps to protect passwords on ICT servers:

• Only encrypted versions of passwords are stored on the server. Passwords are authenticated by encrypting them and comparing the result with the encrypted version.
• Password encryption is irreversible: the unencrypted password cannot be obtained directly from the encrypted version. If you forget your password, there is no way to determine what it was. For you to regain access to your account, the ICT Help Desk will have to assign a new password. Proof of identification is always required.
• After a number of authentication failures accounts will be temporarily inaccessible.

Cracking Passwords

In spite of these precautions, people who want access to services can often obtain passwords in a number of different ways:

• They can guess. Do not use names (e.g. kids, pets, etc.) or numbers (e.g. Social Insurance Number, student number, etc.) already associated with you.
• They can ask. You are the only person who needs to know your password. Do not tell anyone else. ICT personnel never ask for passwords. There should be no reason for anyone to need your password—ever.
• They can spy. They can watch you type passwords in public computing labs. Someone with a password like "123456" is particularly vulnerable to the casual observer.
• They can crack. Programs that encrypt dictionary words and other "easy-to-guess" passwords and compare them with encrypted passwords are readily available on the Internet. Someone who obtains a list of logins and encrypted passwords can use one of these programs to guess passwords.
• They can read your password if it is written down. Do not write down passwords. If you must write them down keep them in a secure cabinet or drawer.
• They can obtain your password inadvertently. Never reveal your password in an e-mail message or store your password in a file on any computer without encryption. You should also ensure that you do not use the "Remember Password" feature of web browsers or e-mail applications especially on public computers.

If an account or password is suspected to have been compromised, report the incident to any one of these units: Security Services, Audit Services or the ICT Help Desk

Guidelines are available to help you choose a strong password.

Password Expiration

Passwords on many ICT servers are set to expire after they have gone unchanged for a period of time. Password expiration cannot be enforced for some services and it is up to you to change your password frequently. Access to accounts with expired passwords may be restricted. After a password expires, full access to the account may be regained by changing the password. If you forget to change your password before it expires, your account will be locked. Locked accounts cannot be accessed until the ICT Help Desk unlocks them.

These necessary restrictions, partially address two issues:

• Expiration of passwords forces the account holder to periodically perform some amount of routine maintenance.
• Password expirations also help to limit the length of time an active computer account can be subjected to unauthorized use. If an active computer account is compromised, it will not remain compromised forever because the account holder will have to change the password.

Locked Accounts

Many servers believe that someone is trying to maliciously break into your account after several failed login attempts. In this case, the server will automatically lock your account. Once an account has been locked it cannot be accessed, even with the correct password until it has been unlocked.

If you think you may have locked your account, you will need to come in person to the ICT Help Desk. Please bring University issued photo identification along with you.