All NetID passwords to change

Using your mother’s maiden name as your Yale NetID password won’t work anymore, unless her name is between 8 and 14 characters long and has at least two numbers in it.

Over the next two weeks — and starting today for undergraduates — anyone with a NetID, including students, faculty and staff, will be required to change their password. Part of an effort to improve the security of Yale’s network, the new policy also requires stronger passwords that must be changed once a year. But some information technology experts said the change will have little benefit, and some students and faculty were less than sympathetic to the idea.

Individual Yale accounts accessed with the NetID — ranging from e-mail to the classes server and department purchasing systems — will be disabled if users do not change their passwords by 8 a.m. on Tuesday, May 29. Passwords will now have to be 8 to 14 characters long and have at least two letters and two numbers.

The change may seem insignificant, but Information Technology Services officials said it can have a substantial impact on account security.

“Industry best practice is regular changes for passwords because that materially improves individual account security and, thereby, overall Yale IT security,” Chief Information Officer Philip Long said in an e-mail. “Most large security break-ins begin with a compromised account.”

The move was not prompted by any increase in the number of compromised accounts, Long said. ITS has recommended in the past that users change passwords frequently, but a recent security review showed that few do. The requirement was planned over spring break so that the change could be put in place before summer, Long said. Accounts that get broken into over the summer are less likely to be noticed than during the academic year, making the timing important, he said.

The change will not only improve overall account security, but will help eliminate the impact of previously compromised accounts on the Yale network, Information Security Officer Morrow Long said.

“This will lock out any interlopers/intruders and fraudsters who may have been using these accounts since the last time [passwords] were changed,” he said in an e-mail.

But the benefits of an annual password change on the average account’s security may be overrated, said David Farber, professor of computer science at Carnegie Mellon University, which does not require password changes. He said many people simply alternate between two passwords if they have to change them regularly, eliminating whatever advantage a new password would give.

“I think it’s a logistical mess, and I’m not sure it does any good,” Farber said.

Yale ITS recommends that users create a new password each time they change it, and Philip Long said he does not expect the change to be a burden on most users. The change seems to have gone smoothly so far — graduate students were notified of the new requirement yesterday without incident, Long said.
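The rule stated above (8 to 14 characters, at least two letters and at least two digits) and ITS's recommendation that a changed password actually be a new one can both be checked mechanically. The following is an added example, not ITS's code and not a description of how Yale's systems work: it implements the stated complexity rule, and adds a hypothetical password-history check that keeps salted PBKDF2 hashes of a user's last few passwords so that simply alternating between two old passwords is rejected. The class names, the history depth and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re

# Complexity rule as the article states it: 8-14 characters, with at least
# two letters and at least two digits.
MIN_LEN, MAX_LEN = 8, 14
MIN_LETTERS, MIN_DIGITS = 2, 2

_LETTER = re.compile(r"[A-Za-z]")
_DIGIT = re.compile(r"[0-9]")


def check_policy(password: str) -> list[str]:
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if len(_LETTER.findall(password)) < MIN_LETTERS:
        problems.append(f"at least {MIN_LETTERS} letters required")
    if len(_DIGIT.findall(password)) < MIN_DIGITS:
        problems.append(f"at least {MIN_DIGITS} digits required")
    return problems


class PasswordHistory:
    """Assumed design (not Yale's): remember salted PBKDF2 hashes of the last
    `depth` passwords so that a "new" password that merely cycles back to a
    recent one can be refused. Plaintext is never stored."""

    def __init__(self, depth: int = 5, iterations: int = 100_000):
        self.depth = depth
        self.iterations = iterations
        self._entries: list[tuple[bytes, bytes]] = []  # (salt, digest)

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.iterations
        )

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-derived per entry;
        # compare_digest avoids a timing side channel on the comparison.
        return any(
            hmac.compare_digest(self._digest(password, salt), digest)
            for salt, digest in self._entries
        )

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        # Keep only the most recent `depth` entries.
        del self._entries[: -self.depth]


def change_password(history: PasswordHistory, candidate: str) -> list[str]:
    """Apply the complexity rule, then the history rule; record on success."""
    problems = check_policy(candidate)
    if not problems and history.was_used(candidate):
        problems.append("password was used recently; choose a new one")
    if not problems:
        history.record(candidate)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    hist = PasswordHistory(depth=2, iterations=1000)
    for pw in ["maidenname", "bulldog2007", "handsom3dan1", "bulldog2007"]:
        print(pw, "->", change_password(hist, pw) or "accepted")
```

Note that the 14-character maximum is part of the rule as reported; a cap like that limits how much entropy a passphrase can carry, so the validator enforces it only because the stated policy does.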

Still, ITS is preparing for the possibility that difficulties will crop up. Requests that users change passwords will be sent to different campus populations over two weeks to keep the system from flooding, and ITS’s Student Computing group is beefing up the number of people available to help.

Even if making a new password is easy, some said they would still prefer not having to change it.

“I’m someone who likes to keep my own password for everything I do,” Patrick McCarthy ’09 said. “Once a year would be tolerable, but not preferable.”

But others said any improved security will be worth a minor hassle.

“It’s just another one of those bureaucratic things, but it’s a good idea,” said forestry professor Graeme Berlyn, who said he changed his password earlier this year even though he usually does not.

Passwords can be compromised through educated guessing, users sharing passwords or hackers intercepting passwords. While central systems managed directly by ITS play a critical role in IT security, protective measures are often more effective the closer they are to the computer that could be targeted, Long said. Earlier this year, ITS added an “intrusion detection system” to help monitor suspicious traffic coming into the Yale network, he said.
