|
|
 |
| CONTENTS A-Z | SEARCH | CHANGE YOUR PASSWORD | ANNOUNCEMENTS | STATUS MESSAGES |
|
How long after I have changed my password does my new one become valid?
Why
are you making me change my password - my current one works just fine
Absolutely not. In doing so you would be in breach of the Computing Service Rules and Regulations. For your own benefit also, you should not divulge your password to anyone else. If others use your account in an inappropriate manner, you are likely to be held responsible for their actions.
If you haven't changed your password for three months (or you are a new user) you will receive four email warnings spaced at weekly intervals. One week after the fourth warning, if you still have not changed your password, your account will be disabled. You will not lose any data if this happens, but you will be unable to log in again until you contact the Computing Service Help Desk asking for your account to be re-enabled. When you have had your account re-enabled, you will be required to change your password within a few days. Failure to do so will result in your account being disabled again.
New users should change their passwords immediately. Thereafter, all users must change their passwords at least once every four months. It is up to you if you wish to change your password more frequently than this. Note that you should not attempt to change your password more than once within any two hour period. It is unlikely to work!
If you forget your password, you should report to the Computing Service Help Desk. We will not be able to tell you what your existing password is but we will be able to assign you a new one.
Please note: We are not able to assign new passwords unless you visit the Help Desk in person. You will also need to provide some proof of identity.
Once you have changed your password, you should not expect your new password to take effect on all machines immediately. On Computing Service lab DECstations and on the NT workstations, the password change will take effect (almost) immediately. On all other machines, the new password will not take effect until shortly after half past the following hour. If you change your password at, say, 9:45, your new password won't take effect on many machines until just after 10:30. It is therefore not advisable to try out your new password immediately after changing it.
You should also be aware that having changed your password, you will not be able to change it again until it is working on all systems, i.e. shortly after the following half hour. Any attempt to do so will result in a password change failed error message.
Having changed your password, you will probably find that other network based resources (e.g. email) may be disrupted for sometime. This is usual. It is probably better to change your password last thing in the evening before you go home. This will allow all the systems to synchronise overnight. Everything (or nothing!) should work the following morning.
All passwords must be between six and eight characters in length, we recommend that you use eight characters. A password must be made up of printable characters. A mixture of lower case letters, upper case letters, numerals and punctuation characters is best. The system will reject passwords that are considered to be too easy to guess. In general, you should avoid passwords that are likely to be found in the system spelling dictionary or that contain personal information such as your name, address, date of birth or vehicle registration number.
One way of making up a new password is to choose the letters from a phrase that is meaningful only to you and perhaps transform it slightly, perhaps by capitalising a letter, adding a number or inserting a hyphen ('-') somewhere in the middle.
For example, from the phrase Shall I compare thee to a Summer's day? you might get the password SIct2aSd (e.g. first letter of each word with 's' capitalised and 'to' replaced with the digit '2') or lIeeoas? (last letter of each word), either of which is secure.
Catch-22a: any password that I tell you is secure, instantly becomes insecure (because I told it to you and someone might have overheard). So choose a phrase that means something to you and then keep it to yourself. Do not use SIct2aSd or lIeeoas.
The program to change passwords has been modified so as to be extremely picky about the passwords it is prepared to accept. It uses an internal dictionary that contains a large number of commonly used passwords. It will reject passwords that are either found in this dictionary or can be generated by the application of some simple rules to a word in the dictionary. It will also disallow many strings that look like car registration numbers, postcodes or palindromic strings.
We are aware that this is annoying. It is there to prevent misuse of the Computing facilities. Without such stringent rules we would have very little protection against other users determined breach the security of our systems.
You may well feel that your password is private to you and you should be the one to decide whether it should be changed. This is entirely true but it is not the entire picture. Consider the following hypothetical points:
There's nothing private on my area: if anyone wants to read it, I don't mind
Someone who finds out your password can do far more than read your files. They can do everything that you can do on any machines to which they might have access (maybe by connecting as you across the network), including all the things you could do, but wouldn't, because of the trouble and embarrassment it would cause you. Not only can they read your files, they can delete or alter them. They can send email and post to newsgroups - messages that will appear to have come from you. They can download pornography onto your area. In short, they can breach (albeit in your name) most of the Conditions of Use of the Computing Facilities, and several civil and criminal laws.
But no one would do that to me, surely?
Well, most people wouldn't: Its doubtful that one person in a thousand would want to cause trouble for someone they didn't know. Unfortunately, some people are simply malicious: and some of them have network access. In all probability, none of these people will ever find out your password. But one might: why take the risk?
It's nothing personal
For the reasons above, the Computing Service would advise you to change your password frequently, to protect yourself. The reason we insist that you change your password is to protect others. Once someone has broken into your account, they can inconvenience others in two ways:
Denial of Service attacks.
Computing resources are not infinite: It is easy to set up processes which take nearly all of a given resource (CPU cycles, network bandwidth, etc.), thus taking it away from all other users. The Computing Service would soon become aware of problems of this nature and would take steps to rectify the situation, but other users could be inconvenienced. If a Denial of Service attack is targeted on some external site, the University's good name may be compromised.
A platform for more serious attacks.
A malicious cracker really wants to gain administrative access to the systems s/he has broken into: once this is achieved, the entire system is available for attack. There are many ways of managing this but most of them first require access to an account (any account). Thus the security of your account is the first hurdle in the path of a cracker: if they can break into your account, it's a good step on the way to gaining further privileges.And the culprit will appear to be you.