It only took about five minutes to crack 70 percent of University of Richmond students’ passwords in a test last year, which did not associate the passwords with students’ NetIDs, security administrator Anthony Head said.
Many students are just now realizing that they need to update their NetID passwords to conform to new security restrictions in order to access their Gmail and other campus network services.
The process of changing password lengths began last year, Head said, with the faculty and staff resetting their passwords near the end of the year. Students have either already had their passwords reset, or will have them reset by the end of February, according to the Information Services website.
New passwords must contain at least 16 characters, whereas the old passwords were somewhere between six and 10 characters, Head said.
Students might wonder why the NetID is receiving attention for password security when BannerWeb seems to contain more sensitive material, but Head said that Information Services is currently working on BannerWeb and expects to roll out new password policies for it sometime in the next six to nine months.
Head said Information Services was considering integrating BannerWeb into NetID so that the password and username would be the same across the board for students. However, because they are currently run on different systems, it might not be feasible, he said.
Before making the decision to change the length of passwords, Information Services staff talked with the computer science department to run their ideas past the faculty.
Douglas Szajda, a professor in the computer science department, said: “It was about time that we moved to 16. It doesn’t take that long to crack an eight-character password.”
Both Head and Szajda said that when deciding on password requirements, it was necessary to choose between making passwords longer or more complex. Head said that after research, Information Services staff decided that increasing length was a better way of keeping passwords safe than making password requirements more complex.
If students want to see how long it would take for a normal password-cracking program to crack their passwords, Head said they could visit the website grc.com/haystack.htm.
Head used this website to show that, as a password increases in length, the time it would take to crack increases as well.
Szajda said students should be wary about allowing their web browsers to remember their passwords because it is another way for the password to be found.
As an alternative to web browsers remembering passwords, the university paid for a service called LastPass, Head said. Students and faculty can go to lastpass.com/richmond and the service will keep track of passwords for students for free.
Contact reporter Brennen Lutz at firstname.lastname@example.org