Why You Need to Change Your Password Frequently

"Why Do I Have to Change My !@$%#* Password?"

Joe St Sauver, Ph.D.
Director, User Services and Network Applications
joe@uoregon.edu

Sometimes new UO users are unhappy to learn that they need to change their uoregon.edu password at least once every six months, especially since the UO insists that all accounts have extremely secure passwords.

We'd like to take a moment to explain why we require strong passwords, and why you need to change your UO account password at least twice a year.

The Need For Strong Passwords

If you're not a system administrator, you may not realize that UO systems, like most Internet-attached systems, are subject to a constant stream of unauthorized access attempts. Hackers are continually probing for vulnerable accounts, accounts which can then be used as a stepping stone for launching attacks on other accounts or systems. Thus, even if your account doesn't have anything particularly private or sensitive on it, access to your account represents an extremely valuable "foot in the door" to the bad guys. Strong passwords play a key role in helping keep those cyber intruders out.

Do passwords need to be so strong? It seems anything I pick is rejected as being a word in a dictionary--even foreign words don't work!

One approach hackers use is a so-called "dictionary attack," trying one word after another with the expectation that users at many sites will pick a word in the dictionary for their password. Some particularly determined hackers may use a merged copy of all word lists they can find (whether English words, slang, technical terms, or foreign language words). Because the bad guys do this, so do we, with the result that any potential new passwords are checked against a pretty comprehensive list of dictionary words (as well as those same words spelled backwards, with a single additional character tacked on the end, and so on).

Why do passwords need to be so long? The five-character password I tried was rejected for being too short!

Another approach that hackers take is a so-called brute force attack. They simply try every combination of letters, numbers, and symbols that can be used as a password. The shorter your password, the fewer the combinations they need to check. That's why the UO insists on a minimum password length, and that's also why we insist you use something besides only lower case letters. We want to make sure the bad guys have to try combinations including upper and lower case letters, numbers and special symbols.

Why do I need to periodically change my password? I finally found one that was both strong and easy to remember, and now I have to change it! I use that password on all my accounts!

We do indeed make you change your password at least twice a year, and we do so for a number of reasons:

If you're required to change your password at least every six months, someone who's hacked your password and has been accessing your account without your knowledge will immediately be shut out once your password is changed. Some may think this is an uncommon scenario, but people commonly sell an old computer and forget to erase passwords they may have saved for dialing in or for accessing their email.
If you change your password at least every six months, hackers who may be trying to crack your password using brute force (as described above) basically need to start over because your password may now have been changed to some pattern they've already tried and rejected.
Forcing a password change also discourages users from using the same password on multiple accounts. (Using the same password on multiple accounts is bad because then your password is only as secure as the least secure of the systems sharing that common password, and if your account does get compromised, the bad guy suddenly has access not just to one account, but to multiple accounts, magnifying the scope of the problem).

I got mail from a funny looking address asking me to change my password...what's up with that?

What you should know about password-related email you may receive:

Because we require a password change at least every six months--and once your password expires you'll be denied access to your email, Blackboard, the UO wireless network, Campus Cash, the VPN or UO's dialin modems--we do send you mail warning you that your password is about to expire.
However, you should know that it is also common for miscreants to try to con UO users into divulging their password by sending mail with a link asking them to login to a bogus site. Don't fall for that ruse!

The only URL you should visit to change your uoregon.edu password is https://password.uoregon.edu/ Do not click on a link you receive in an email! It may look like it's a link to https://password.uoregon.edu/ but it may really go to some other bogus site. Protect yourself by manually entering https://password.uoregon.edu/ in your browser when you want to go to the UO's password changing website.

Questions or Concerns?

UO faculty, students, or staff with any questions about password-related policies should feel free to contact me at joe@uoregon.edu or 346-1720.

Spring 2006 Computing News | Computing Center Home Page