Despite a red alert posted on Northern Kentucky University e-mail accounts to change passwords, less than 15 percent of all faculty, staff and students had changed their passwords as of Oct. 6, according to the Office of Information Technology.
The alert specified that those who had not changed their password within 90 days of Oct. 23 were required to change it to access their NKU account information. Jason Allen, server operations manager for the Office of Information Technology, said this may have caused a delay in service.
“I do not understand why students do not want to change their passwords more frequently,” said Sean Rohlfing, a sophomore theater major. “Passwords are so easy to steal, and on a group server (passwords) are even more accessible. The open network could theoretically allow anyone with the right tools in.”
Security experts at Carnegie Mellon University estimate that more than a million passwords have already been stolen on the internet. NKU’s 2005 auditing process stated the need for password changes and the university’s administration has supported this course of action. The Office of Information Technology is now taking progressive steps in the area of data security to ensure NKU’s system is protected.
According to Allen the password is “the first level of defense.” Changing a password often provides security to users because it gives hackers less time to crack the code, according to a research study conducted at the University of Michigan. The researchers describe the many tools hackers use to discover passwords, such as dictionary programs and sniffers. A hacker will launch a dictionary attack by entering every word in a dictionary into a login program hoping it will eventually match the correct password. A sniffer can read every keystroke sent out from a computer, including passwords.
“I am good about changing my password, but I always use the same three (passwords) over and over again,” said Jill McGraw, an undecided sophomore.Passwords protect identity, but users often reveal themselves by using their own address, telephone number or Social Security number as passwords, according to the UM study. The researchers found those who avoid personal references often choose passwords that are either too short, found in the dictionary or are just common words spelled backward. The UM study revealed all of these words are easily guessed, making the job of password cracking easy.
Making a password easy for the user to remember but hard for someone else to guess is vital according to UM researchers.
While the Office of Information Technology does not place stipulations on the password choices of NKU account users, it has a few technical requirements for all new passwords: it must be at least seven characters in length, it must contain a combination of numbers and letters, which do not necessarily have to be capitalized, can only be changed once every 24 hours. A password history is set at five, so individuals cannot directly reuse an old password until some time has passed. Every password expires in 90 days.