The Clock Is Ticking: New Directory Password Requirements Are Now in Effect

To comply with state and University System of Maryland security requirements, new rules went into effect at the beginning of August for passwords in the University Directory (used for many systems such as ARES, electronic timesheets, the Mail@umd e-mail system, and the online calendaring system). The same rules will govern passwords on the university mainframe system.

Password Expiration

Henceforth, passwords on those systems will be valid for no longer than 90 days for the CIO and OIT staff and 180 days for all others. You will receive e-mail reminders in the weeks preceding your password’s expiration date reminding you to select a new password. If you allow your password to expire, you will need to create a new password before you will be able to access your systems again. All passwords created prior to August 16, 2006 will expire in early November.

Password Complexity

A password cannot provide adequate protection if it can be easily guessed by a hacker. Computer programs exist that attempt to use combinations of random characters and entire dictionaries of words (in many languages) to break into computer systems. Some can even take those words and replace letters with numbers or symbols that bear a resemblance (such as turning the letter S into a dollar sign). Password complexity rules require users to create passwords that make the job of the password cracker as hard as possible without making it impossible for the user to remember his or her chosen password. For OIT systems, the following rules are in effect:

Password Reuse

One of the purposes of password expiration is to ensure that if a password is captured by a hacker using spyware, it will not be usable for a long period of time. Lists of accounts and compromised passwords circulate on the Internet for years. You don’t want to resume using a password that may have been previously compromised without your knowledge. To enforce this idea, you will not be able to select any of your previously used passwords when you select a new password for your account.

Failed Attempt Blocking

Another state-mandated feature is a failed attempt account lockout. If an attacker is able to attempt to log into your account using every possible combination of characters, eventually he or she will be successful. While a human is not going to try the trillions upon trillions of possibilities, a computer can potentially try many combinations if left unfettered. In order to prevent this type of attack, the University Directory will temporarily lock access to the account in question when there are six consecutive failed login attempts. This lockout lasts for ten minutes, after which login attempts will again be permitted. Failed attempt lockouts will begin in early November.

While some of these new rules may seem inconvenient, the implementation of these password processes creates a more secure campus and gives everyone an important role in protecting the university and its data resources. Please visit www.password.umd.edu for more information.
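
The lockout rule described under Failed Attempt Blocking, written out in Python as an added example (not the University Directory's own code), with a simulation of how many guesses a nonstop retrying client actually gets evaluated in a day. It assumes the failure counter starts fresh once a lock is set and that attempts made during a lockout are rejected without extending it; `LockoutTracker`, `evaluated_guesses` and the user name are hypothetical.

```python
from dataclasses import dataclass

MAX_FAILURES = 6            # consecutive failed logins before lockout (from the article)
LOCKOUT_SECONDS = 10 * 60   # lockout duration (from the article)

@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0

class LockoutTracker:
    def __init__(self):
        self.accounts = {}

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for a login attempt at time `now` (seconds)."""
        state = self.accounts.setdefault(user, AccountState())
        if now < state.locked_until:
            # Assumption: rejected without checking the password, lock is not extended.
            return "locked"
        if password_ok:
            state.failures = 0   # a success breaks the run of consecutive failures
            return "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0   # assumption: counter starts fresh after the lock expires
        return "failed"

def evaluated_guesses(seconds, guesses_per_second=1):
    """Count wrong guesses that are actually checked when a client retries nonstop."""
    tracker = LockoutTracker()
    checked = 0
    for tick in range(seconds * guesses_per_second):
        now = tick / guesses_per_second
        if tracker.attempt("constructed-user", False, now) == "failed":
            checked += 1
    return checked

if __name__ == "__main__":
    print("guesses checked in 24 hours:", evaluated_guesses(24 * 60 * 60))
```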