To comply with state and University System
of Maryland security requirements, new rules went into effect at the
beginning of August for passwords in the University Directory (used
for many systems such as Testudo, electronic timesheets, and the Mail@umd
e-mail system).
Password Expiration
Henceforth, passwords on those systems will be valid for no longer
than 180 days. In the weeks preceding your password’s expiration date,
you will receive e-mail reminders to select a new password. If you allow
your password to expire, you will need to create
a new password before you will be able to access your systems again.
All passwords created prior to August 16, 2006 will expire in early
November.
Password Complexity
A password cannot provide adequate protection if it can
be easily guessed by a hacker. Computer programs exist that attempt
to use combinations of random characters and entire dictionaries of
words (in many languages) to break into computer systems. Some can
even take those words and replace letters with numbers or symbols
that bear a resemblance (such as turning the letter S into a dollar
sign). Password complexity rules require users to create passwords
that make the job of the password cracker as hard as possible without
making it impossible for the user to remember his or her chosen password.
For OIT systems, the following rules are in effect:
- All passwords must be between eight and 32 characters in length.
- All passwords must contain at least one uppercase character,
one lowercase character, and one other character, such as a digit
or punctuation mark.
- Passwords must pass a series of tests used to determine if the
selection is likely to be guessed by common password cracking programs.
These tests include looking for common character substitutions and
dictionary words followed or preceded by a digit.
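The complexity rules listed above, as an added Python sketch that is not OIT's actual checker: the wordlist is a constructed sample, and the function names and the substitution table (beyond the S-to-$ case the article mentions) are assumptions.

```python
import string

# Constructed sample wordlist; a real check would load large multi-language dictionaries.
WORDLIST = {"password", "maryland", "testudo", "terrapin", "welcome"}

# Assumed look-alike substitutions; the article itself names only S -> $.
LOOKALIKES = str.maketrans({"$": "s", "5": "s", "0": "o", "1": "l", "3": "e",
                            "4": "a", "@": "a", "7": "t", "!": "i"})


def guessable_forms(password):
    """Base words a cracker would try: digits stripped from either end,
    then look-alike characters mapped back to letters."""
    lowered = password.lower()
    stripped = {lowered,
                lowered.lstrip(string.digits),
                lowered.rstrip(string.digits),
                lowered.strip(string.digits)}
    return stripped | {s.translate(LOOKALIKES) for s in stripped}


def check_password(password):
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be between 8 and 32 characters")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase character")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase character")
    if not any(not c.isalpha() for c in password):
        problems.append("needs a digit or punctuation mark")
    if guessable_forms(password) & WORDLIST:
        problems.append("dictionary word with substitutions or an added digit")
    return problems
```

A password such as `Pa$$w0rd1` satisfies the length and character-class rules yet is still rejected, which is the case the third rule exists to catch.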
Password Reuse
One of the purposes of password expiration is to ensure that if a
password is captured by a hacker using spyware, it will not be usable
for a long period of time. Lists of accounts and compromised passwords
circulate on the Internet for years. You don’t want to resume
using a password that may have been previously compromised without
your knowledge.
To enforce this idea, you will not be able to select any of your
previously used passwords when you select a new password for your
account.
Failed Attempt Blocking
Another state-mandated feature is a failed attempt account lockout.
If an attacker is able
to attempt to log into your account using every possible combination
of characters, eventually he or she will be successful. While a human
is not going to try the trillions upon trillions of possibilities,
a computer can potentially try many combinations if left unfettered.
In order to prevent this type of attack, the University Directory
will temporarily lock access to the account in question when there
are six consecutive failed login attempts. This lockout lasts for
ten minutes, after which login attempts will again be permitted. Failed
attempt lockouts will begin in early November.
While some of these new rules may seem inconvenient, the implementation
of these password processes creates a more secure campus and gives
everyone an important role in protecting the university and its data
resources.
Visit www.password.umd.edu
for more information.

Changes to Wireless Network Enhance IT Security
By Steve Willett
The University of Maryland wireless network provides Maryland faculty,
staff, and students with wireless access to Internet resources without
the need to be anchored to a network cable and data outlet. Following
a very ambitious year-long expansion and upgrade project, the university’s
wireless network is now one of the largest in the country, with more
than 2000 access points providing convenient wireless access in more
than 100 buildings.
In addition to widespread wireless coverage, another of OIT’s
goals is to provide the university community with a safe wireless
network. In October, users will be able to take advantage of a new
“umd-secure” wireless network, which will encrypt all
wireless transmissions using WPA/WPA2 technology. Once it is available,
this will be the preferred means of accessing the wireless network.
Visit www.oit.umd.edu/wireless
for more information.