Passwords

Good computer security includes the use of strong passwords for all your accounts. Password policies must be updated because cracking tools continue to improve and the computers used to crack passwords keep getting more powerful.

Password cracking can take one of three approaches:

  • Intelligent guessing - use of information the attacker might know about the user or organization
  • Dictionary attacks - use of a list of words and passwords that have been found in other password breaches
  • Automation - attempt every possible combination of characters

By far the most common attacks that we see are dictionary attacks and automation. To make these types of password cracking less effective, Hancock College is rolling out two new password policies:

  1. All passwords are checked against a database of known breached passwords
  2. Passwords must be at least 12 characters long, with no additional complexity requirements such as numbers and special characters

Breached Password Checking

Starting in April 2022, all newly created Hancock College passwords will first be checked against a database of passwords that are known to have been compromised in previous attacks. Since users often reuse passwords, attackers will use this same database to try to crack Hancock College accounts. When a password is found in this database, the user will be instructed to choose a different password. Users can check any password against this database at https://haveibeenpwned.com/Passwords.

Password Length

For many years the minimum length for passwords has been 8 characters. Current hardware and methods can crack an 8-character, complex (a mix of uppercase, lowercase and numbers) password in a few hours. The new guidance suggests a minimum of 12 characters. The time to crack a similarly complex 12-character password today is measured in hundreds of years. Hancock's new policy does not require additional complexity such as numbers or special characters, but they are still allowed.

Timeline for this change

  • April 18, 2022 - All new passwords (both student and employee) will be compared with the breached password database and must be at least 12 characters long.
  • June 1, 2022 - All Allan Hancock College employees will be asked to change their password before the fall term.
  • August 29, 2022 - All employee accounts not adhering to the new requirements will be required to update their password on the next login.

Tips for Creating Strong Passwords

In recent years, the focus on password complexity - using a mix of lower and upper case letters, numbers and special characters - has shifted to a focus on length. A password that was once considered strong, such as "Sr%[d8v", is considered weak given current cracking ability. These types of complex passwords are also difficult to remember. A long password can be strong and easier to remember: "Giraffe.Banana.Pencil" or "I ate 25 strawberries" are examples of long passwords that are memorable and, given their length, difficult to crack. Mixing in special characters, letters and numbers is still a good idea, but the only requirements are to have one uppercase and one lowercase letter and not to use the words "Hancock", "Bulldog", "Spike" or "password".
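The checks described on this page, sketched as an added example (not Hancock College's own code): minimum length, the upper/lowercase requirement, the disallowed words, and a breached-password lookup. The breached list is a small constructed sample standing in for the real database, and matching the disallowed words case-insensitively is an assumption.

```python
import hashlib

MIN_LENGTH = 12
# Disallowed words from this page; case-insensitive matching is an assumption.
BANNED_WORDS = ("hancock", "bulldog", "spike", "password")

def sha1_hex(password):
    """SHA-1 hex digest, so the lookup set never holds plaintext passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed sample standing in for the breached-password database.
SAMPLE_BREACHED = {
    sha1_hex(p) for p in ("Password123456", "Qwertyuiop123", "Iloveyou2022!")
}

def is_breached(password, breached_hashes=SAMPLE_BREACHED):
    """True if the password's hash appears in the breached set."""
    return sha1_hex(password) in breached_hashes

def check_password(password, breached_hashes=SAMPLE_BREACHED):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    lowered = password.lower()
    for word in BANNED_WORDS:
        if word in lowered:
            problems.append("banned_word:" + word)
    # Checked last: a long, well-formed password is still rejected if it
    # has already appeared in a breach.
    if is_breached(password, breached_hashes):
        problems.append("breached")
    return problems

if __name__ == "__main__":
    for candidate in ("Giraffe.Banana.Pencil", "Sr%[d8v", "Qwertyuiop123"):
        print(repr(candidate), check_password(candidate) or "accepted")
```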


Password Managers

Password managers are software applications that help users to create and manage their passwords. They typically have a user create a master password to open the application and then safely store strong, unique passwords for each website that a user visits. The benefit of using a password manager over saving a password in a browser is that the password manager can be used across browsers and devices. There are a number of these tools available; some are free and some must be purchased. Hancock College ITS has used and can recommend the following:

Details

Article ID: 142347
Created: Tue 3/29/22 10:01 AM
Modified: Mon 4/18/22 10:33 AM