Earlier this week, everyone who was still using a noncompliant NetID password was informed that they must create a better password, or else. The "or else" is that they will lose access to all the university IT systems that require a NetID and password for access.
Some may not notice right away (maybe never) that their old, noncompliant NetID password has been deactivated. We only know for certain that there are about 19,000 passwords that are not compliant with the requirements of the university's password policy. Many of those belong to students.
The UW-Madison password standard is fairly straightforward. It requires a minimum of eight characters. (Many more if you desire — up to 35!) The password must contain characters from at least three of the following categories: uppercase letters (A-Z); lowercase letters (a-z); digits (0-9); and special characters (@#$%). Passwords must not contain a common proper name, login ID, email address, initials, first, middle or last name. That's about it.
My guess is that enforcing the NetID password policy will provoke some pushback from those who don't want to change their passwords and don't believe that they should be forced to comply with this fill-in-the-blank policy. Recent candidates for the blank that I have heard include: senseless, stupid, useless, oppressive and discriminatory. The last word in this list worries me more than all the others combined.
Is the policy discriminatory toward people who might have difficulty remembering or entering a longer and more complex password? I am nearly certain that it is not.
Complying with the password policy requires neither manual dexterity nor an exceptional memory. In fact, a minimally compliant password is easy to create and, at the same time, much harder to crack. Even a simple strategy like lengthening a password with a few random characters adds exponentially to its strength.
Neither does a compliant password require complex keystrokes. For example, repeating characters or using simple keyboard patterns are all perfectly acceptable strategies for creating good passwords.
People who can't remember a longer password can simply write it down and store it in a secure place. I do this myself because I don't want to use one password for everything I do online. And, I want to change my passwords more regularly. Writing down passwords isn't especially risky if they are stored in something you have with you most of the time — like a wallet.
Data breaches and compromised computer systems have become a nearly daily occurrence at American universities. Loss of restricted personal data can be devastating to the victims and expensive for the institution. There's no way around it. Improving the university's IT security has become important, urgent and everyone's responsibility.
Better passwords improve the security of UW-Madison's IT systems at low cost. By contrast, fixing security problems after they occur can be both complicated and expensive. The security benefit of stronger passwords is well worth the trouble and inconvenience of requiring compliance with university policy.
So ready or not, the moment to require better passwords has arrived. If you lose access to the systems that require the NetID password, you will have to go through the "Activate My NetID" procedure on the My UW website. If you have trouble, the DoIT Helpdesk has friendly and supportive staff on call to guide you through the process.
Tips for Tougher Passwords
Collide common words that are meaningful for you, but hard to guess. For example: OPAL#blue
Spell and capitalize creatively. For example: UForEahBlooz
Mild dyslexia works well in a password: e.g., replacing E with 3, d with b, or q for p. For example: R3dBirbF33d3R
Make your old password longer using random characters. For example: yoyoman becomes @@yo-yoMAN&&
Use symbols and numbers for simple encryption: E1VI$LiVZ
Do some or all of the above. Some examples: D@Rk$kY; $pIny@nTeAT3; 1Tr1ckP0nee$; B33F1@tMaj0r
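
The password standard described above can be written as a short validator. This is an added example in Python, not UW-Madison's or DoIT's code: the function names, the treatment of any ASCII punctuation as "special", and the account identifiers are assumptions, and the "common proper name" rule is left out because it needs a name list the article does not supply.

```python
import string

MIN_LEN, MAX_LEN = 8, 35  # limits quoted in the standard above

def char_classes(pw):
    """Return the character categories (of the four listed) present in pw."""
    found = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif ch in string.punctuation:
            # Assumption: any ASCII punctuation counts (article lists only @#$%).
            found.add("special")
    return found

def check_password(pw, personal=()):
    """Return the list of rule violations; an empty list means compliant."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("too long")
    if len(char_classes(pw)) < 3:
        problems.append("fewer than 3 character categories")
    lowered = pw.lower()
    for item in personal:
        # Assumption: "must not contain" is a case-insensitive substring match.
        if item and item.lower() in lowered:
            problems.append("contains personal identifier: " + item)
    return problems

def audit(passwords, personal=()):
    """Map each non-compliant password to its violations."""
    results = {pw: check_password(pw, personal) for pw in passwords}
    return {pw: probs for pw, probs in results.items() if probs}

# Sample passwords copied from the tips list above.
TIP_EXAMPLES = ["OPAL#blue", "UForEahBlooz", "R3dBirbF33d3R", "@@yo-yoMAN&&",
                "E1VI$LiVZ", "D@Rk$kY", "$pIny@nTeAT3", "1Tr1ckP0nee$",
                "B33F1@tMaj0r"]
# Constructed identifiers for a hypothetical account owner.
PERSONAL = ["bbadger", "bbadger@example.edu", "Bucky", "Badger"]
if __name__ == "__main__":
    for pw, probs in audit(TIP_EXAMPLES + ["bucky", "Bucky2024!"], PERSONAL).items():
        print(f"{pw!r}: {', '.join(probs)}")
```

Run against the nine sample passwords in the tips, it flags two under the rules as stated: UForEahBlooz uses only two character categories, and D@Rk$kY is seven characters long.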




IP hash: 88dc7ce5
wow. was this a slow day for opinions or what? I guess when you’ve done 50 columns on democrats and iraq, you have to find SOMETHING else.
IP hash: f2e919b4
this is so fucking stupid. if people want a simple password and are willing to take the “risk” (as apparently half of the student population is) whose business is that?
does doit just not have enough to do over there or what?
IP hash: 13788092
I’m sure that those stupid enough to take the “risk” of using a poor password would be the first to complain if their stuff was trashed or their ID was used to send child porn. They’d undoubtably blame DOIT for not protecting them from themselves.
IP hash: 65972aaf
Whining about having to change your computer password. Wow.
College students today have such an immense sense of entitlement, it boggles my mind. And they call you narcissistic. So unfair.
IP hash: 3a9b7cfc
if people were truly worried about email safety they wouldn’t be trusting doit with their info anyway. not that it even needs reminding, but in addition to their poor customer service and faulty services (ie. wiscmail, wisclists, etc) how about the THREE botched asm elections doit was charged with running last year. take this quote from this same paper: “DoIT has failed on the most extraordinary of levels. The technology organization created to serve students has now admitted that it cannot even serve the student body's government with a basic electoral source code.” http://badgerherald.com/oped/2006/04/06/justcantdoit.php
and when they do have the chance to make some improvements to the uw system they don’t have the balls to endorse it: Responding to a publicized test where a computer hacker gained access to a Macintosh operating system in under 30 minutes, DoIT Technical Service Specialist Dave Schroeder challenged hackers to infiltrate a computer he secured using Mac OS X and had put on the UW network. However, neither DoIT nor UW sanctioned the test and university officials shut it down prematurely. http://badgerherald.com/news/2006/03/09/hackinginvitetroub.php
people complaining that doit doesn’t protect them would be clearly justified.
IP hash: c9b58eb9
I’m not really sure where you’re getting your information from about these “faulty services”. I think WiscMail has exceptional reliability, perhaps only bested by the giant email services like GMail: http://www.doit.wisc.edu/news/story.asp?filename=611
Not sure what your deal is with WiscLists. Maybe the problem lies somewhere between the chair and the keyboard? Why don’t you back up your complaints with actual facts?
You would be very disappointed if you attended another university. Most have IT departments that are much smaller than DoIT and have far fewer and less robust services available to students. Forget your email password at U of Illinois? Don’t even try to reset it online or call in. You’ve got to go to the Help Desk in person. Want to get wireless wherever you go? You’ll be out of luck on most campuses. “Entitlement” does seem to be the operative word here.
Regarding the ridiculous password complaints, it’s not DoIT’s responsibility to protect you from yourself. If your password is “bucky” and someone logs in to your account, drops all of your classes and sends out porn through your email address, it’s your problem. But it becomes the university’s problem, and everyone else’s, when people use hacked accounts to send spam through an email system we all share and get DoIT’s servers blocklisted everywhere, and to send out viruses on our wireless and dorm networks. Now do you understand why requirements exist?
Someone who is really mad that they have to choose a new password is simply lazy and probably stupid.
IP hash: 8127d883
To be perfectly honest, I’m surprised at the vitriolic reactions to this sensible policy and unprovoked attacks on DoIT.
Would one complain to their bank about a similar policy for accessing online accounts? I’d be more concerned if the password policy was too loose.
Access to campus IT services is a privilege, which includes realistic expectations of the user community. Sound “rules of the road” are for the benefit of all. It is a shared resource and by virtue of this, my ill-advised actions can affect others (and vice versa). A base-line policy helps alleviate differences between users’ tolerance for risk, especially if actions result in costly expense to the university. Not only could this mean actual cost for legal actions, but reputation is also at risk.
By and large, the IT services offered at the UW-Madison campus are robust, reliable, and readily available. While this may not be unique in the realm of higher ed, it shouldn’t be taken for granted. Security is a necessity and here to stay. Policies are not imposed haphazardly or intended to inconvenience users.
P.S. I hope that the caveat, “We welcome your thoughts, but please keep your feedback thoughtful, on-topic and respectful. Offensive language, personal attacks, or irrelevant comments may be deleted.” is honored. The use of expletives shows ignorance and devalues one’s opinion, despite which side of the argument you land.
IP hash: 16485a83
GMail is much more reliable, except when they are losing your mail:
http://www.oreillynet.com/xml/blog/2006/12/gmaildisastergoogle_confirme.html
http://groups.google.com/group/Gmail-Problem-solving/browse_thread/thread/e19d6ab5d41e58eb/bd2a9386c2a1ad41