<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:999237876;
mso-list-type:hybrid;
mso-list-template-ids:-1148426592 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:2014338727;
mso-list-type:hybrid;
mso-list-template-ids:-761748246 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Good morning,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As part of a broad effort to <a href="http://web.mit.edu/newsoffice/2013/ruiz-letter-on-strengthened-campus-security-0402.html"><span style="color:purple">strengthen campus security</span></a><span style="color:#495DFC">,</span> MIT is
taking steps to provide the community with a more secure network environment. This includes:<o:p></o:p></p>
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:5.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l1 level1 lfo1">
<![if !supportLists]><span style="font-family:"Calibri","sans-serif""><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-family:"Calibri","sans-serif"">Implementing stronger Kerberos password requirements<o:p></o:p></span></p>
<p class="MsoListParagraph" style="mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;text-indent:-.25in;mso-list:l1 level1 lfo1">
<![if !supportLists]><span style="font-family:"Calibri","sans-serif""><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Implementing password expiration policies and tying them to the certificate renewal process</span><span style="font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>What does this mean to you?</b><o:p></o:p></p>
<p class="MsoNormal">New Kerberos passwords/passphrases must be significantly stronger than was previously required.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">When it’s time to renew your MIT certificates (which expire on July 31):<o:p></o:p></p>
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;text-indent:-.25in;line-height:12.75pt;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Download the</span><span class="apple-converted-space"><span style="font-family:"Calibri","sans-serif""> </span></span><u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">updated</span></u><span class="apple-converted-space"><span style="font-family:"Calibri","sans-serif""> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">CertAID
application for Mac or Windows from the</span><span class="apple-converted-space"><span style="font-family:"Calibri","sans-serif""> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="http://ist.mit.edu/software-hardware?type=All&platform=All&users=All&title=certaid&recommended_only=All"><span style="color:purple">IS&T
Software Grid</span></a>.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:10.0pt;margin-left:.5in;text-indent:-.25in;line-height:12.75pt;mso-list:l0 level1 lfo2">
<![if !supportLists]><span style="font-size:11.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span class="apple-converted-space"><span style="font-size:7.0pt;font-family:"Calibri","sans-serif""> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">If your current password is more than a year
old, you’ll be required to change it before a new certificate can be created <i>(NOTE: The
<a href="https://ca.mit.edu/ca/">certificate renewal system</a> will let you know if this is required)</i> <o:p></o:p></span></p>
<p class="MsoNormal">Don’t wait until July 31 to renew your certificate and change your password. Given the new password strength requirements, we recommend that you review <a href="http://kb.mit.edu/confluence/display/istcontrib/Strong+Passwords"><span style="color:purple">rules
and suggestions for creating strong passwords </span></a>before renewing your certificate.<o:p></o:p></p>
<p class="MsoNormal"><b> </b><o:p></o:p></p>
<p class="MsoNormal"><b>Why are we doing this?</b><o:p></o:p></p>
<p class="MsoNormal">Poorly chosen passwords significantly increase the risk of unauthorized access to and/or exploitation of MIT's resources. All users, including contractors and vendors with access to MIT’s systems, are responsible for taking appropriate
steps to select and secure their passwords.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">We seek to establish some standards for creating strong passwords, protecting those passwords, and ensuring that they are frequently changed (annually). The password expiration policy change is now linked to the certificate renewal process
to combine these annual tasks and simplify the process.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Passwords vs. Passphrases</b><o:p></o:p></p>
<p class="MsoNormal">Another option is to use "passphrases" which are typically longer, but easier to remember than complex passwords and if well-chosen can provide superior protection against hackers. While the system will enforce a 6-character minimum password,
we recommend passphrases, i.e. more than one word strung together, be<span class="apple-converted-space"> </span><u>at least 15 characters</u><span class="apple-converted-space"> </span>in length (spaces count as characters). While passphrases may look simple,
their length translates into so many possible permutations that a typical password-cracking program will not be effective. That said, it is always a good thing to disguise this simplicity with elements of weirdness, nonsense, or randomness.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">For more details on creating strong passwords and passphrases, see the<span class="apple-converted-space"> </span><a href="http://kb.mit.edu/confluence/display/istcontrib/Strong+Passwords"><span style="color:purple">Strong Password knowledge
base article</span></a>.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Questions<span class="apple-converted-space"><span style="color:#333333"> </span></span><span style="color:#333333">about changes to the policy should be directed to </span><a href="mailto:cybersecurity-questions@mit.edu"><span style="color:purple">cybersecurity-questions@mit.edu</span></a><span style="color:#333333">.
If you or your colleagues are having trouble with the certificate renewal or password changing process, please contact </span>the IS&T Help Desk at <a href="mailto:helpdesk@mit.edu"><span style="color:purple">helpdesk@mit.edu</span></a><span style="color:#333333"> or
617-253-1101.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best,<o:p></o:p></p>
<p class="MsoNormal">Christine<o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Times New Roman","serif";color:#1F497D">_______________________________________________________________________________<o:p></o:p></span></p>
<p class="MsoNormal">NOTE: IS&T will *NEVER* request passwords or other personal information via email.
<o:p></o:p></p>
<p class="MsoNormal">Messages requesting such information are fraudulent.<o:p></o:p></p>
<p class="MsoNormal">_______________________________________________________________________________<o:p></o:p></p>
<p class="MsoNormal">Christine C. Fitzgerald<o:p></o:p></p>
<p class="MsoNormal">Manager of Communications<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Information Services and Technology (IS&T)<o:p></o:p></p>
<p class="MsoNormal">Massachusetts Institute of Technology<o:p></o:p></p>
<p class="MsoNormal">77 Massachusetts Avenue, Room W92-218B<o:p></o:p></p>
<p class="MsoNormal">Cambridge, MA 02139-4307<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a href="mailto:cavanna@mit.edu"><span style="color:blue">cavanna@mit.edu</span></a><o:p></o:p></p>
<p class="MsoNormal">617.253.9814<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.5pt;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>