[Editors] MIT improves Cybersecurity through Stronger Password Requirements and Expiration Policies

Christine Fitzgerald cavanna at MIT.EDU
Mon Jul 1 15:52:16 EDT 2013

Good morning,

As part of a broad effort to strengthen campus security<http://web.mit.edu/newsoffice/2013/ruiz-letter-on-strengthened-campus-security-0402.html>, MIT is taking steps to provide the community with a more secure network environment. This includes:

1. Implementing stronger Kerberos password requirements

2. Implementing password expiration policies and tying them to the certificate renewal process

What does this mean to you?
New Kerberos passwords/passphrases must be significantly stronger than was previously required.

When it's time to renew your MIT certificates (which expire on July 31):

* Download the updated CertAID application for Mac or Windows from the IS&T Software Grid<http://ist.mit.edu/software-hardware?type=All&platform=All&users=All&title=certaid&recommended_only=All>.

* If your current password is more than a year old, you'll be required to change it before a new certificate can be created (NOTE: the certificate renewal system<https://ca.mit.edu/ca/> will let you know if this is required).

Don't wait until July 31 to renew your certificate and change your password. Given the new password strength requirements, we recommend that you review rules and suggestions for creating strong passwords <http://kb.mit.edu/confluence/display/istcontrib/Strong+Passwords> before renewing your certificate.

Why are we doing this?
Poorly chosen passwords significantly increase the risk of unauthorized access to and/or exploitation of MIT's resources. All users, including contractors and vendors with access to MIT's systems, are responsible for taking appropriate steps to select and secure their passwords.

We seek to establish some standards for creating strong passwords, protecting those passwords, and ensuring that they are frequently changed (annually). The password expiration policy change is now linked to the certificate renewal process to combine these annual tasks and simplify the process.

Passwords vs. Passphrases
Another option is to use "passphrases", which are typically longer but easier to remember than complex passwords and, if well chosen, can provide superior protection against hackers. While the system will enforce a 6-character minimum password length, we recommend that passphrases (more than one word strung together) be at least 15 characters long (spaces count as characters). While passphrases may look simple, their length yields so many possible combinations that a typical password-cracking program will not be effective. That said, it is always a good idea to disguise this simplicity with elements of weirdness, nonsense, or randomness.
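
To make the length argument above concrete, here is an added example (not part of the original announcement or of any MIT tool) that applies the announced figures, a 6-character enforced minimum, a 15-character passphrase recommendation and a one-year change cycle, to candidate secrets and estimates the brute-force search space each one presents. The sample secrets and dates are constructed.

```python
import math
import string
from datetime import date, timedelta

# Figures taken from the announcement: 6-character enforced minimum,
# 15-character recommended passphrase length (spaces count), one-year cycle.
ENFORCED_MIN_LEN = 6
RECOMMENDED_PASSPHRASE_LEN = 15
MAX_PASSWORD_AGE = timedelta(days=365)

# Character classes used to estimate the brute-force search space.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
    " ",  # a space is a legitimate passphrase character
)


def alphabet_size(secret: str) -> int:
    """Combined size of the character classes the secret draws from."""
    return sum(len(cls) for cls in CHARACTER_CLASSES
               if any(ch in cls for ch in secret))


def search_space_bits(secret: str) -> float:
    """log2 of the strings a brute-force search must cover when it knows only
    the length and character classes. This is an upper bound: passphrases made
    purely of dictionary words are weaker unless randomness is mixed in."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(alphabet_size(secret))


def evaluate(secret: str, last_changed: str, today: str) -> dict:
    """Apply the announced policy to one candidate; dates are ISO strings."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return {
        "meets_minimum": len(secret) >= ENFORCED_MIN_LEN,
        "meets_recommendation": len(secret) >= RECOMMENDED_PASSPHRASE_LEN,
        "search_space_bits": round(search_space_bits(secret), 1),
        "change_required": age > MAX_PASSWORD_AGE,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials; "today" is the
    # announcement date.
    for secret, changed in (("Tr0ub4d", "2012-03-01"),
                            ("correct horse battery staple", "2013-05-01")):
        print(repr(secret), evaluate(secret, changed, "2013-07-01"))
```

The 7-character mixed-case alphanumeric sample scores about 42 bits, while the 28-character lowercase passphrase scores about 133 bits, which is the effect the announcement is relying on.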

For more details on creating strong passwords and passphrases, see the Strong Password knowledge base article<http://kb.mit.edu/confluence/display/istcontrib/Strong+Passwords>.

Questions about changes to the policy should be directed to cybersecurity-questions at mit.edu<mailto:cybersecurity-questions at mit.edu>. If you or your colleagues are having trouble with the certificate renewal or password changing process, please contact the IS&T Help Desk at helpdesk at mit.edu<mailto:helpdesk at mit.edu> or 617-253-1101.

NOTE: IS&T will *NEVER* request passwords or other personal information via email. Messages requesting such information are fraudulent.

Christine C. Fitzgerald
Manager of Communications

Information Services and Technology (IS&T)
Massachusetts Institute of Technology
77 Massachusetts Avenue, Room W92-218B
Cambridge, MA 02139-4307

cavanna at mit.edu<mailto:cavanna at mit.edu>
