[IS&T Security-FYI] Newsletter, July 6, 2007

Monique Yeaton myeaton at MIT.EDU
Fri Jul 6 10:32:31 EDT 2007


Kerberos Passwords

As you are probably aware, every year around this time you are reminded to renew your MIT personal certificate before it expires on July 31st.

As a new feature, IS&T has recently expanded the MIT personal certificate functionality to include a friendly reminder to keep your Kerberos password current. What this means is that the certificate server will validate the last time you changed your Kerberos password, and if that was more than a year ago, it will display information on the last time you changed your password with the recommendation to change your password at least once a year.

In concert with the new functionality, the Kerberos password policy was changed to require two (2) character classes (letters including lower and upper case, numbers, punctuation and/or symbols). The policy also notes that:

-- The password must be equal to or greater than 6 characters (we recommend that your password be longer than 6 characters)

-- It must have at least 2 character classes (we recommend that if you can still remember the password, to use more than two character classes)

-- It must not be one of the three previous passwords you have used (we recommend you never reuse a password)

-- It must not be a commonly used dictionary word (a pass-phrase is better than a password)

For more guidelines on choosing a password see:
<http://web.mit.edu/ist/topics/network/passwords.html>
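The four rules above, plus the "changed more than a year ago" check the certificate server performs, can be expressed as a small policy checker. The following Python is an added example written for this newsletter, not IS&T's or the Kerberos KDC's own code. It assumes that lower-case letters, upper-case letters, digits and punctuation/symbols count as four separate classes, that the dictionary check also catches a common word with digits or punctuation bolted on (stricter than the literal rule), and that previous passwords are stored as salted PBKDF2 digests; the word list and the password history are constructed sample data.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy parameters as stated in the newsletter.
MIN_LENGTH = 6
MIN_CLASSES = 2
HISTORY_DEPTH = 3
MAX_PASSWORD_AGE_DAYS = 365

# Constructed sample word list; a real deployment would load a full
# dictionary or cracking word list (assumption, not MIT's actual list).
COMMON_WORDS = {"password", "kerberos", "welcome", "letmein", "beaver", "summer"}

# Assumption: previous passwords are kept as salted PBKDF2-HMAC-SHA256 digests.
PBKDF2_ROUNDS = 100_000

PasswordRecord = Tuple[bytes, bytes]  # (salt, digest)


def character_classes(password: str) -> int:
    """Count the classes present. Assumption: lower-case letters, upper-case
    letters, digits, and punctuation/symbols are four separate classes."""
    present = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(present)


def is_dictionary_word(password: str) -> bool:
    """Case-insensitive lookup. Also checks the letters-only form, so a common
    word with digits or symbols appended is still caught (assumption)."""
    lowered = password.lower()
    letters_only = "".join(c for c in lowered if c.isalpha())
    return lowered in COMMON_WORDS or letters_only in COMMON_WORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Derive a salted digest suitable for the password-history store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_recent_history(password: str, history: List[PasswordRecord]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH entries.
    history is ordered oldest to newest; older entries are ignored."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history: List[PasswordRecord]) -> List[str]:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if is_dictionary_word(password):
        problems.append("commonly used dictionary word")
    if in_recent_history(password, history):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


def recommendations(password: str) -> List[str]:
    """The newsletter's 'we recommend' advice, kept separate from hard failures."""
    advice = []
    if len(password) <= MIN_LENGTH:
        advice.append("use a longer pass-phrase")
    if character_classes(password) == MIN_CLASSES:
        advice.append("use more than two character classes if you can still remember it")
    return advice


def reminder_due(last_changed_iso: str, today_iso: str) -> bool:
    """Mirror the certificate server's check: remind when the last change is over a year old."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS)


if __name__ == "__main__":
    # Constructed history: four previous passwords, oldest first, so only the
    # last three count toward the reuse rule.
    hist = [hash_password(p) for p in ("OldPass#1", "OldPass#2", "OldPass#3", "OldPass#4")]
    for candidate in ("abc", "Password1", "OldPass#1", "OldPass#4", "correct horse battery"):
        print(f"{candidate!r}: {check_password(candidate, hist) or 'OK'} / {recommendations(candidate)}")
    print("reminder due:", reminder_due("2006-06-01", "2007-07-06"))
```

Keeping recommendations separate from violations lets the same checker both reject a non-compliant password and show the "we recommend" advice without turning the advice into a hard rule; storing history as salted slow-hash digests means a compromised history store does not hand out the user's last three passwords in the clear.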

We don't always remember to change our passwords. How frequently should this be done? The answer depends on what the passwords are used for. If they are passwords to important and/or sensitive information, changing these at least once a year is a good idea. If they are passwords to email accounts or chat programs, for instance, less frequently is fine.

By sending you a password reminder annually when certificates are ready to expire, we hope to ensure that your Kerberos password stays strong. IS&T believes this new functionality will improve our overall security posture and also help in complying with auditors' suggestions to change passwords on a regular basis.

Changing Kerberos passwords more than once a year is fine too. Change your password at any time via this website: <http://wserv.mit.edu/cpw>

Monique


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security
