Why do I need to change my password? IT and Library Services

The password expiration policy will require you to change your password every 120 days. Whilst password expiration may initially cause a degree of inconvenience, it is crucial that the University is able to assure the security of its information environment. This rule is being implemented to prevent misuse of the Computing facilities.

Why do I need to change my password?

You may well feel that your password is secure and does not need to be changed unless you choose to do so, but there are wider concerns. Here are some of the questions that the IT Service Desk has received:

Why should I worry about the security of my account?

If someone gains access to your account, they can do far more than look at your personal files. For staff, this means access to e-mail and shared areas, for students, it means access to your student record, exam marks, coursework submission etc., as well as Portal and Moodle accounts. They could do everything that you can do on any computer to which they might have access (maybe by connecting as you across the network). Not only can they read your files, they can delete or alter them. They could send e-mail and post to newsgroups - messages that will appear to have come from you. They could download pornography onto your home area. They could breach most of the Rules and Regulations for the use of ICT, and several civil and criminal laws, and do so in your name.

Why would anyone want to break into my account?

Most people don't want to cause trouble for people they don't know. Unfortunately, others are simply malicious. It's very probable that none of these people would ever find out your password. But why take the risk?

For the reasons above, we insist that you change your password. This is to protect yourself and others. Once someone has broken into your account, they can inconvenience others in two ways:

  1. Denial of Service attacks.
     Computing resources are not infinite: it is easy to set up processes which take nearly all of a given resource (CPU cycles, network bandwidth, etc.), thus taking it away from all other users. ILS would soon become aware of problems of this nature and would take steps to rectify the situation, but other users could be inconvenienced. If a Denial of Service attack is targeted on some external site, the University's good name may be compromised.
  2. A platform for more serious attacks.
     The goal of a hacker is to gain administrative access to the systems s/he has broken into: once this is achieved, it opens the entire system for attack. There are many ways of managing this, but most of them first require access to an account (any account). Thus the security of your account is the first hurdle in the path of a hacker: if they can break into your account, it is a good step on the way to gaining further privileges.

And the culprit will appear to be you.

Why every 120 days? This makes my password less secure as I will need to write it down.

The 120 day change rule is broadly in line with most other Universities. If you follow the guidelines given on the managing University passwords page, you should be able to create a memorable password without needing to write it down.

My bank doesn't require me to change my password every 120 days - why do you?

Your bank usually requires more than a single password to access your account. For this reason, it should not be necessary to change your banking passwords often.

My ISP doesn't require me to change my password - why do you?

Your account with your ISP allows you to connect to the Internet and maybe access an e-mail account with them. Universities are different in that they are relatively open organisations with a lot of high value resources (e-mail accounts to send spam, high bandwidth, open networks, computers allowing interactive login etc.). Your account also grants access to personal resources such as your student record, exam marks, coursework submission etc. which should remain private to you.

Why are the new password rules so complicated?

If you only use words from a dictionary or a purely numeric password, a hacker only has to try a limited list of possibilities. A hacking program can try the full set in under one minute. If you use the full set of characters, you force a hacker to continue trying every possible combination to find yours. If we assume that your password is 8 characters long, this table shows how many guesses a hacker may have to make before finding your password. Most password crackers have rules that can try millions of word variants per second, so the more algorithmically complex your password, the better. Refer to the managing University passwords page for more information.

Character set used in password                Calculation        Possible combinations
Dictionary words (in English)                 ~600,000 words     600,000
Numbers only                                  10^8               100,000,000
Lowercase alpha set only                      26^8               208,827,064,576
Full alpha set                                52^8               53,459,728,531,456
Full alpha + number set                       62^8               218,340,105,584,896
Full set of allowed printable characters      (10+26+26+19)^8    645,753,531,245,761

The longer your password, the more secure it is. If we take the full set of allowed printable characters (the last line above) and increase the password length, the number of possible combinations grows exponentially.

  • 8 Characters > 645,753,531,245,761 (645 Trillion) Combinations
  • 9 Characters > 45,848,500,718,449,031 (45 Quadrillion) Combinations
  • 10 Characters > 3,255,243,551,009,881,201 (3 Quintillion) Combinations

When we refer to character sets, they are typically numbers, upper and lowercase letters and a given set of symbols. For example:

Characters                      Number of characters
0123456789                      10
abcdefghijklmnopqrstuvwxyz      26
`~!@#$%^&-_=+[{]}.              18
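The combinations table and the character-set table above can be reproduced with a few lines of arithmetic. The following is an added example, not code from the original page or from ILS: it builds the alphabets from the character sets listed on the page, computes the keyspace for each, estimates worst-case exhaustion time at an assumed guess rate of one million per second (an illustrative assumption, not a measured figure), and works out the effective alphabet of a given password from the character classes it uses. The sample passwords at the end are constructed for illustration.

```python
DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
SYMBOLS = "`~!@#$%^&-_=+[{]}."  # the 18 symbols listed at the end of the page

# (name, alphabet) in the order the page tabulates them
CHARACTER_SETS = [
    ("Numbers only", DIGITS),
    ("Lowercase alpha set only", LOWER),
    ("Full alpha set", LOWER + UPPER),
    ("Full alpha + number set", LOWER + UPPER + DIGITS),
    ("Full set of allowed printable characters", LOWER + UPPER + DIGITS + SYMBOLS),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def effective_alphabet(password: str) -> int:
    """Alphabet size an attacker must search if they know which character
    classes (digits, lower, upper, symbols) the password draws on."""
    classes = (DIGITS, LOWER, UPPER, SYMBOLS)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def password_keyspace(password: str) -> int:
    """Keyspace implied by the password's own length and character classes."""
    return keyspace(effective_alphabet(password), len(password))


def days_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case days needed to try every candidate at the given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 86400


if __name__ == "__main__":
    RATE = 1_000_000  # assumption: one million guesses per second, for illustration
    for name, alphabet in CHARACTER_SETS:
        n = len(alphabet)
        print(f"{name:42s} {n:3d}^8 = {keyspace(n, 8):>22,d}  "
              f"{days_to_exhaust(n, 8, RATE):>14,.1f} days")
    # The page's last three figures are exactly 71**8, 71**9 and 71**10,
    # i.e. they were computed for a 71-character alphabet.
    for length in (8, 9, 10):
        print(f"71^{length} = {keyspace(71, length):,d}")
    for pw in ("password", "Passw0rd!"):  # constructed sample passwords
        print(f"{pw!r}: alphabet {effective_alphabet(pw)}, keyspace {password_keyspace(pw):,d}")
```

Running it shows that a lowercase-only 8-character password falls within minutes at the assumed rate, while each extra character class or extra character multiplies the work the attacker faces.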