In July 2012, UITS Identity Management Systems team estimated that there were about 160,000 computing accounts at IU with “stale credentials.” Stale credentials mean a passphrase or password that is at least two years old. When I tried to visualize 160,000 stale credentials, all I could picture was a big pile of moldy bread. Obviously, I needed some help understanding that figure. So, I exercised my Google-fu and found some interesting facts:
• $160,000 recently bought a piece of controversial DC Comics memorabilia
• The oldest human fossils found we know of are about 160,000 years old
• An annual salary of $160,000 works out to about $80/hour
I’m a Bloomington townie, so the statistic that really brought it home for me was the 2010 census population in Bloomington of about 80,000 people. So, the number of IU accounts with stale credentials was about twice the population of Bloomington. That’s a huge pile! And some of that bread is *really* moldy…
At IU, passphrases were introduced in October of 2006 (see Passwords and passphrases for details). After six years and several awareness campaigns (requesting users to voluntarily update), there were still approximately 81,761 IU accounts that had not been changed. Faced with the growing pile of evidence, UITS recognized that folks at IU apparently needed stronger incentive to clean up that pile and announced that passphrases older than 2 years would start to expire during the fall, 2012 semester. In order to prevent a massive lockout event, passphrases will initially expire in batches of a few hundred each week, starting with the oldest credentials first. So, what does this mean for you?
As your expiration date draws near, the Central Authentication Service (aka: “CAS”) will display a warning asking if you would like to change your passphrase before it expires. If you set a new passphrase before your expiration date, your access will continue without interruption.
If you do not set a new passphrase then, on your expiration date, CAS will begin showing you an error screen indicating that you must change your passphrase before you can continue:
Once you start seeing that error, you will not be able to access university resources such as OneStart, Oncourse, and countless others until you set a new passphrase. However, you will retain the ability to log in to ADS-joined workstations and the site https://passphrase.iu.edu/ so that you can set a new passphrase.
UITS began communicating this plan to the support community in August, 2012. The IT Professionals across the state quickly responded and, by the first week of September, through departmental events and individual meetings, had whittled the 160,000 down by more than 25%. In other words, in the span of a few weeks, the IT Pros guided the equivalent of about ½ the population of Bloomington through the process of updating their passphrases. Kudos is due to all the departmental support providers who made so much progress in such a short amount of time! Thanks to their effort many folks will sail through the semester without any further concern about stale or expired credentials.
However, there are a few holdouts who are saying: Why does this matter? Is the time & effort really worth the benefit? I *like* my old 8-character password, why can’t I keep it? These are fair and prudent questions. So, I set out to find some answers – here are some of them:
I started with Scott Wilson, from the IU University Information Security Office. Scott published a blog post about the project a while back. His post links out to an excellent video about the benefits of passphrases over passwords. Additionally, Scott explains that, with normal use, passphrases simply lose their effectiveness over time.
Additionally, expiring passphrases limits the window of opportunity for someone to take advantage of unauthorized access. Not every hacker wants to immediately do something noticeable to your account(s). Perhaps they would rather quietly send spam through your account and use your network credentials to hide their own identity while they try out the latest hacking tool set or visit a few disreputable or malicious websites or forums.
Sometimes, unauthorized access is not due to a hacker breaking in to an account; more common scenarios reported to IU’s University Information Security Office involve former roommates/classmates/romantic partners. We have probably all shared a computer at some time, and almost all browsers and operating systems “helpfully” store login information. Of course those near & dear to us wouldn’t abuse that stored access. But, a year or so down the road (when you no longer see much of each other, or perhaps you’ve had a falling out) some disenchanted “former friendly” might just give in to curiosity and take a peek at your current inbox, or (if the falling out still stings a little) they might make sure to use your credentials for IU Secure when they launch their next illegal torrent session.
One of the more compelling reasons I heard is that the Feds say we need to. There are a lot of folks at IU who have access to institutional data and, in some cases, to sensitive data. Many of those same folks are also using passphrases that are several years old. According to the Safeguards Rule of the Gramm Leach Bliley Act, institutions are responsible for protecting their customers’ data. “Controlling access to sensitive information by requiring employees to use ‘strong’ passwords that must be changed on a regular basis” is a FTC recommendation for meeting the institutional legal obligation under the Safeguards Rule. In other words, under federal law, stale credentials are a legal liability for IU, as well as a personal legal liability for the associated account holders … this could mean you. There are additional federal and state laws that require specific IT security measures. The IU University Information Security Office has collected links to some of them at http://protect.iu.edu/cybersecurity/data/laws if you are curious.
Finally, to skate on the edge of paranoia just a bit… Ever notice how iOS displays each character of your passphrase for a few seconds as you type it? Ever have a “tinfoil moment” in which you *almost* convinced yourself that the guy in line behind you (or perhaps some ubiquitous security camera) just watched you type that password on your iPhone? You probably (very reasonably) wrote that moment off to overdeveloped paranoia… didn’t you?
I’m not suggesting we all ought to be losing sleep over what security cameras might see on an iPhone and you won’t see me protecting my innermost thoughts with tinfoil either. But, as an IU alum and a current IU employee, I can appreciate that IU is forcing folks to be responsible about potential access to my data. And, in my mind, a few minutes of my time every couple of years is a small price to pay towards making sure I’m treating everyone’s IU data as carefully as I would want them to treat my own.