Passwords for PennKeys get a new, longer twist


ISC to require 'passphrases' of 15 to 64 characters to log on




According to Information Systems and Computing, longer is better.

ISC is planning for all PennKey passwords to eventually be changed to "passphrases," ISC Associate Vice President Robin Beck said.

Instead of a short string of letters and numbers about 10 letters long, the new passphrase system will require a string of 15 to 64 characters, usually from a phrase or string of actual words.

The guidelines for constructing a passphrase - such as the exact length and content of the phrase - are still in preliminary stages. But Information Technology Technical director James Choate said "the more obscure and personal, the better."

The transition is tentatively scheduled to begin in the spring, and will continue for a period of months to allow PennKey holders to switch to the new system. PennKey usernames will still be used.

"PennKey served us really well for many years and we're just revisiting it now to make sure it keeps doing well," Choate said.

He said this particular initiative did not stem from one specific event, but there has been a growing trend of "password-guessing attacks."

In these attacks, hackers use programs to test every possible combination of characters for a particular PennKey password. The short length of the current passwords allows for such attacks to occur quickly.

"As you increase the length of the password, it makes it easier to protect," Choate said. "Also, the fact that a phrase is easier to remember means that it's less likely to be written down or shared."

Choate said the passphrase system is not uncommon. Many schools, such as University of California Berkeley and Indiana University, already use it.

Some students are skeptical about the passphrase system.

"I think it might be inconvenient, because it could take forever to log onto anything," Wharton and Engineering sophomore Leah Haimson said. "But maybe it would make it worth it if it were really more secure."

Haimson speculated that it might not be long before hackers figure out a new way of cracking longer passwords.

Wharton and Engineering junior Edward Nie said he was never worried about someone stealing his password, since "the most they could do would be to change my schedule."

He added that the length of a passphrase might pose a new problem.

"The worst part is that with a password that long, you're bound to make a typo somewhere," he said.

The move is part of a more comprehensive update of Penn's Internet security measures, but the passphrase change is the only major change for students, ISC's Information Technology Director Edda Katz said.

ISC is also planning on updating the programs used for authentication in order to handle these new security measures.
