Academic Tech Departments Must Mandate Stronger Passwords

It's been difficult to avoid the recent news stories about stolen and decrypted IDs and passwords. LinkedIn,, and have famously lost control of users' passwords in the past few months. Even Apple has been hit, as several million Apple IDs are still circulating on the Internet. The pity is that many of these passwords were encrypted (technically they were hashed), but given the powerful GPU-based "rigs" the hackers have at their disposal today, the decryption game moves much faster than in the recent past.

Still, what most of these events have in common is that the password system we use for authenticating users represents a throwback to the days when the Internet was a much safer place than it has since become. Users tend to choose passwords that are short and can be found in any dictionary (hence the "dictionary attack" method of guessing to gain access). Simply appending a capital letter or number to either end of the pronounceable word or family member's name does little to harden it as a password. I recently experienced this when a friend's site was hacked with spam comments. Her admin password was 8tinkerbell8, and evidently succumbed easily. Once in, the attacker disabled the anti-spam measures and began dropping links to sites selling cheap designer handbags. I changed the password to a much stronger random string, restarted the site, and re-logged in. The spammy comments stopped coming, although the spammer continued to knock on the door for some time, trying word after word in a vain attempt to regain access. The software was not successful, since the password was a random string of sixteen letters, numbers, and symbols.

Users pick simple passwords because they're easy to remember. Worse yet, they tend to re-use the same password on multiple sites, making it even easier for hackers to compromise the users' accounts. In fact, about a quarter of LinkedIn users whose credentials were stolen also had accounts on that used the same credentials, and those too were hacked. It gets worse; the case of one Mat Honan, fully described in a recent issue of Wired magazine, included a hacked Twitter account, an inaccessible Gmail account, and a laptop whose entire contents were erased. This unfortunate string of events was made possible with some re-used credentials, linked identities between Gmail, Twitter, and Apple, and a little social engineering. Surely these pitfalls exist in academia, where system-wide password rules often require only a minimum of characters and complexity. Before I understood the consequences, I used a re-use trick for years; when required to change my password to something new, I did, then immediately changed it again (yes, back to the original password). While that little maneuver has been blocked, precious little keeps me from entering an eight-character word with nothing more than one capital letter and one number. In today's environment, that is hardly adequate.
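The weakness described above, as an added example that is not part of the original article: a password can satisfy an "eight characters, one capital, one number" rule and still be a dictionary word with decoration on the ends. The word list, the 12-character minimum and all function names are assumptions made for illustration.

```python
import string

# Constructed stand-in for a real word list (assumption): a deployment would
# load a full dictionary plus common names and known-breached passwords.
WORDLIST = {"tinkerbell", "password", "football", "princess", "sunshine"}
AFFIX = string.digits + string.punctuation


def naive_policy_ok(pw):
    """The rule the article calls inadequate: 8+ chars, a capital, a number."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def core_candidates(pw):
    """Undo the usual decoration: digits, symbols or capitals at either end."""
    core = pw.strip(AFFIX)
    return {
        core.lower(),                                        # Tinkerbell8
        core.strip(string.ascii_uppercase + AFFIX).lower(),  # 8tinkerbellZ8
    }


def is_dictionary_based(pw):
    return any(c in WORDLIST for c in core_candidates(pw))


def review(pw, min_len=12):
    """Return the reasons to reject pw; an empty list means it is accepted.
    min_len=12 is an assumed threshold, not a figure from the article."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    if is_dictionary_based(pw):
        reasons.append("dictionary word with affixes")
    return reasons


if __name__ == "__main__":
    # Constructed samples; the first is the password quoted in the article.
    for pw in ("8tinkerbell8", "Tinkerbell8", "q7#Lw2!xVr9@pTz4"):
        print(pw, naive_policy_ok(pw), review(pw))
```
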

If one asks why it is not required that users enter unique and complex passwords, the answer usually is that users hate complex passwords that can't easily be remembered or must be written down. They also hate having to change passwords, although research indicates that given a long, complex password the semi-annual password change exercise would be nearly superfluous.

Unfortunately this situation trades security for convenience. Academic IT departments will continue to play the cat-and-mouse game with hackers so long as users demand passwords they can recall easily. This would be the case even with more effective credentials, but it is likely the problem would be much smaller than it is currently.

There are, however, other methods that can be employed to make the creaky password system more secure. Among these is what's called multi-factor authentication, in which a user must present credentials that represent something they know (their password) and something they have (a smart phone which either generates or receives a text message of numbers that must be correctly entered to gain authentication). Organizations like Google and PayPal already offer two-factor authentication, and Facebook is rumored to be introducing it in the near future. There will be the same chorus about inconvenience, but users may well adapt. When the alternative is having their identity revealed, perhaps stolen, and their academic records rifled, one might expect to see a greater effort to strengthen the password system, regardless of the inconvenience.

Steve Cunningham is an assistant professor of practice at USC’s Thornton School of Music.

