Frequently update passwords to protect information

The other day, I received an email from CITES stating that my AD and Enterprise password had expired, and I was required to change them. This was not unexpected, as CITES requires all students, faculty and staff at the University to change these passwords every year. While it is annoying and causes a few weeks of confusion until I can get used to entering in my new password every time I log in on Compass or the University wireless Internet, I understand that it is a necessary security precaution, especially in the wake of last year’s ECE hacker.

However, what frustrated me was not changing my password but coming up with a new one. CITES has a particularly stringent set of rules for its passwords. Your password must be between eight and 12 characters long, you have to use at least one number and both a lowercase and uppercase letter, you may not have numeric or alphabetic sequences, you cannot have English words over five characters; the list goes on. It took me seven tries before it accepted my new password.

I understand why CITES needs to implement these criteria for users to meet when making passwords; it prevents people from using their name, birth date, abc123 or other commonly used passwords, and it forces them to come up with longer and therefore, theoretically, more difficult to guess passwords.

That was the case until last week, when a password-cracking program called oclHashcat-plus was updated to include the capability of deciphering passwords up to 55 characters in length.

oclHashcat-plus is a free-to-use program that uses your computer’s graphics card or graphics processing unit to make as many as eight billion guesses per second to crack a password. Obviously, with a typical computer, that number goes down to around one hundred to two hundred thousand guesses per second, but the Oxford English Dictionary has 600,000 entries. While most passwords are a combination of words and numbers, this still means that a typical computer running Hashcat can probably break your password in a little over a minute.

Of course there is a lot more to cracking passwords than simply running a program. For example, most hackers will need access to the database of passwords for any particular site in order to circumvent the login attempt limit imposed by most sites. However, the release of this software goes to show that no matter how complicated your password is, if someone really wants to break into your account, they will.

But there are several things you can still do to keep your email and school accounts safe.

Install basic virus and adware protection on your computer.

This will help defend it from picking up any viruses or other harmful programs when browsing the Internet. AVG Antivirus is a good program that is offered for free and helps shield you from most common threats.

Avoid visiting suspicious websites.

You can have the best antivirus software in the world, but if you visit enough fishy websites, eventually something will slip through. Common signs of a harmful website include excessive pop-ups, repeated firewall alerts from your computer and demands for your personal information. Trust your instincts and stick to well-known websites.

Be mindful of what computer you are using.

Generally, it’s a good idea not to access any website accounts that have your personal information stored, such as credit card information, birth date and social security number, on any computer besides your own. While it may be OK to occasionally access your email account on the University library computers, be aware that many other people use those computers every day. In 2011, library computers at Manchester University were found to have key loggers installed on them. Avoid using public computers to access your personal accounts.

Brian is a senior in LAS. He can be reached at [email protected]