Difference between revisions of "Password FAQ"

From CIT Wiki
Line 6: Line 6:
  
 
==Why are the password requirements so strict?  I want to use my pet's name every time.==
 
==Why are the password requirements so strict?  I want to use my pet's name every time.==
Some of the requirements listed (like not being able to use a password you've used in the last 18 months) are actually functions of the mailserver itself; others (like having to use something other than letters in your password) are CIT policy, but not necessarily forbidden by the mailserver. That, however, does not change the simple fact that a slightly more complex password benefits you greatly.
 
 
 
If your email password is a word in the dictionary, a hacker has to try only around 300,000 words to find yours. That number is based on the number of words in the complete version of the Oxford English Dictionary, and would take a password-hacking program approximately one minute to figure out.
 
If your email password is a word in the dictionary, a hacker has to try only around 300,000 words to find yours. That number is based on the number of words in the complete version of the Oxford English Dictionary, and would take a password-hacking program approximately one minute to figure out.
 
If your password has 6 random lowercase letters, a hacker has to try over 300 million combinations. That gives you a better shot at not having your password guessed, at 1,000 minutes (or just under 17 hours), but it's still fairly doable.
 
If your password has 6 random lowercase letters, a hacker has to try over 300 million combinations. That gives you a better shot at not having your password guessed, at 1,000 minutes (or just under 17 hours), but it's still fairly doable.
Line 13: Line 11:
 
However, if your password is eight random characters (including upper and lowercase letters, numbers, and punctuation), a hacking program has approximately 6 quadrillion (that's 6,000,000,000,000,000) possibilities to generate. Even at a speed of 5,000 possibilities per second, it would take over 36,500 years for a program to generate that many combinations.
 
However, if your password is eight random characters (including upper and lowercase letters, numbers, and punctuation), a hacking program has approximately 6 quadrillion (that's 6,000,000,000,000,000) possibilities to generate. Even at a speed of 5,000 possibilities per second, it would take over 36,500 years for a program to generate that many combinations.
  
The point is not that passwords like 0berLin! are invincible. The point is that, in combination with the other protective security measures we take (locking your account for a period of time after a specified number of unsuccessful tries, requiring password changes every 90 days, and sending passwords over a secure connection), you give yourself an exponentially better chance at preserving your privacy and the privacy of others by making simple changes to the way you create your password.
+
The point is not that passwords like 0berLin! are invincible. The point is that, in combination with the other protective security measures we take (locking your account for a period of time after a specified number of unsuccessful tries, requiring password changes every 122 days, and sending passwords over a secure connection), you give yourself an exponentially better chance at preserving your privacy and the privacy of others by making simple changes to the way you create your password.
  
 
==Can I continue to use the same old password I’ve been using for years?==
 
==Can I continue to use the same old password I’ve been using for years?==

Revision as of 09:36, 26 October 2015

How do I change my password if I've forgotten it and haven't set up my password recovery questions or set my cell phone number for text message recovery?

We can change your password for you if you visit the Help Desk, located in the Academic Commons, with a photo ID during regular business hours. You will need to fill out a short form, and your password will be changed within one business day.

Can I change my password if I can't get to the Help Desk?

We can change your password for you, provided you send an email to cit@oberlin.edu with a copy of your photo ID, your ObieID username, and contact information (in case we run into problems).

Why are the password requirements so strict? I want to use my pet's name every time.

If your email password is a word in the dictionary, a hacker has to try only around 300,000 words to find yours. That number is based on the number of words in the complete version of the Oxford English Dictionary, and would take a password-hacking program approximately one minute to figure out. If your password has 6 random lowercase letters, a hacker has to try over 300 million combinations. That gives you a better shot at not having your password guessed, at 1,000 minutes (or just under 17 hours), but it's still fairly doable.

However, if your password is eight random characters (including upper and lowercase letters, numbers, and punctuation), a hacking program has approximately 6 quadrillion (that's 6,000,000,000,000,000) possibilities to generate. Even at a speed of 5,000 possibilities per second, it would take over 36,500 years for a program to generate that many combinations.

The point is not that passwords like 0berLin! are invincible. The point is that, in combination with the other protective security measures we take (locking your account for a period of time after a specified number of unsuccessful tries, requiring password changes every 122 days, and sending passwords over a secure connection), you give yourself an exponentially better chance at preserving your privacy and the privacy of others by making simple changes to the way you create your password.

Can I continue to use the same old password I’ve been using for years?

No. Security concerns have become too great. In order to adhere to security best practices, we must enforce stronger passwords, changed on a regular basis.

The system made me enter a password that is hard to remember. What happens if I forget it?

The first time you use the OCPass web site (http://ocpass.oberlin.edu), you need to establish your password recovery questions. These are three easy-to-remember, personalized questions that can be used to reset your ObieID password. Alternatively, you can enter a cell phone number to which we can send a text message recovery code if you forget your password or it expires. If you have not enrolled ahead of time, you will need to contact the CIT Help Desk to have your password reset.

The new password rules are too difficult. How do you expect me to remember such a jumble of letters and numbers?

Sometimes it’s helpful to think of a phrase (including numbers and punctuation) as a basis for your password. Examples: “I drive a ‘56 Chevy.” becomes Ida’56C. “Wow! I ate 8 hotdogs!” becomes W!Ia8h! (Don’t use these examples, please).

I changed my ObieID password, but I still can’t log in.

The system you are trying to access may be using credentials other than the ObieID. If you’re certain that you’re attempting to authenticate to an ObieID system, remember that passwords are case-sensitive. If you need further assistance, contact the CIT Help Desk.

I keep trying passwords, and the OCPass website won’t take any of them.

Your password must:

  • be at least 8 characters long
  • not be a dictionary word
  • not be any of the previous three passwords you've used for your ObieID
  • contain at least 1 numeric character
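
The four rules above expressed as a checker, as an added example that is not CIT's or OCPass's own code. The word list, the PBKDF2 work factor and the sample passwords are constructed assumptions; password history is kept as salted hashes so that old passwords never need to be stored in plaintext.

```python
import hashlib
import hmac
import os

# Constructed stand-in word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "oberlin", "welcome", "sunshine", "elephant"}
PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, digest) so history is stored without plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def reused(password, history):
    """True if password matches any of the last three stored (salt, digest) pairs."""
    for salt, digest in history[-3:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, history):
    """Return the list of rules from the FAQ that the candidate fails."""
    failures = []
    if len(password) < 8:
        failures.append("must be at least 8 characters long")
    if password.lower() in DICTIONARY:
        failures.append("must not be a dictionary word")
    if reused(password, history):
        failures.append("must not be any of the previous three passwords")
    if not any(ch.isdigit() for ch in password):
        failures.append("must contain at least 1 numeric character")
    return failures


if __name__ == "__main__":
    # Constructed sample history, oldest first; only the last three are checked.
    samples = ("Old#2012pw", "Maple7!tree", "W1nter+rain", "Tr4in$tation")
    past = [hash_password(p) for p in samples]
    for candidate in ("elephant", "Maple7!tree", "Old#2012pw", "c0rrect-Horse"):
        print(candidate, "->", check_password(candidate, past) or "accepted")
```

Returning every failed rule at once, rather than stopping at the first, lets the user fix the candidate in one attempt.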

I set my Password Recovery Questions, but have now decided that I don’t like some of the questions or answers that I chose.

As long as you know your current password, you can go back to OCPass at any time to change your questions and/or answers.