University says yes, researchers suggest caution
Keeping a university’s computer system secure from outside hackers is only half the battle. Securing the thousands of student computers that log into campus networks on a daily basis is the other half. Protecting the university’s network is an around-the-clock challenge.
The most common way to secure computers and networks is the oft-maligned password. But can passwords be secure? “Yes, if you don’t have any users,” jokes Jacob Farmer, manager of ID Management Systems at Indiana University.
Since 2006 Indiana University has been fighting this battle with a different solution: the passphrase. This is what the school requires its students to use when connecting to the network, a transaction that happens some 100,000 times each day.
The idea of a pass phrase isn’t new. In 2004, Jesper M. Johansson, security program manager at Microsoft Corp., wrote a paper describing the benefits and drawbacks of passphrases. He wrote that passphrases “are coming into vogue for a number of reasons, one being the development of tools that can crack many passwords in minutes.”
He cautiously concluded that pass phrases were indeed more reliable than passwords but they were also saddled with some disadvantages. For example, if the pass phrase is lengthy and you’re not a good typist you could have problems entering the phrase.
“While no one can conclusively answer the question of whether passphrases are stronger than passwords, math and logic appear to show that a five- or six-word passphrase is roughly as strong as a completely random nine-character password,” Johansson wrote. “Since most people are better able to remember a six-word passphrase than a totally random nine-character password, pass phrases seem to be better than passwords.”
That’s one of the reasons Indiana University moved towards pass phrases. “Passwords weren’t strong enough and were cumbersome for users to type,” explains Andrew Korty, Indiana University’s information security officer. “A passphrase is stronger and is more like the sentences people type all the time.”
Johansson agrees. “Certainly a pass phrase of nine words is stronger than a password of nine characters but if you can’t type that many words accurately, it is much worse,” he wrote. “In addition, if the user mouths the pass phrase while typing it, little has been gained.”
Selecting strong passphrases core to IU learning
But one of the strongest arguments in support of passphrases is that they’re easier for users to remember. “If you agree that passphrases are easier to remember, use them,” Johansson says. “You will not be worse off than if you use passwords.”
Before a student logs into Indiana’s system for the first time, the school’s GetConnected Web site helps set up a university account. “The site will configure a student’s computer so it can meet our network and security standards,” says Farmer. “It provides them with a fairly comprehensive package to help them get off on the right foot from a security prospective.”
It also helps the student establish a pass phrase. Each phrase must contain between 15 and 127 characters. It must include at least four unique characters–letters, numbers, or symbols–and contain at least four words. A word must contain two or more distinct letters separated by one or more spaces or other non-letters, not including numbers or the underscore character ( _ ).
For example, “little pink houses-4unme” contains four words and is a valid pass phrase. On the other hand, the phrase “Hoagy_carmichael plays123stardust” only contains two words so would not be valid. Because a pass phrase can be quite lengthy, it becomes more difficult for a hacker to crack, explains Farmer.
Pass phrases cannot contain the student’s name or username, use the @ sign, the number sign (#) or double quotes. It cannot be a common phrase, such as “to be or not to be” or “April showers bring May flowers.”
Finally, the pass phrase should not be based on predictable patterns, such as the alphabet (abc … ) or the keyboard (qwerty). And of course, like passwords, pass phrases are case sensitive, says Farmer.
Students and staff are required to change their pass phrase every two years and it is used to access all IU accounts, including email.