Campus ID News
Card, mobile credential, payment and security
FEATURED
PARTNERS

Can passphrases strengthen the embattled password?

CampusIDNews Staff   ||   Mar 28, 2013  ||   ,


University says yes, researchers suggest caution

Keeping a university’s computer system secure from outside hackers is only half the battle. Securing the thousands of student computers that log into campus networks on a daily basis is the other half. Protecting the university’s network is an around-the-clock challenge.

The most common way to secure computers and networks is the oft-maligned password. But can passwords be secure? “Yes, if you don’t have any users,” jokes Jacob Farmer, manager of ID Management Systems at Indiana University.

Since 2006 Indiana University has been fighting this battle with a different solution: the passphrase. This is what the school requires its students to use when connecting to the network, a transaction that happens some 100,000 times each day.

The idea of a pass phrase isn’t new. In 2004, Jesper M. Johansson, security program manager at Microsoft Corp., wrote a paper describing the benefits and drawbacks of passphrases. He wrote that passphrases “are coming into vogue for a number of reasons, one being the development of tools that can crack many passwords in minutes.”

He cautiously concluded that pass phrases were indeed more reliable than passwords but they were also saddled with some disadvantages. For example, if the pass phrase is lengthy and you’re not a good typist you could have problems entering the phrase.

“While no one can conclusively answer the question of whether passphrases are stronger than passwords, math and logic appear to show that a five- or six-word passphrase is roughly as strong as a completely random nine-character password,” Johansson wrote. “Since most people are better able to remember a six-word passphrase than a totally random nine-character password, pass phrases seem to be better than passwords.”

That’s one of the reasons Indiana University moved towards pass phrases. “Passwords weren’t strong enough and were cumbersome for users to type,” explains Andrew Korty, Indiana University’s information security officer. “A passphrase is stronger and is more like the sentences people type all the time.”

Johansson agrees. “Certainly a pass phrase of nine words is stronger than a password of nine characters but if you can’t type that many words accurately, it is much worse,” he wrote. “In addition, if the user mouths the pass phrase while typing it, little has been gained.”

Selecting strong passphrases core to IU learning

But one of the strongest arguments in support of passphrases is that they’re easier for users to remember. “If you agree that passphrases are easier to remember, use them,” Johansson says. “You will not be worse off than if you use passwords.”

Before a student logs into Indiana’s system for the first time, the school’s GetConnected Web site helps set up a university account. “The site will configure a student’s computer so it can meet our network and security standards,” says Farmer. “It provides them with a fairly comprehensive package to help them get off on the right foot from a security prospective.”

It also helps the student establish a pass phrase. Each phrase must contain between 15 and 127 characters. It must include at least four unique characters–letters, numbers, or symbols–and contain at least four words. A word must contain two or more distinct letters separated by one or more spaces or other non-letters, not including numbers or the underscore character ( _ ).

For example, “little pink houses-4unme” contains four words and is a valid pass phrase. On the other hand, the phrase “Hoagy_carmichael plays123stardust” only contains two words so would not be valid. Because a pass phrase can be quite lengthy, it becomes more difficult for a hacker to crack, explains Farmer.

Pass phrases cannot contain the student’s name or username, use the @ sign, the number sign (#) or double quotes. It cannot be a common phrase, such as “to be or not to be” or “April showers bring May flowers.”

Finally, the pass phrase should not be based on predictable patterns, such as the alphabet (abc … ) or the keyboard (qwerty). And of course, like passwords, pass phrases are case sensitive, says Farmer.

Students and staff are required to change their pass phrase every two years and it is used to access all IU accounts, including email.

Related Posts

Subscribe to our weekly newsletter

RECENT ARTICLES

USF ID card back
Mar 28, 24 /

Caveat emptor when adding contact numbers to campus cards

The back of University of South Florida’s ID card provides several phone numbers for students in crisis or seeking safety services. Many campus cards contain similar resources, but what happens when this information changes. How do you deal with incorrect contact info for essential services? The USF card prominently lists contact numbers for the victim […]
High school bathroom

Bathroom breaks tracked by campus ID and mobile app

At California’s Fresno High, a new app is authorizing and monitoring trips to the bathroom in an effort to increase students’ time in class and decrease gathering in halls and bathrooms. Of course, this has not gone over well with students. Raising your hand and asking the teacher if you can go to the bathroom […]
Atrium Ozzi container

Atrium clients track check-out and return of reusable containers at OZZI kiosks

The push to reduce or even eliminate single-use containers from campus dining is now easier for Atrium clients. Thanks to a seamless integration between Atrium and the OZZI reusable container program, the processes for both students and dining services is streamlined. Atrium clients have been using OZZI for years, but the two systems were independent. […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
Twitter

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Join Jeff Koziol and Robert Gaulden from @AllegionUS as we explore how mobile credentials and proptech are changing on- and off-campus housing.

Load More...
Contact
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301
www.AVISIAN.com[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2024 CampusIDNews. All rights reserved.