Benchmarks Online

Campus Computing News

Protecting Your Digital Identity: Changes to Password Procedures at UNT

By Dr. Maurice Leatherbury, Executive Director of Information Technology and Academic Computing

Identity theft is a serious and growing problem around the world, exacerbated by the Internet's openness and the seeming ease with which miscreants can obtain information about you over the Web. One common way by which identity thieves gather personal information is by "cracking" into computer accounts on home or work computers that hold sensitive information. Typically, thieves scan computer networks for poorly-protected computers, gain access to those computers, and then examine files on those computers that contain personal information such as social security numbers or credit card numbers. UNT is trying to reduce the risk of such theft occurring on campus by instituting additional security measures to protect our users and the campus network from such "cracking."

Over the next four months we'll be changing the way students, faculty, and staff change their passwords:

  1. We are moving to "single sign on" procedures where possible. This means that you'll only have to log into the campus portal ( for example, only once and then you'll have access to any of the services, such as GroupWise, EagleMail, and the Enterprise Information System, that are available from the portal. It also means that we're trying to assign a single user ID and password for your use across campus.

    Our assumption is that if you only have to remember one way to log into all of the systems you typically use on campus, you're more likely to remember your user ID and password and it will be less onerous for you to have to change your password. Also, if you can remember your ID and password more easily, there will be fewer instances of passwords being written on Post-it notes which are stuck to the bottoms of keyboards!

  2. We are instituting "strong password" rules that require you to create passwords that aren't easily cracked by identity thieves. We are doing this because we've had numerous instances of hacking into machines by programs that do "dictionary lookup" on common words that might be used in passwords, such as common first names or words from the English dictionary. Such programs simply try to log into targeted machines by using every word in the dictionary as the password. They also try simple variants such as adding a single digit to the ends of dictionary words. The rules we'll be following will prohibit dictionary words from being used and will require at least one upper case letter and at least one digit or special character (such as 01234$%^&*+, etc.) in your password. A very useful and informative article about password creation was published in Benchmarks Online in February ("Good Passwording.")

  3. We'll be "aging" passwords and requiring that you change your password at least every 120 days. This will prevent hackers from continuing to guess the same password over an extended period of time and will protect you if someone has stolen your password (or you've given it to someone) within the past four months. Starting around the middle of September, we'll be expiring passwords that haven't been changed within the past 120 days, on a staggered schedule based on the first letter in your user ID, and this process will finish by the middle of December. When you log in after your password has been expired, you'll be prompted to change the password before you are granted access to the system you're logging into.

  4. We'll be locking the login process if someone unsuccessfully attempts to log into your account more than 15 times within a 15-minute period. The account will be unlocked 15 minutes after the last unsuccessful login attempt. This measure will prevent the "dictionary attacks" that are described in #2 above, or at least will severely slow them down.
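The lockout rule in item 4, sketched as an added example; it is not part of the original article and not UNT's code. The class and function names are hypothetical, and two behaviors the article does not specify are assumed: a successful login resets the failure count, and an attempt made while the account is locked counts as unsuccessful and restarts the 15-minute unlock timer.

```python
from collections import deque

WINDOW = 15 * 60        # failures are counted over a 15-minute period
MAX_FAILURES = 15       # "more than 15" failures locks, i.e. the 16th
UNLOCK_AFTER = 15 * 60  # unlock 15 minutes after the last failed attempt


class LockoutTracker:
    """Failed-login tracking for one account; times are seconds (constructed)."""

    def __init__(self):
        self.failures = deque()   # timestamps of failures inside the window
        self.last_failure = None  # most recent failed or refused attempt
        self.locked = False

    def is_locked(self, now):
        if self.locked and now - self.last_failure >= UNLOCK_AFTER:
            self.locked = False   # lock has aged out
            self.failures.clear()
        return self.locked

    def attempt(self, now, password_ok):
        """Return 'refused', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(now):
            # Assumption: an attempt made while locked is itself unsuccessful,
            # so it restarts the 15-minute unlock timer.
            self.last_failure = now
            return "refused"
        if password_ok:
            self.failures.clear()  # assumption: success resets the count
            return "ok"
        self.last_failure = now
        self.failures.append(now)
        while now - self.failures[0] >= WINDOW:  # drop failures older than window
            self.failures.popleft()
        if len(self.failures) > MAX_FAILURES:
            self.locked = True
        return "failed"


def checked_guesses(interval, duration):
    """Count wrong guesses that reach the password check when one arrives
    every `interval` seconds for `duration` seconds."""
    tracker = LockoutTracker()
    return sum(tracker.attempt(t, False) == "failed"
               for t in range(0, duration, interval))
```

Under these assumptions the rule caps automated guessing at roughly 15 password checks per 15 minutes rather than stopping it outright, which is why the strong-password rules in item 2 are still needed alongside it.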

We're fully aware that many of these measures are annoying and to many will seem unnecessary, but prudence dictates that we do everything that we can to protect our students, faculty, and staff from the common risks that we all face on the Internet today. The goal of all of these procedures is to protect you and to make it easier for you to use the rich computer resources here at UNT.
