Passwords

1 About your Engineering password

This section explains what your "Engineering password" is, and how to change it.

1.1 What is your Engineering password?

The College of Engineering provides a computer account for all Engineering students, faculty and staff. Your Engineering password is the password associated with this account.

Your Engineering account, and password, are entirely separate from your University account. They are two separate systems. When we need to stress this distinction, we sometimes refer to your Engineering account as "your College of Engineering computer account".

Many Engineering departments provide computer accounts for their own department members. These computer accounts are also separate from your Engineering account. However, some Engineering entities (BAE, ChE, CE, Dean's Office units and ECE) use the Engineering password system on their computers, so your Engineering password is also valid for accounts in those departments and units.

1.2 What are the rules for Engineering passwords?

Your Engineering password can be anything you choose, as long as it meets these criteria:

  • it must be at least 7 characters long.
  • all printable characters are allowed. Spaces, tabs and other non-printing characters are not allowed.
  • it must be a password you have never used before on our system.


You may, if you wish, use your KSU eID password as your Engineering password. That is your option - you always control what your Engineering password is. K-State eID passwords meet all the requirements above.

1.3 Changing your Engineering password

There are several ways to change your Engineering password. Here are the self-service ways:

  • Use our password change page, at http://password.engg.ksu.edu, to set your Engineering password to be the same as your K-State eID password. All you need to enter is your K-State eID and K-State password. This will work even if you do not know, or have forgotten, your Engineering password, or have never logged in to your Engineering account and wish to access it for the first time.
  • When you are logged into a CECS-managed computer, enter CTRL-ALT-DEL (press these three keys at the same time) to bring up the security dialogue box. Click "Change Password".

For assistance with any password problem:

  • The CECS support center in Seaton 30 can help you during weekday hours, 0800-1200 and 1300-1700.
     
  • The Fiedler Library librarians can help you during weekday hours, 0800-1700.
     
  • During evening and weekend hours, our student consultants on duty in our computer labs (Seaton 54, Fiedler 1092) can assist you with any password problem.

You must have your K-State ID card with you, or your driver's license or a passport. For your protection, we require proof of identity to ensure that only the account owner is given access to their account.

1.4 How secure is your Engineering password?

In comparison with most other computer systems, your Engineering password is extremely secure.

  • Your Engineering password is transmitted and stored in encrypted format, not in plain text. Whenever you enter, create or change an Engineering password, it is immediately encrypted using a one-way function, right on the machine you are using, and the unencrypted password you typed is immediately destroyed. Only the encrypted Engineering password is transmitted from your computer to our authentication system. When you set or change your password, only this encrypted form is stored. When you login, our authentication system receives the encrypted version of the password you typed and compares it to the encrypted password associated with your account.
     
  • Because your password is kept only in encrypted format, our computer staff, even with full access privileges, cannot look up or view your password. This protects the confidentiality of your password.
     
  • Your encrypted password is stored in a database, in a way that makes it difficult to access. There is no file of passwords that can be stolen or copied for off-line attacks.
     
  • Your Engineering password can be as long as you like. Longer passwords are more resistant to attacks because the search space of all possible passwords is larger.
     
  • Our authentication system has an "intruder lock" feature that will lock your account for 15 minutes if there are three successive failed attempts to login. This protects you from password-guessing programs or people, who hope to discover your password by trial and error.
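The following is an added example, not code from the College of Engineering's authentication system, showing how the three rules of section 1.2 and the storage and intruder-lock behaviour described in section 1.4 fit together. It models only what the authentication system keeps and checks (the page describes the one-way function as running on your own machine before anything is transmitted); the one-way function used here is a salted, iterated SHA-256 with an iteration count and salt length chosen for illustration, and the sample passwords are constructed. The clock is passed into Login so the 15-minute lock can be exercised without waiting.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
	"unicode"
)

// Policy values from the page: at least 7 characters; three successive failed
// logins lock the account for 15 minutes. The iteration count is an assumption.
const (
	minLength   = 7
	maxFailures = 3
	lockPeriod  = 15 * time.Minute
	iterations  = 100000
)
var ErrLocked = errors.New("intruder lock: account locked, try again later")
// hashed is all the system keeps for a password: a random salt plus the one-way hash.
type hashed struct{ Salt, Hash []byte }

// oneWay is a salted, iterated SHA-256 standing in for the page's "one-way
// function"; a production system would use PBKDF2, bcrypt, scrypt or Argon2.
func oneWay(pw string, salt []byte) []byte {
	h := sha256.Sum256(append([]byte(pw), salt...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

func (r hashed) matches(pw string) bool {
	return r.Hash != nil && subtle.ConstantTimeCompare(oneWay(pw, r.Salt), r.Hash) == 1
}

// Account keeps every password hash ever set (the last one is current; the
// earlier ones enforce the "never used before" rule) and the intruder-lock state.
type Account struct {
	Passwords   []hashed
	Failures    int
	LockedUntil time.Time
}

// CheckPolicy enforces rules 1 and 2 of section 1.2: length, printable characters only.
func CheckPolicy(pw string) error {
	if len([]rune(pw)) < minLength {
		return fmt.Errorf("password must be at least %d characters long", minLength)
	}
	for _, r := range pw {
		if !unicode.IsPrint(r) || unicode.IsSpace(r) {
			return errors.New("spaces, tabs and non-printing characters are not allowed")
		}
	}
	return nil
}

// SetPassword applies the policy, rejects reuse (rule 3) and stores only a salted one-way hash.
func (a *Account) SetPassword(pw string) error {
	if err := CheckPolicy(pw); err != nil {
		return err
	}
	for _, old := range a.Passwords {
		if old.matches(pw) {
			return errors.New("you have used this password before on this system")
		}
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	a.Passwords = append(a.Passwords, hashed{Salt: salt, Hash: oneWay(pw, salt)})
	return nil
}

// Login compares hashes and applies the intruder lock; the clock is a parameter so it can be tested.
func (a *Account) Login(pw string, now time.Time) (bool, error) {
	if now.Before(a.LockedUntil) {
		return false, ErrLocked
	}
	if n := len(a.Passwords); n > 0 && a.Passwords[n-1].matches(pw) {
		a.Failures = 0
		return true, nil
	}
	if a.Failures++; a.Failures >= maxFailures {
		a.Failures, a.LockedUntil = 0, now.Add(lockPeriod)
		return false, ErrLocked
	}
	return false, nil
}

func main() {
	acct := &Account{}
	fmt.Println(acct.SetPassword("short1"), "|", acct.SetPassword("Wiw9mdra"))
	for i := 1; i <= 3; i++ {
		_, err := acct.Login("wrong guess", time.Now())
		fmt.Println("failed attempt", i, "->", err)
	}
}
```

Two details carry the section's security claims: the comparison is done on hashes in constant time, so neither the stored record nor the comparison ever handles the plain password, and a successful login resets the failure counter, so only three successive failures trigger the lock.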

2 Why good passwords are important

We are very concerned about security - not only the security of our computer systems, but also the security and safety of the people who use those systems.

Passwords are a very important part of our security structure, and they are important to you. They provide the following functions:

  • Authentication: In the electronic world, how do we know someone is who they claim to be? If your password is a secret that only you know, then providing that password establishes your identity. If your password is compromised (known to others) then no genuine authentication is possible. Valid authentication is the key to the other security functions listed below.
     
  • Access control: your password protects your access to computer systems, network information services, printing services etc. that you are entitled to. It makes sure that others do not have access to your personal data or computer files.
     
  • IT infrastructure/system protection: An attack on a computer system or a network will usually be more successful if done from inside. Attackers will look for weak passwords in order to gain initial access to a system. Strong passwords help to deny access to attackers.
     
  • Identity protection: Anyone who knows your password can assume your identity, since they can authenticate as you. They can perform any act electronically that you could perform. What if someone sent abusive email to your instructors from your account, in your name? Or threatened the President of the United States? Identity theft is a growing crime category. Strong passwords help to safeguard you from this threat.

3 Choosing good passwords - and using them

 "Sure, I use my dog's name for a password.His name is Aq!z73#H, and I change his name every 90 days"

This quip illustrates some of the basics of good password management: don't use any information about you that someone else knows; choose a string of characters that is very hard to guess; change your password frequently.

If only it were that simple!

In this section we offer suggestions for managing your passwords: how to choose them, how to safeguard them, how to keep track of them, how to retire them.

Every password has a life cycle. You choose a password, you use it for a while, and eventually you change it. Password security begins with making good initial password choices. All other security considerations mean nothing if you choose a weak password.

K-State has some helpful on-line information on choosing good passwords. Rather than duplicate their suggestions, we suggest you check out https://eid.k-state.edu/eProfile/jsp/faq/password.jsp#choose

Now here are some additional tips. We list them briefly, then explain in more detail.
  • Personal phrases can make good passwords
  • Don't use a K-State password on a non-K-State system
  • Use a variety of passwords with different security functions
  • Use only throwaway passwords on systems that store passwords in clear (unencrypted) text
  • Use only throwaway passwords on sites that do not encrypt your authentication session
  • Don't use variations of the same password on different systems
  • Do write your passwords down - but in a secure way

3.1 Personal phrases can make good passwords

Here are a few examples of how personal phrases can be turned into passwords:

  • My parents were married in Phoenix, AZ --> MpWMiPAZ
  • My Mother loves to cook Italian food --> MML2cIf
  • I used to live on Walnut street --> Iu2LoWs
  • My great-grandmother loved to make quilts --> mGGL2mq
  • When I was 9, my dog ran away --> Wiw9mdra

These examples illustrate a simple idea. The space of personally meaningful phrases is huge, and the same thought can be phrased in many different ways. It is very difficult for an attacker, even one who knows you well, to guess all possible forms of meaningful phrases and how they might be rendered as a password.

3.2 Don't use a K-State password on a non-K-State system

The passwords you use on K-State systems may be compromised if you also use them on non-K-State systems. Don't risk the security of your K-State account by using a familiar K-State password on non-K-State systems.

Here's the problem: you have no way of knowing how securely your password information will be managed. For example, some financial service companies have kept customer passwords in clear text (!) which means your password is visible, without decryption, to employees or customer service representatives. Companies like these are using one of the very worst password security practices.

So: Don't use K-State passwords for bank account passcodes, internet site passwords, credit card or ATM card passwords, etc. This is a risk you just shouldn't take.

3.3 Use a variety of passwords with different security functions

The use of passwords has exploded in the last few years as many internet services require users to authenticate. Financial services, email services, information services, websites, portals ... these are just a few examples of services that rely on passwords to authenticate users.

Before this explosion, the classic advice was to use a different password for everything. That's still good advice, but it is almost impossible to follow in practice. Requirements to change passwords frequently compound the problem.

A good compromise is to use a handful of passwords with different security functions. Work out a personal scheme for yourself, perhaps something like this:

  • HIGH-LEVEL PASSWORDS: for your banking, other personal financial services, or anything else where security is very important. Any password which gives access to personal information about you, allows someone to act in your name, allows financial transactions or purchases, or allows the assumption of legal obligations, deserves high security. WORK AND PROFESSIONAL PASSWORDS, such as your K-State passwords, fall into this category.
     
  • LOW-LEVEL PASSWORDS: passwords in this category are close to zero security, with no significant consequences if they were known to other people. Examples are websites that ask you to register to receive information (newspapers) or some small service.
     
  • MEDIUM-LEVEL PASSWORDS: This is the hard-to-define, somewhere-in-between level. These could be for websites you use frequently, chatrooms ... uses where security breaches would not have catastrophic consequences.
     
  • THROW-AWAY PASSWORDS: These are "zero-level", sacrificial passwords. Use these when you believe compromise or disclosure of your password is likely, or when exposure of your password would be of no consequence. One example: some email lists will mail subscribers a "status reminder" once a month, with their password (in clear text). Because they store and transmit passwords in clear text, you should use a throwaway password.

3.4 Use only throwaway passwords on sites that store passwords in clear (unencrypted) text

You may be surprised to know that some companies (including banks, credit card companies, and other financial service providers), and some internet services, store your password in their systems in clear, unencrypted text. This means that employees have access to your password, or your password could be stolen by internet site crackers. Some email list services periodically mail you subscription status reminders, with your password helpfully listed (!).

Companies may do this in the mistaken belief that this provides better customer service. And unless the company discloses their password management practices, as we do (section 1.4, above) you may not be aware of their poor practices. Our advice: whenever you know or suspect that a company uses poor password security practices, use a "throwaway" password.

3.5 Use only throwaway passwords on sites that do not encrypt your authentication session

Most web sites will provide a secure (encrypted) session when you enter your login identification and password. K-State's Webmail and KATS services are examples of this. This means that the authentication dialogue is encrypted as it passes through the internet, protecting your personal information from exposure.

How can you recognize a secure (encrypted) session?

  • You will see a small "closed padlock" icon in the browser to confirm that the session is encrypted.
  • The web page URL will begin with "https://" (secure HTTP) instead of "http://"

If the web site does not provide a secure encrypted session, your password or other confidential information is at risk.

3.6 Don't use variations of the same password

You may be tempted to use variations of the same password on different systems, for example

  • ex27ksu .... for your central K-State computing account
  • ex27engg ... for your College of Engineering account
  • ex27msn .... for an MSN email account

That may make your passwords easier to remember, but if a single password is compromised, the other passwords are easily guessed.

3.7 Write your passwords down - SECURELY

Once upon a time our advice about password security included this statement: "Never write your passwords down". But this advice is almost impossible to follow today, when you may have dozens or hundreds of internet-accessible services you use, with a bewildering variety of login names and passwords.

Better contemporary advice would be "Write your passwords down - securely". In fact, because your login name will probably vary from site to site, you need to write down the login name-password pairs that you use for various services.

One way to keep this list secure is to choose a "master password" (or passphrase) that you use to encrypt your list of login name-password pairs. Because this is the "key" that unlocks all your other passwords, it should have the highest security. It should be the one thing you will always remember, will never need to write down, will never disclose to anyone, and which no one else could possibly guess.

Modern encryption algorithms based on long keys (from a long password or passphrase) are nearly unbreakable. About the only thing that seems to work is to exhaustively try every possible key in the key space; some key spaces would take billions of years to search exhaustively.

This level of security has two interesting consequences.

  • The security is so strong that you need have no great concern about copies of your encrypted password file falling into other hands. You can leave multiple copies lying around in convenient locations if you wish. If you really believe in the strength of the cryptography, you can make it conveniently downloadable from a web page, giving yourself (and the whole world) convenient access from any location.
  • But... If you ever forget your master password (or passphrase), your information cannot be recovered. You are in the same position as everyone else who does not know the master password.

We recommend the free program Password Safe, which can store your passwords safely in encrypted form, revealing them only when you enter your master passphrase. It was originally written by Bruce Schneier, CTO of Counterpane Security, and uses his open-source, highly secure Blowfish algorithm. Bruce's Password Safe page has more details, and links to download his classic version or the newer open-source version from SourceForge.

We recommend using a newer version of Password Safe, available from SourceForge. Go to the project page http://sourceforge.net/projects/passwordsafe and follow the "download" link for the current version.

CAUTION: many password vault programs available for free on the internet have been named "Password Safe" by their authors. If you want the version we recommend, be sure to get it from the Password Safe project at sourceforge.net.

4 How to keep your passwords secure

Your passwords are secure as long as no one else knows them. Even if you have chosen strong passwords (ones that are unlikely to be guessed), you should observe good practices to preserve their secrecy throughout their lifetimes - that is, until you change them.

  • Choose strong passwords
  • Do not reveal your password to anyone
  • Do not let anyone observe as you type your password
  • Use only secure/encrypted connections to authenticate
  • Try to not use the same password for several applications
  • If you write down your passwords, encrypt them electronically
  • Use a spyware-free computer to enter sensitive information