How hard is it to crack a computer passphrase of 12 characters or more? Mathematically speaking, 67 million years, using sophisticated hardware, compared with 300 days to crack an eight-character password, according to Information and Educational Technology.

That, in a nutshell, is why all faculty, staff and students must start using passphrases instead of passwords by year’s end. The key differences are: passphrases are longer (ours will be a minimum of 12 characters, including spaces), and you can use words from the dictionary.

In other words, a passphrase can be a complete sentence, something that makes sense and means something to you, and hopefully, something you can remember (and no one else can figure out). The Passphrase Change Campaign website gives three examples:

• I Love My Dog.
• Aggie for life!
• FALL Quarter 2010

The password-to-passphrase switch applies to the campus authentication service and any others that use Kerberos passwords.

With an April 30 directive, IET launched its Passphrase Change Campaign for the campus authentication service, which governs access to such applications as SmartSite, MyUCDavis, MyInfoVault (faculty merit and promotion) and the wireless network.

Some people in the UC Davis community are already using passphrases: Anyone who created a computing account or initiated a password change on or after Dec. 8, 2009, and all freshman and transfer applicants for fall 2010.

But most of us are stiill using passwords — and IET is advising us to make the switch to passphrases between now and October.

Individual units may be using separate authentication services for unit applications and systems. Check with your information technology support staff to determine if you need to take steps beyond what IET has advised.

Federal agencies require strong passphrases

“Converting to a new passphrase is essential,” said Robert Ono, the campus’s security coordinator for information technology. “It will not only improve the security of campus computing accounts, it will also allow staff and faculty to access federal resources that require strong passphrases.”

Vice Provost Peter M. Siegel, the campus’s chief information officer, said campus password standards, implemented more than 20 years ago, fail to meet new federal requirements. “These requirements must be met in order for campus constituents to continue to use campus accounts to access federal agency resources such as grant applications and documentation,” he said.

Starting in October, if you have not already converted to a passphrase, IET will assign a termination date to your computing account’s password — the range of dates is approximately Oct. 11 to Dec. 3. Thousands of unconverted passwords could expire each day.

You will be reminded of your password’s expiration date every time you access a campus application that uses UC Davis authentication, starting two to four weeks before the termination. These notifications will stop after you upgrade to a passphrase.

“We really want to encourage everyone to upgrade before expirations begin in October,” Ono said. “The conversion to a passphrase is not optional for anyone for any reason. Those who don’t upgrade will not be able to access secure online campus services and resources after the December cutoff date.”

IET cautioned that it will not send individual e-mails notifying anyone of password expiration or computing account termination. As always, messages of this nature should be considered phishing scams and reported to the IT Express Computing Services Help Desk, (530) 754-HELP (4357).

Security upgrade includes new encryption

Conversion to passphrases is only one element of increased security for campus computing accounts. “Behind the scenes, as each account holder upgrades to a passphrase, the passphrase becomes encrypted using a stronger, more modern encryption type than was used with old passwords,” Ono said.

The encryption upgrade would have required a password change anyway, so, rather than change from one password to another, IET decided to make the switch to passphrases — thereby making campus computer security even stronger.

The decision, Ono said, came after a good deal of research and discussion with technologists and security experts across campus (including computer science professor Matt Bishop), and consultation with various campus constituencies.

Making the conversion

The conversion process begins here. Even though you are not technically “changing” your passphrase, click on “Change your passphrase” and follow the instructions.

As you type your passphrase, a meter will tell how strong a choice you have made: “weak” will not work, “good” and “strong” will do.

In the future, you can reset your passphrase any time you wish, from your computer, provided you know your existing passphrase or you have set up a series of security questions and responses, and you know the correct responses. If you have not already done this, you can do so as part of the process of choosing a passphrase.

“Once these questions have been answered, it’ll be easier to reset a passphrase whether it’s been forgotten or is believed to be compromised,” Ono said.

In the event that you forget your passphrase and the answers to your security questions, you will need to go to an IET-managed computer lab or seek assistance from your departmental proxy, if your department has one. Proxies are authorized to verify account holder identification for the purpose of changing passphrases.

MORE INFORMATION

Passphrase Change Campaign

This page includes the following links and information:

• UC Davis directive: Campus Computing Account Password Strengthening
• The difference between passwords and passphrases
• Creating a strong passphrase
• IET Account Proxy Program (including a list of departmental proxies who can verify your identity for the purpose of using the online system for changing your passphrase)
• Phishing scam warning

This page also includes a link to the computing accounts website, where you can:

• Set your passphrase (or change it)
• Test passphrase strength
• Configure your security questions and answers for the first time, or change them

AT A GLANCE

Password: seven to eight characters long, no spaces or dictionary words.

Passphrase: 12 to 48 characters, including spaces; dictionary words OK. No $ as the first character; no space as the last character.

A passphrase (just like a password) may include letters, numbers, punctuation and symbols (for example, #, % or +). With a combination of letters, numbers, punctuation and symbols, even a short passphrase will be stronger.

In creating a passphrase, you should avoid using personal information such as your name, login ID, Social Security number, birth date, children’s names or pets’ names — the same information that you should avoid using in a password.

Dates to remember:

• Convert to a passphrase between now and October.
• If you do not, your password will be assigned an expiration date, from approximately Oct. 11 to Dec. 3.

Questions and comments? security@ucdavis.edu