November 17, 2005
So It Begins
Beginning January 3, 2006, Case network ID holders will be prompted to change their passwords to conform to the standards of the quality password program. Users will be able to change their passwords through a convenient self-service online feature.
A robust quality password will require the following:
Must be a minimum of eight (8) characters in length,
Must include at least three of the following four categories of characters: uppercase letter, lowercase letter, number, and punctuation (such as #, $, !, etc.),
Must not be a dictionary word or common term (such as GoBrowns!),
Must not resemble a user's network ID or name.
Well, my current password only meets two. I guess I will have to add an uppercase letter or use punctuation. Good luck guessing it (HINT: 7958661109946400884391936 possible combinations for my length and character set). I guess that just isn't secure enough ;)
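The four announced rules as a checker, set beside the keyspace arithmetic behind the hint above. This is an added example, not code from the post or from Case ITS. The word list, the network ID `abc123`, the name `Pat Example`, the sample passwords and the substring reading of "resemble" are all constructed assumptions. The quoted figure equals 36^16, which is what 16 characters of lowercase letters and digits would give (an inference, not stated in the post).

```python
import string

# Constructed stand-in for a real dictionary / common-term list.
COMMON_TERMS = {"gobrowns", "password", "welcome", "cleveland"}

def categories(pw):
    """Return which of the four character categories occur in pw."""
    found = set()
    for ch in pw:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        elif ch in string.punctuation:
            found.add("punct")
    return found

def core(text):
    """Lowercase and keep letters only, so 'GoBrowns!' compares as 'gobrowns'."""
    return "".join(c for c in text.lower() if c.isalpha())

def check_policy(pw, network_id, full_name):
    """Return the names of the announced rules that pw fails (empty = accepted)."""
    failures = []
    if len(pw) < 8:
        failures.append("length")
    if len(categories(pw)) < 3:
        failures.append("categories")
    if core(pw) in COMMON_TERMS:
        failures.append("dictionary")
    # Assumption: "resembles" means the ID or a name part appears inside pw.
    idents = [network_id.lower()] + [p for p in full_name.lower().split() if len(p) >= 3]
    if any(i in pw.lower() for i in idents):
        failures.append("resembles-id")
    return failures

def keyspace(length, alphabet_size):
    """Number of possible passwords of exactly this length over the alphabet."""
    return alphabet_size ** length

if __name__ == "__main__":
    user = ("abc123", "Pat Example")  # constructed network ID and name
    for pw in ("k3x9q2m7w4z8p1t6", "GoBrowns!", "Tr7#mq2v", "Example#2006"):
        print(f"{pw:18} fails: {check_policy(pw, *user) or 'nothing'}")
    print("36^16 =", keyspace(16, 36))  # 16 chars of lowercase letters + digits
    print("94^8  =", keyspace(8, 94))   # 8 chars of all printable ASCII
```

The 16-character two-category password is rejected on the category rule alone, while an 8-character password that satisfies every rule draws from a far smaller keyspace.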
I'm glad this is finally getting pushed through. I can't wait to see the number of calls to the Help Desk spike on January 3rd when irate staff, faculty, and students can't check their e-mail. Ironically enough, this is because they don't read their e-mail, which is because of all the crud that gets sent to case-campus...
Which leads me to my opinion of this e-mail. ITS e-mails are definitely above the average in terms of quality. Positive points for: only being sent once a month, containing short blurbs with links to more info, being relevant to me. Negative points for: no HTML presentation-- plain text is hard to read, I can't select to opt out. However, considering this e-mail reflected a policy change regarding network passwords, it NEEDS to be delivered to everyone on campus. At least it is not about a bake sale or cheap refrigerators or some entertainment book.
In related news, does anyone find it humorous that Case sent out the e-mail about the cheap refrigerators in the same week they sent one about energy conservation on campus? Perhaps RHA should discontinue their sale in favor of preventing my tuition from increasing to help pay the university's electric bill.
Comments
This is the second post advocating HTML email.... I am going to come out for the other side. I prefer plain text email to HTML mail. Plain text mail loads instantaneously (as opposed to just fast), and plain text email authors tend to get to the point near the beginning of the mail, rather than including a header that needlessly fills the first screenful with a large banner image or a gaudily formatted headline. In my opinion, the recent ITS mailing was perfect - would that all mass emails were like it.
By the way, my password already meets the requirements. Score one for pwgen! (It is now firmly ingrained into my memory, though, so I hope I can keep it.)
I hate HTML email as well. I'm pleased they use plain text.
Keep the language simple. While it's great that our audience contains college students, they should have explained what "pharming" is in simpler terms.
In fact, I'm surprised they're even warning against pharming and not against phishing. In a successful pharming exploitation, it is possible to make it look like the real deal - including the padlock (SSL) and, at the very least, a self-signed certificate. There is really very little you can do to protect yourself, as the problem is not with yourself but on the DNS server. The more common attack in emails is phishing, which is detectable by the end user.
Example of phishing:
http://www.disneyworld.com
http://www.disneyland.com
Disneyland takes you to Disneyworld and Disneyworld takes you to Disneyland.
Always be on the lookout for emails that take you to addresses that are all numbers (Example: http://209.231.23.1/etc/etc) or places that aren't the site they claim to be!