IET’s countdown clock for the switch to passphrases — required for all staff and faculty — is set to strike zero on Nov. 1.
At that time, passwords will start expiring, not all of them at once, but in batches over about a three-month period ending in early February — a time frame that is about a month later than originally announced. The password-to-passphrase switch applies to the campus authentication service and any others that use Kerberos passwords.
The campus is mandating the switch as a security measure — passphrases (a minimum of 12 characters, including spaces) are harder to crack than our seven- or eight-character passwords.
Information and Educational Technology launched the Passphrase Change Campaign in late April, encouraging people to make the switch sooner rather than later.
As of today (Oct. 15), nearly six months into the campaign, more than half of staff and faculty (more than 18,300 accounts) had set up passphrases. This figure includes anyone who, since Dec. 8, 2009, has created a computing account or initiated a password change.
Students also are required to start using passphrases (all freshman and transfer applicants for fall quarter started out with passphrases). As of today, out of 26,800 active student accounts, nearly 17,050 (almost 63 percent) were working with passphrases.
So, as of today, this is how many accounts still needed passphrases: about 11,800 staff and faculty, and a little more than 9,740 student accounts.
Robert Ono, the campus’s security coordinator for information technology, said 100 to 3,800 passwords will expire each day from approximately Nov. 1 through Feb. 3, excluding weekends and holidays.
Everyone who still uses a password will get two weeks’ notice of the password’s expiration date — the first notices are due out Oct. 18, two weeks before the first batch of expirations on Nov. 1.
Notice of your password’s looming expiration will appear on your computer screen every time you access a campus application that uses UC Davis authentication.
Ono cautioned that IET will not send individual e-mails, either advising you of your password’s expiration or asking for your password; as always, e-mails of this nature should be considered phishing scams and reported to the IT Express Computing Services Help Desk, (530) 754-HELP (4357).
“The conversion to a passphrase is not optional for anyone for any reason,” Ono said. “Anyone who lets their password expire will not be able to access secure online campus services and resources.”
Making the conversion
Passphrases, besides being longer than passwords, can include words from the dictionary. This means that a passphrase can be a complete sentence, something that makes sense and means something to you, and hopefully, something you can remember (and no one else can figure out).
The Passphrase Change Campaign website gives three examples:
- I Love My Dog.
- Aggie for life!
- FALL Quarter 2010
The conversion process begins here. Even though you are not technically “changing” your passphrase, click on “Change your passphrase” and follow the instructions.
As you type your passphrase, a meter will tell you how strong a choice you have made: “weak” will not work; “good” and “strong” will do.
In the future, you can reset your passphrase any time you wish, from your computer, provided you know your existing passphrase or you have set up a series of security questions and responses, and you know the correct responses. If you have not already done this, you can do so as part of the process of choosing a passphrase.
“Once these questions have been answered, it’ll be easier to reset a passphrase whether it’s been forgotten or is believed to be compromised,” Ono said.
In the event that you forget your passphrase and the answers to your security questions, you will need to go to an IET-managed computer lab or seek assistance from your departmental proxy, if your department has one. Proxies are authorized to verify account holder identification for the purpose of changing passphrases.
MORE INFORMATION
Passphrase Change Campaign
This page includes the following links and information:
- UC Davis directive: Campus Computing Account Password Strengthening
- The difference between passwords and passphrases
- Creating a strong passphrase
- IET Account Proxy Program (including a list of departmental proxies who can verify your identity for the purpose of using the online system for changing your passphrase)
- Phishing scam warning
This page also includes a link to the Computing Accounts Services website, where you can:
- Set your passphrase (or change it)
- Test passphrase strength
- Configure your security questions and answers for the first time, or change them
AT A GLANCE
Password: seven or eight characters, no spaces or dictionary words.
Passphrase: 12 to 48 characters, including spaces; dictionary words OK. No $ as the first character; no space as the last character.
A passphrase (just like a password) may include letters, numbers, punctuation and symbols (for example, #, % or +). With a combination of letters, numbers, punctuation and symbols, even a short passphrase will be stronger.
In creating a passphrase, you should avoid using personal information such as your name, login ID, Social Security number, birth date, children’s names or pets’ names — the same information that you should avoid using in a password.
Dates to remember:
- Convert to a passphrase by Nov. 1.
- If you do not convert to a passphrase, your password will be assigned an expiration date, from approximately Nov. 1 to Feb. 3.
Questions and comments? security@ucdavis.edu
Earlier coverage: “Passwords out, passphrases in” (May 7, 2010)
Media Resources
Dave Jones, Dateline, 530-752-6556, dljones@ucdavis.edu