- Passwords must be at least 8 characters long and can be up to 20 characters long.
- Passwords must contain at least:
  - One numeric character
  - One symbol character (examples: ! # $ @ % ^ & ? +)
  - One upper case character
  - One lower case character
Similar security policies have been in place in many organizations for a long time and are perceived to make our systems more secure, yet they do raise the question: is there a specific security vulnerability or attack that this is designed to counter, or are we just following the procedure because "it's the way it has always been done"?
There is an ongoing debate about which is more secure: requiring more frequent password changes, or enforcing a really strong password requirement but not requiring users to change it.
The same arguments are used by both sides:
- Frequent changes will certainly make sure that half the office has stickies with their password on their monitor or under their keyboard.
- Requiring really strong passwords will certainly make sure that half the office has stickies with their password on their monitor.
- Frequent changes will make users pick the weakest password that still meets the requirement, adding a rotating number to the end that changes at every expiration.
- Really strong passwords will cause more users to call the help desk for password resets.
The arguments go on and on. So what are your thoughts? Which approach is safer?
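To make the policy above and the "rotating number" objection concrete, here is an added example in Python (not part of the original post): it checks a candidate password against the stated rules and flags a change that merely rotates the trailing digits or symbols, or differs from the previous password by only a couple of edits. The rule names, the helper functions and the two-edit threshold are my assumptions, not anything the post specifies.

```python
import re
import string

# Policy as stated in the post: 8-20 characters, at least one digit,
# one symbol, one upper-case and one lower-case letter.
MIN_LEN, MAX_LEN = 8, 20
SYMBOLS = set(string.punctuation)  # covers the post's examples ! # $ @ % ^ & ? +


def check_complexity(pw: str) -> list:
    """Return the policy rules the candidate password violates (empty = compliant)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a numeric character")
    if not any(c in SYMBOLS for c in pw):
        problems.append("needs a symbol character")
    if not any(c.isupper() for c in pw):
        problems.append("needs an upper case character")
    if not any(c.islower() for c in pw):
        problems.append("needs a lower case character")
    return problems


def _core(pw: str) -> str:
    """Strip the trailing digits/symbols and case so 'Password123!' and
    'Password124@' reduce to the same core ('password')."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(new_pw: str, old_pw: str, max_edits: int = 2) -> bool:
    """True when the 'new' password is the old one with a rotated suffix
    or at most `max_edits` character changes (assumed threshold)."""
    core_new, core_old = _core(new_pw), _core(old_pw)
    if core_new and core_new == core_old:
        return True
    return _edit_distance(new_pw.lower(), old_pw.lower()) <= max_edits


def evaluate_change(new_pw: str, old_pw: str) -> list:
    """Combine both checks, as a password-change handler would at the moment
    it still holds the verified old plaintext and the proposed new one."""
    problems = check_complexity(new_pw)
    if is_trivial_rotation(new_pw, old_pw):
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample changes: the rotation pattern the post describes,
    # a one-character substitution, and a genuinely new password.
    for old, new in [("Password123!", "Password124@"),
                     ("Password123!", "Passw0rd123!"),
                     ("Password123!", "Tr0ub4dor&3xyz")]:
        print(f"{old} -> {new}: {evaluate_change(new, old) or 'accepted'}")
```

The similarity test only works at change time, when the server has just verified the old password and therefore has its plaintext; it cannot be run later against a stored hash.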
Personally, I think the really strong password requirements and less frequent changes is a better approach. A person will come to memorize their password and will not need to write it down. The constant changing of the password is what forces people to forget it and have to contact the help desk to reset it. Having to change the password does force people to change only 1 digit of the password at a time which seems to defeat the purpose to begin with. I know a majority of TCNJ students use this tactic because I have discussed it in passing with many peers since the new rule was implemented. Assuming both options are secure and viable, implementing strong passwords with less frequent changes seems to be more convenient and logical.
I believe that with the advancements in technology in today's world, if a hacker would like to get access into your personal files, he could decipher any password. Frequent changes, even if it is sometimes changing one number of your previous password, could make the difference. I say this because putting a time restriction on passwords also sets a time restriction on hackers, making it more difficult.
Yasmin Brea
Jasmine Beltejar
I agree with Yasmin that the frequent change of passwords seems best fit to best protect oneself. Though I can understand Christiana's argument that the enforcement of constantly changing passwords causes people to forget it; similarly, it may not even make a difference given some people only change one digit, not using the opportunity to make the strongest password. Yet, Yasmin is right to say that a hacker could discover any password. The only way to prevent this possibility is frequently changing one's password. However, to better the system, people should be more aware and knowledgeable of how to create strong passwords. To Christiana's point, if the person merely changes the password by 1 digit, it is not effective. Through being more aware of protecting one's cyber identity, only then can people truly care to make a password that is effective and memorable.
I think if a hacker was desperately trying to hack someone's account, 90 days would be more than ample time to do so. My concern is that the argument to say that the hacker will have difficulty hacking an account that 1 digit changes every three months seems irrelevant. I am not technologically savvy or accustomed to hacking techniques, so if it does take a hacker well over 90 days to hack a single account then yes, I would be more willing to support the opposite argument.
I believe that requiring really strong passwords is the best way to go. When we’re required to change our password frequently, people will just make them as simple as possible. But, if you require really strong passwords, even though they may cause a problem at first, people will eventually come to remember them like they do with any elaborate number or code they have experienced in the past. I don’t know enough about computers to know which is definitely safer, but I do know that people get way more aggravated at having to change passwords all the time than they do if they just have to create one abnormal password.
There is one issue though with the really strong, one-time passwords. That is that since it would be bound to satisfy any website’s minimum requirements, it may become the only password that people implement. At that point the strength of the password is diminished because, like we went over in class, if someone is able to obtain it from one website, then they’ve got ‘em all. At the end of the day, it is way easier for people to be reactive rather than proactive, and until they experience a direct attack from a weak password these requirements will always cause an aggravation.
Olympia Lagonikos
I agree with longer passwords being better than frequent changes. I also agree that, while a problem at first, they will be remembered in the long run. When writing my response, I did not think of the one password being used over many sites. However, even though that password might be used on multiple sites, it would be very hard to initially figure out.
Olympia Lagonikos
Having really strong passwords with less frequent required changes is the best way to go. In class, we spoke about how hackers take a very long time to figure out even the shortest passwords. If passwords are lengthy, with random word/letter combinations, with capitals and symbols in them, the passwords would be very hard to guess. While a complicated password could call for a sticky note on a monitor, the fact that it won't be frequently changed will enable the user to remember the password, not needing the sticky, and be very secure. Changing a password very frequently usually calls for very short, simple passwords that usually have a meaning to its user so they can remember it. The passwords may not differ greatly between the changes. For example, a password can be Password123! and after the 90 days can be changed to Password123@ and be considered new. Having a long, complicated password is definitely the way to stay secure.
I agree with your argument, but I feel that the time you have a sticky on your monitor while trying to remember your password can leave you vulnerable to nosy friends who want to log in to your account to see your grades, for example.
Leo Yang
Josh Garzio
I agree; for someone to get into your account through hacking would take forever even with TCNJ's password strength policy right now. If they were to raise the standards a bit more for password strength they could definitely lower the time needed to change it, if they even needed to change it at all. I feel that changing it every 90 days like they do now is just unnecessary.
There is no one side which is right to this argument. Strong passwords will take longer for a hacker to hack into, but are harder to remember, so you might write it down on a sticky somewhere so you don’t forget. Whoever sees this sticky will know your password and get into your account with ease. Changing passwords frequently also makes it harder to remember, which makes you do the same thing, and get hacked just as easily. The chain is as strong as its weakest link. And in these two cases, the weakest links are the sticky notes you write down so you remember your passwords, and the strongest links are strong passwords and frequent password changes. How do we strengthen this link? The answer is to join the two chains and weaken the two strongest links in order to strengthen the weakest link. To create a password that is hard to hack into, you have to find the balance between difficulty and frequency. You have to create a password that is moderately hard for hackers to hack into, yet easy enough to remember that you don’t have to write it down somewhere and get your account hacked. For example, you can require an 8-20 character long password that contains a numeral, a lower case letter, and an upper case letter, but not require a symbol to be in your password so it’s not too hard to remember. This way you won’t be tempted to write your password down somewhere. Also, you can lengthen the effective days of a password to once a semester so it’s easier to remember. With these two combined, you can create a password strong enough that hackers won’t have enough time to hack into it, and easy enough to remember that a nosy friend won’t stumble upon your password and use it to log in to your account.
Leo Yang
I believe that the TCNJ password policy is very effective. TCNJ’s password policy is a very good security practice and should be embraced. This security practice allows for the periodic changing of passwords to ensure the protection of all private documents. Changing the password periodically will make certain that any hackers will not guess the password since it is ever changing. This is a great idea because, being college students and being overwhelmed with many things at the same time, I believe that easy passwords will be made that will be easy to hack. Requiring students to change their passwords will require students to think of good passwords that must include capital letters, numbers, cannot be the same as the previous, etc. Having one very good password is not a good idea because in today’s day, where technology is very advanced, passwords can be easily discovered. Therefore, changing it periodically is better since it gives hackers a limited time frame to discover the encrypted password. Though temporary passwords are very tedious, they are safer and should be followed. We must continue to follow these policies because the privacy of our hard work and effort is in jeopardy and we have the right to privacy and property, especially when we work very hard on assignments.
Yasmin Brea
Andrew Katz
I understand your point on this issue of password protection, but I’m against your stance. Changing passwords constantly ends up making the passwords shorter, and most of the time weaker. This may just be my situation, but all of my passwords are very similar to the old ones. As you mentioned, college students don’t have that much time, so when forced to constantly change their password, most of the time the passwords are quick and easy to remember. These passwords, even though they expire after 90 days, are easier to hack into than longer passwords. If it takes a skilled hacker roughly a few months to get into a good password, it could take them weeks to get into an easier one.
I agree with Andrew's rebuttal that people choose weaker passwords when they are forced to change them due to the convenience of it. Hackers are skilled and, yes, will probably have an easier time breaking through a weaker password. This is why I believe that one strong password is sufficient for a while, and if someone feels they need to change it, they can do so on their own.
Andrew Katz
I believe that the best approach to security is by requiring long passwords that you change less often. This allows the user to memorize their password, and be able to remove any “sticky notes” that they may have to help them remember their password. Also, longer passwords are, for obvious reasons, tougher for hackers to get a hold of. As we mentioned in class, long passwords take months for a good hacker to get a hold of. Changing passwords constantly is also a big annoyance to the users, and typically ends up making the passwords a lot weaker than they would have been if it were required less. Specifically using TCNJ’s password policy, because we are forced to change our password every 90 days, I make my passwords relatively easy to remember and type. All of my passwords have been relatively similar to the old one with just one small change. These shorter passwords are easier for hackers to get, and this is why longer passwords are better.
I agree with your point on the sticky notes; if a user only has to adapt to one long password, they will eventually have it memorized and be able to rid their space of that sticky note. A constant update may make it more complicated for a hacker to break into the system, but much easier for someone who shares the same office space, for example, because the password could be lying right in front of them and then accessing any accounts can happen without any computer tracking.
Marty Costello
I understand your point that a very strong password is better than a series of weak and hard-to-remember ones. However, even the strongest password can be eventually cracked by a hacker. Although many people only slightly alter their password, this actually has the advantage of frustrating a hacker and preserving an easily remembered password. For this reason, I think that frequent changes are preferable, even if passwords are barely altered.
I think having one password and making it as strong as possible is a better method because it would get out of hand for users to have to remember a new password every time they update it, and going off of that, if that password has to have certain requirements and has to be constantly changed, users will forget their passwords more often. I think the one password method is better because those users who would like to be overactive on their security have the ability to change their password however often they please. Making the change mandatory isn't so much appropriate because each user's privacy is up to them. If they don't care to make complex passwords to protect themselves in the first place, then the aftermath is their fault. It's impossible to protect everyone; some ownership has to be taken, and the users should take it upon themselves if they want to continually update their security and privacy.
I completely agree with you that having to remember multiple passwords is difficult enough, but when you add in the idea of having to remember multiple possible passwords for just one site out of many, it becomes too much of an issue, and I feel like it discourages people from creating strong passwords in general, as they will most likely just make an easy one to remember and possibly get hacked. I also agree with the idea of having it be on the client's behalf if they elect to not change it so often; it should be recommended but not mandatory.
Geoff Longmuir
Jasmine Beltejar
Passwords are meant with the primary goal to protect one's identity. Too many people may associate and devalue their password as something that they must remember. Yet, the possibility of hackers is very real; individuals should be more aware of their vulnerability online. Also, given the unpredictability of when a hacker may try to access your information, I suggest that the solution is to frequently change one's password. This is the safest and most secure way to ensure you are safe. A hacker can access your password given today's advanced technology. It is easier to be vulnerable online. Yet constantly changing one's password to passwords that are strong is the only way to protect yourself. Individuals should be more open to the concept of what constitutes a strong password as well.
Ali, I agree that having one very difficult password is a better approach. Although, I have been a part of systems that have made a person have extremely difficult passwords and still change them every three months. For example, the military's online paying site (MyPay) made me have a 16 digit password with 4 numbers, 4 capital letters, and 4 symbols. I made it something I could remember, then rotated the symbols I used. For this type of site I did not mind changing the password because I knew it dealt with a lot of sensitive information. But for other sites I find the process to be annoying because the information the password is guarding seems to be frivolous. But as I have learned in class, gaining access to one site can allow a hacker to gain peanuts on a trail to access more important information. So for me the jury is out; I think a person should be cautious of their online footprint and the passwords they use.
Marty Costello
I think that frequent changes to passwords with strength requirements are the best policy. The post points out that people will have written copies of their passwords in any scenario, so frequent changes will not exacerbate this significantly. Although users may only change small details of their passwords, the strength requirements will ensure that these passwords are still robust. I think that explaining the nature of password strength to users, instead of only requiring certain elements, would help them to choose stronger passwords and to protect themselves. Frequent changes seem to be the best way to frustrate hackers and protect user accounts, as long as these passwords are strong.
Josh Garzio
In my opinion, keeping the same strong password is the best approach. When you look at the pros and cons of both sides, it makes more sense to me to use this approach. Changing a password every 90 days is a burden. You have to go through the process of changing it or else you cannot get into your account. And on top of that you have to think of another secure password and memorize it every 90 days. If you can create a password that is almost impossible to guess and is kept secure by only using it for school purposes, then changing it is not needed. What would probably work best is to raise the password strength standards and require a password change once a year instead of every 90 days. That way it isn't as much of a burden but will still make the account safer.
Mike Ballou
Having one strong password that never changes is the best approach. I know myself and many others who solely change the number in their password every time it expires. Having one extremely strong password that only needs to be memorized once is a much better approach. Most people will be able to remember one password without leaving it written down at their desk. However, when the password frequently changes it becomes difficult to remember what your current password is.
I agree that having one solid, strong password is better. Although it may be safer to keep rotating passwords, there is only so much you can remember and so many variations you can use of the same easy-to-remember password. As long as your current password is strong and meets the requirements of having at least one letter, special character, uppercase, number, etc., I don't see the absolute need to change it once every 90 days.
Jordyne Chanley
I think that frequent changes will be more efficient than strong password requirements. People have so many different accounts (Facebook, personal email, school email, online banking, etc.) and therefore have the opportunity for many different passwords. Most people (myself included) utilize the same password over and over again to ensure proper memorization. But this leads to the problem that just recently occurred with the Heartbleed bug, where people were at risk of stolen information. People were encouraged to change their account passwords in order to not be affected; therefore, if their passwords were routinely changed you would be in less danger of hacking, and it creates less of a pattern for the hacker. Although frequent changes are quite inconvenient, I believe they provide more online security.
Samantha DiGrande
The safer route is definitely to change your password every 90 days. While I know that I myself only change the numbers involved, it still makes it more difficult for hackers to gain access. Requiring really strong passwords would only guarantee that people have to write it down somewhere. Changing our passwords every 90 days is somewhat inconvenient, but when you compare that to the importance of keeping your account protected, the benefit clearly outweighs the negatives.
I don't quite agree with your assumption that the frequent, smaller passwords are better. Not many of us truly know how hard it is to hack something, and considering how often there are cyber attacks, I truly doubt one is far superior to the other. One of the interesting things I think the mandatory password changes do is that they give people a false sense of security. If a basic password can't protect us, then I doubt a basic password every 90 days is that much better. I would say the safest route is just to use as many different passwords as one can without hassle and use the internet with discretion.
Jordyne Chanley
I agree that frequent changes of passwords is more secure. By constantly changing the password it allows for less utilization of the same password, which will keep hackers from seeing the same pattern of criteria, and hopefully the passwords become more random and not so personalized, which will also make it harder to crack. It is inconvenient, but I would have to agree that online security is more important than my comfort.
Geoff Longmuir
When it comes to the idea of password security, the longer and stronger passwords are the route to go. Keeping a password constantly changing may seem like a good idea to keep hackers guessing, but honestly mandatory changes that are forced upon the client usually make them not try very hard in developing a strong password in general, and rely more on the password changing than the password strength itself. What I mean is, it somewhat enables people to create less strong passwords from the start, and if you don't start with a strong password each and every time then a hacker will have no problem gaining access no matter how many times you change it. The longer and stronger passwords that do not require as much change encourage a strong password from the start that will make it more difficult for a hacker to gain initial access. I feel like unless you are a big-time CEO or political figure, a hacker would rather go for an easy score with an easy initial password rather than the daunting task of a really strong and secure one. It is a proper balance of security and convenience for the client that also caters to the human element of it all.
Mike Ballou
I agree that stronger passwords are more important than frequent changes. Password strength beats frequency of change. Also, many people only slightly alter their password to make it easier to remember, which creates another problem.
I believe that it is a good thing that TCNJ is trying to protect our privacy and give us security by making us change our passwords every 90 days. I had thought, before reading some of these comments, that this was just a tedious repetitive thing that no one really took seriously. I don't think that people realize how important having a strong password is, because no one ever thinks that hacking or anything like that will happen to them. I'm not positive if TCNJ has a requirement to protect us like this or if they are just doing it to help us, but either way it is something that most people would probably never think of. Also, we wouldn't know this without any data, but this new practice may have actually decreased the amount of hacks and privacy breaches that have occurred on campus. I do think that a solid, strong password that meets all criteria should be efficient; however, as I have read these comments, I have learned that changing your password, even slightly, may confuse a hacker, which benefits everyone's privacy in the long run.
I do agree with you that a strong password is important, but I feel that it is often not needed to create a new one so often. One strong password is enough to keep most people safe. I do believe that each account should have its own password in order to ensure that accounts can't be hacked together. However, one strong password per account should be more than enough to keep accounts and information safe. -Mina Himaia
Zach Sedarat
This debate is definitely one that I would have to refer to the expert opinion. I do not know enough about cyber security to truly establish a definite answer, but I see both sides. Although longer, more complex passwords may be harder to memorize, I believe it is the responsibility of the account owner to safeguard their information. Shorter passwords may be more convenient, but they seem very fragile and risky after learning all of the new information about hacking in class. In this case, I would follow the recommendations of the administration. As an analogy: if car locks were becoming easier to "hack" then I would probably follow any recommendations from Jeep to change or upgrade them. If changing my password every 90 days will help ensure my online security, then I personally do not think that it is too much of a hassle to be responsible for recording my information in a secure location in order to remember.
I think requiring a one-time strong password is safer than requiring frequent password changes because frequent password changes cause people to use the method of changing only the last number, essentially rendering password changes useless. In this way, students might as well be stuck with simple long-time passwords because changing a number at the end is not going to deter a hacker. Also, I don't think people would necessarily write down their password in order to remember it. A password should be something that can be easily remembered, and I think it's possible to remember a difficult password without having to write it down. If a person picks their favorite quote from a movie and turns it into an acronym, they can create a password that will be easy to remember and will not easily be guessed by a hacker. For instance, if you really like the 2002 movie Spiderman, and you think the quote "With great power, comes great responsibility" is awesome, then your password can be wgpcgr!2002. This way, you have a difficult to guess password and you can easily remember it.
Jordin Robinson
I believe that having a more frequent password is safer than creating a very difficult password. Most people that intend on misusing various computer accounts tend to have very slow working programs that are fairly inefficient in deciphering passwords. Given the long time period it takes for the programs to work, the frequent password changes will often erase any previous successes. Some passwords that don't have to be changed may be relevant to a person at a time; however, if it is not committed to memory, forgetting the password is an often circumstance. Having frequent changes allows people to make passwords that are relevant in the present and provide less chance of forgetting the password in the future.
Will Sulpizio
I never considered the idea that because people are forced to change passwords more frequently they will choose more meaningful passwords. However, at a certain point I believe you would have to run out of meaningful passwords to commit to memory. I agree with your point that deciphering passwords takes time, and the stronger they are the longer they will take. For this reason I would propose people should be forced to create stronger passwords but less frequently.
The idea of changing a password every 90 days may seem appealing, but realistically it comes with a few problems. Running through many passwords can often cause people to forget their passwords. On top of that, not all passwords will be equally strong. Having one strong password will be easy enough. There is no risk of forgetting a password if it is a strong one. I do agree, however, that important accounts should not all be under the same password. - Mina Himaia
Jordin Robinson
I believe such an idea is not complete in thought because even though it may be a burden to change the password frequently, I believe that the overall security of the changes counteracts this. Sacrificing burdens for overall safety and security seems like a decent trade-off to me.
Will Sulpizio
I believe that changing your password every 90 days is a hassle and unneeded. If students and staff were required to create stronger passwords and change them less frequently, the same goal would be achieved. This would decrease the number of students and faculty who would write passwords down in order to remember their new ones. At the same time, because the passwords are stronger they will still be just as secure. In conclusion, I would propose students and staff members only have to change their password every 3 semesters and in turn must create stronger passwords.