TheSinner.net

IT password "threat"

This message board is for discussing anything in any way remotely connected with St Andrews, the University or just anything you want. Welcome!

Postby n01 on Fri Apr 06, 2007 11:05 am

Quoting E-mail from IT

Dear Student

Recently the University of St Andrews Network Support Team performed
security maintenance routines on the University's computer network system.
These essential procedures are implemented at selected times and include
steps to test the security of the password attached to your University of
St Andrews computer account.

During the testing phase the password for your University computer account
was identified as being unsafe, because it is too easy for a "password
cracking" computer program to "guess" it. We are asking all users whose
account passwords have been identified as being unsafe, to change them.
Please change your password within 14 days of today (5 April 2007).

A further check will be made at the end of the fourteen day period which
will highlight all those accounts that have not been altered. Accounts
still found to have an insecure password at the end of the fourteen days
will be disabled without further notice. If your account is disabled you
will not be able to access your email or use the PCs or printers in the
computer classrooms. To have your account re-enabled you will have to
visit the IT Helpdesk, which is situated in the main library building, to
change your password.

Further information regarding passwords can be obtained at the link below.
http://www.st-andrews.ac.uk/its/registration/index.html
This page provides advice on creating a secure password, and a link to the
web-page that you should use for changing your password.


Does anyone find it a bit harsh that they'd cancel your account... this hardly seems legitimate on the basis of the threat of blocking the e-mail login etc... but in its syntax it seems pretty real. Did anyone else get this e-mail?
n01
 
Posts: 327
Joined: Mon Dec 08, 2003 6:01 pm

Re:

Postby househunter on Fri Apr 06, 2007 11:11 am

No I didn't receive this email. Probably because my password isn't password or my date of birth.

If your password is a dictionary word then it would take a hacker very little time on a home computer to crack your password.

10 digits with random numbers and letters should be fine.
househunter
 
Posts: 379
Joined: Thu Apr 15, 2004 2:08 pm

Re:

Postby n01 on Fri Apr 06, 2007 11:19 am

Dunno, mine meets the standard set on the page they linked to... has numerals mixed in with letters. I just found it odd that they would shut down your account if you didn't change your password... was just wondering if it was a hoax.

Quoting Househunter from 12:11, 6th Apr 2007
No I didn't receive this email. Probably because my password isn't password or my date of birth.

If your password is a dictionary word then it would take a hacker very little time on a home computer to crack your password.

10 digits with random numbers and letters should be fine.
n01
 
Posts: 327
Joined: Mon Dec 08, 2003 6:01 pm

Re:

Postby househunter on Fri Apr 06, 2007 11:30 am

Doubt it would be a hoax, they've done this kind of thing in the past.

I think it was in 2003 they threatened to cut Internet access off from any student on Resnet who had XP but didn't have it fully updated.

This is all just a cull of bad passwords, they probably won't do anything, but it'll frighten a good few into changing their passwords to something other than password or their boyfriend or girlfriend's name.
househunter
 
Posts: 379
Joined: Thu Apr 15, 2004 2:08 pm

Re:

Postby username on Fri Apr 06, 2007 6:21 pm

How do they know if the password is not secure? Is it not encrypted? Not that it would be impossible to find out but I doubt they did this for all passwords...
username
 
Posts: 44
Joined: Wed Jun 29, 2005 1:38 pm

Re:

Postby Freaker on Fri Apr 06, 2007 8:08 pm

There are certain passwords that are easy to crack. Those are either commonly used ones (I presume there are lists about on the internet), or dictionary words. You may think nobody would ever guess a ten-letter password - but if it is a dictionary word, someone running it past a dictionary file in a password cracking program will have it in a matter of seconds. Same with really short passwords. Adding a single letter to a lowercase text password will make it 26 times more secure, not to mention adding a character and/or number somewhere.

We had good fun back in high school getting access to the school's main computer for demonstration purposes in presence of the IT staff to show him that his system was insecure. Got the password file for the admin account and ran it past a dictionary file, getting the actual password within two seconds. I hope he understood and changed it to something more secure...

As for that email - sounds harsh, especially if your password meets the standards they mention on their page. I doubt it would be a hoax, though.

[hr]

I try to take one day at a time, but sometimes several days attack me at once.
Freaker
 
Posts: 513
Joined: Fri Nov 18, 2005 2:27 pm
Location: China

Re:

Postby Jono on Fri Apr 06, 2007 11:41 pm

I tried to change my password a couple of weeks ago. It wouldn't accept my choice on the basis that it was based on a dictionary word. It was actually two words, linked, and written in L337. I guess I should learn a series of random digits then!

[hr]

http://standrews.facebook.com/profile.php?id=37105376
Exclusive to The Sinner, and all other fora.
Now some people weren't happy about the content of that last post. And we can't have someone not happy. Not on the internet.
Jono
Moderator

 
Posts: 1252
Joined: Wed Nov 02, 2005 9:44 pm

Re:

Postby novium on Sat Apr 07, 2007 1:12 am

I hate when websites/systems/whatever back you into the corner of choosing a really stupid password. For example, I was talking to someone the other day about some bank, that for its internet banking wanted an ID password and then a secondary password, and that had to be over 12 characters long and had to be a mix of letters and numbers. That's the sort of thing that cries out for a stupid password like a birthday, address, or the like.
Or, a very hard and random password, which then will likely be written down.

[hr]

Yet let anger be kept far away, for with it nothing can be done rightly, nothing thoughtfully.
Neither the storms of crisis, nor the breezes of ambition could ever divert him, either by hope or by fear, from the course that he had chosen
novium
 
Posts: 2646
Joined: Tue Sep 21, 2004 10:04 pm

Re:

Postby munchingfoo on Sat Apr 07, 2007 9:36 am

Quoting jono from 00:41, 7th Apr 2007
I tried to change my password a couple of weeks ago. It wouldn't accept my choice on the basis that it was based on a dictionary word. It was actually two words, linked, and written in L337. I guess I should learn a series of random digits then!


This won't work. My password for almost everything is a series of random digits with following random letters, but it is unacceptable to the university because it doesn't BEGIN with a letter.

And..., yes, why do they have our passwords unencrypted?! Surely this is a threat of many magnitudes larger than a weak password?

[hr]

Tired Freudian references aside - your mother played my mighty skin flute like a surf crowned sea nymph trying to rouse Poseidon from his watery slumber!
I'm not a large water-dwelling mammal Where did you get that preposterous hypothesis? Did Steve
munchingfoo
Moderator

 
Posts: 5062
Joined: Fri Dec 06, 2002 2:09 pm

Re:

Postby Kegrad on Sat Apr 07, 2007 9:54 am

I'd have thought what they would do would be to put a dictionary file through the same encryption process to be compared, or try changing passwords from the word to the word, if unsuccessful, it's fine, otherwise it's a problem. (I hope that makes sense)

The thing that annoys me about the uni passwords is that the maximum size is 8 characters. If yours is 8 characters or longer, try logging on using only the first 8 characters, or adding anything extra on the end - it still works!
Kegrad
 
Posts: 185
Joined: Fri Oct 10, 2003 6:45 pm
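
The check Kegrad describes (run a wordlist through the same one-way process and compare) together with the 8-character limit, as an added example that is not part of the thread or the university's own code. PBKDF2 stands in for the real hashing scheme, which the page does not name; the accounts, wordlist and function names are constructed.

```python
import hashlib
import hmac
import os

MAX_LEN = 8  # assumption: only the first 8 characters are significant, as the post observes

def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in one-way hash (PBKDF2); the university's real scheme is not on the page."""
    significant = password.encode("utf-8")[:MAX_LEN]
    return hashlib.pbkdf2_hmac("sha256", significant, salt, 1000)

def make_record(password: str) -> tuple[bytes, bytes]:
    """What the server stores: a random salt and the hash, never the password."""
    salt = os.urandom(8)
    return salt, hash_password(password, salt)

def verify(candidate: str, record: tuple[bytes, bytes]) -> bool:
    """Hash the candidate with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(hash_password(candidate, salt), digest)

def audit(accounts: dict, wordlist: list[str]) -> dict[str, str]:
    """Flag accounts whose stored hash equals the hash of a wordlist entry."""
    flagged = {}
    for user, record in accounts.items():
        for word in wordlist:
            if verify(word, record):
                flagged[user] = word
                break
    return flagged

# Constructed sample accounts and wordlist (not real data).
ACCOUNTS = {
    "user_a": make_record("password"),
    "user_b": make_record("catering"),
    "user_c": make_record("t4Vq9zLw2mX"),  # 11 characters, random-looking
}
WORDLIST = ["letmein", "password", "catering", "standrews"]

if __name__ == "__main__":
    print("flagged:", audit(ACCOUNTS, WORDLIST))
    # Truncation: the first 8 characters alone, or extra characters, still log in.
    print(verify("t4Vq9zLw", ACCOUNTS["user_c"]))
    print(verify("t4Vq9zLw2mXanything", ACCOUNTS["user_c"]))
```

The audit never needs a plaintext password, only the stored salt and hash. Under an 8-character limit, an 11-character password is only as strong as its first 8 characters.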

Re:

Postby thebrookster on Sat Apr 07, 2007 3:09 pm

Quoting Kegrad from 10:54, 7th Apr 2007

The thing that annoys me about the uni passwords is that the maximum size is 8 characters. If yours is 8 characters or longer, try logging on using only the first 8 characters, or adding anything extra on the end - it still works!


God-damn it!! I have never read in detail the gumpf about creating passwords on the Uni system. I use a highly secure password of 11 digits, which now appears to be useless for the Uni system. Funny thing is, I am convinced that I used a checker program (linked from ITS password page) and it said that my password is secure. I shall have to go back and check it now!

Many thanks to Kegrad for alerting me.
thebrookster
 
Posts: 237
Joined: Thu Nov 24, 2005 1:18 am

Re:

Postby sqril on Sun Apr 08, 2007 12:04 am

Quoting munchingfoo from 10:36, 7th Apr 2007

This won't work. My password for almost everything is a series of random digits with following random letters, but it is unacceptable to the university because it doesn't BEGIN with a letter.

And..., yes, why do they have our passwords unencrypted?! Surely this is a threat of many magnitudes larger than a weak password?

[hr]

Tired Freudian references aside - your mother played my mighty skin flute like a surf crowned sea nymph trying to rouse Poseidon from his watery slumber!


that's strange! mine does begin with a number and have had no probs with it
It’s been this way from the start
Everybody walking round with holes in the heart
Everybody holding up skies in the dark
As the stars keep falling
sqril
 
Posts: 64
Joined: Fri Oct 06, 2006 4:27 pm

Re:

Postby David Bean on Sun Apr 08, 2007 3:57 pm

Why are they so paranoid about people trying to hack the system using 133t h4x0rz tools anyway? This is a university, not the Pentagon. Sounds to me like IT Services could do with a dose of reality.

[hr]

Psalm 91:7
David Bean
 
Posts: 3053
Joined: Thu Jan 01, 1970 12:00 am

Re:

Postby Ewan Husami on Sun Apr 08, 2007 5:03 pm

Oh Bean, no no no.

It's not like they're trying to protect our data. They're doing it to stop the servers being hacked, and then used for nefarious deeds such as spamming, or hosting illegal files.

Anyway, it's common sense not to use simple passwords - if someone works out your password for your email account, and they happen to know where you bank, they can guess at your bank account's password and empty your account.
Ewan Husami
 
Posts: 329
Joined: Thu Jan 01, 1970 12:00 am

Re:

Postby David Bean on Tue Apr 10, 2007 12:31 am

If they also have the 57 other kinds of data people generally need to hand to access their own bank accounts, well, yes, you might have a point...

[hr]

Psalm 91:7
David Bean
 
Posts: 3053
Joined: Thu Jan 01, 1970 12:00 am

Re:

Postby fluffy on Tue Apr 10, 2007 12:49 am

David Bean, I want to have your babies...
You don't know it, but I'm madly in love with you..
fluffy
 
Posts: 363
Joined: Thu Mar 29, 2007 9:04 pm

Re:

Postby n01 on Tue Apr 10, 2007 12:55 am

Thank you David Bean :)
n01
 
Posts: 327
Joined: Mon Dec 08, 2003 6:01 pm

Re:

Postby Gubbins on Tue Apr 10, 2007 9:14 am

Quoting ewan husami from 18:03, 8th Apr 2007
They're doing it to stop the servers being hacked, and then used for nefarious deeds such as spamming, or hosting illegal files.


A certain major UK research facility had this happen to them only two years ago. They were not impressed.

[hr]

...but then again, that is only my opinion.
Gubbins
 
Posts: 1210
Joined: Thu Oct 28, 2004 5:56 pm

Re:

Postby romantic on Tue Apr 10, 2007 9:36 am

Quoting David Bean from 16:57, 8th Apr 2007
Why are they so paranoid about people trying to hack the system using 133t h4x0rz tools anyway? This is a university, not the Pentagon. Sounds to me like IT Services could do with a dose of reality.

[hr]

Psalm 91:7


The servers in my own department were hacked into twice a couple of years ago. Some users had entire directories deleted. Regular backups are made, but still a pain in the arse. I believe one time they got into the university system through the university's catering department...catering had the password 'catering'.
romantic
 
Posts: 250
Joined: Tue Jan 13, 2004 9:23 pm

Re:

Postby theflirt on Wed Apr 11, 2007 5:55 pm

I heard they occasionally send companies our email addresses for research purposes (such as, do this survey so we can get an idea of how many art students want to do this job....). Supposedly the list got intercepted and they have asked the majority of folks to change their passwords, just in case!

I have been asked twice to reset it this year!!
it's now 11 random numbers!

[hr]

oh pants
theflirt
 
Posts: 523
Joined: Fri Mar 26, 2004 8:31 pm
