University Information Technology Services has implemented a new policy that officials say will make IU network accounts for students, faculty and staff more secure.

Summer students that were new to IU this past summer were required to create longer, harder-to-crack passphrases rather than traditional passwords, and starting in October, new network accounts or accounts for users who wish to change their password will have to do the same.

Passphrases are longer than passwords -- anywhere from 15 to 127 characters, as opposed to current passwords, which are eight to 14 characters -- and are usually sentences or groups of words instead of simply a single-word entry, said Tom Davis, IU chief information technology security officer.

There are two key risks with current passwords, Davis said. First, passwords are difficult for users to create because most Web sites, like IU's former system, require the password to include numbers or symbols in addition to letters. This leads to passwords that are not real words and are just a random combination of characters and letters, which may make it harder for the user to remember and type, Davis said.

Second, passwords are limited to a small number of characters. Some can be as short as six characters, making it easier for hackers to figure out.

"These weaknesses with passwords allow malicious people to take advantage of users ... extending the length makes the passphrase much more difficult to crack."

The UITS Web site, uits.iu.edu, includes detailed suggestions and hints for choosing new passphrases to help users obtain more secure accounts.

Davis said one of the most common problems that cause passwords to become a risk is sharing them with other people.

"The problem occurs when people share their password, either with their boyfriend or girlfriend or just friends," Davis said. "Sharing a password is strictly against IU policy."

Junior Erika Luetzow agrees with Davis.

"I don't share my password with anyone," she said. "I also think it's a good idea to change your password often."

Davis also said UITS is not forcing users to change from passwords to passphrases in October but added that the option is available for those who wish to do so.

"This is something for those users who choose to visit the Web site -- passphrase.iu.edu -- and think it's a good idea to make their accounts more secure," he said.
Accounts to require passphrases
New policy aims for better security against hackers



