Technical FAQ for Passwords

(The following questions and answers contain technical jargon.)

Why must passwords be at least 15 characters long to be secure?

ITS has engineered its network to virtually eliminate the transmission of unencrypted (or plaintext) passwords. In many instances, the entire network session is protected via strong encryption such as SSL. In some instances, the session is not encrypted, but the password is protected with one or more cryptographic hash. At this time, the hash which appears on our network is an older version of NTLM.

NTLM is relatively weak. Software is widely available to reveal NTLM-protected passwords with 7 or fewer characters, and 8-character passwords made from digits and either all uppercase or all lowercase letters. Other software can reveal passwords which may be longer but that are based on large dictionaries of words and phrases, or that are too repetitive. NTLM hashes with these sorts of passwords take minutes to break, not seconds. Our password-changing page includes software (cracklib) to prevent users from picking passwords that will be easily revealed by these programs.

Don’t these password-cracking programs have to try accessing my account, which seems to block access when I type my password incorrectly too many times?

No. These programs work by identifying the password hashes on the network, and then analyzing the hashes to reverse-engineer the original password. Or, if your computer becomes infected by a virus, they may be able to find these hashes stored on your computer. The programs do not attempt to actually log in until after your password has been revealed.

How can they identify the password hashes on the network? I thought our network was secure? Can’t you make it secure?

First, you aren’t always using a computer on Carleton’s network. You and your laptop may be using the wireless network at one of the local coffee shops. Or you may be at home using your Cable TV modem and sharing a connection with other computers. ITS has no control over those networks. We hope they are all secure, but we expect that some of them are not.

Off-campus access is something we have to generally pay attention to, but isn’t really relevant to these new changes. The protocols that would use these weak hashes are blocked at our border with the Internet.

But even when you are on Carleton’s network, it isn’t as secure as you might hope. Despite our best efforts, past experience tells us that the Resnet has at least a few compromised computers on it at all times. Every few months we also discover compromised computers on the academic network. Sometimes they are owned by a student or an off-campus guest.

Because it's impossible to guarantee that your password is always being transmitted on a completely secure network, we need to ensure that the password you choose is secure, in order to adequately protect your personal and institutional data.