Earlier this week, everyone who was still using a noncompliant NetID password was informed that they must create a better password, or else. The "or else" is that they will lose access to all the university IT systems that require NetID and password for access.
Some may not notice right away (maybe never) that their old, noncompliant NetID password has been deactivated. We only know for certain that there are about 19,000 passwords that are not compliant with the requirements of the university's password policy. Many of those belong to students.
The UW-Madison password standard is fairly straightforward. It requires a minimum of eight characters. (Many more if you desire — up to 35!) The password must contain characters from at least three of the following categories: uppercase letters (A-Z); lowercase letters (a-z); digits (0-9); and special characters (@#$%). Passwords must not contain a common proper name, login ID, email address, initials, first, middle or last name. That's about it.
My guess is that enforcing the NetID password policy will provoke some pushback from those who don't want to change their passwords and don't believe that they should be forced to comply with this fill-in-the-blank policy. Recent candidates for the blank that I have heard include: senseless, stupid, useless, oppressive and discriminatory. The last word in this list worries me more than all the others combined.
Is the policy discriminatory toward people who might have difficulty remembering or entering a longer and more complex password? I am nearly certain that it is not.
Complying with the password policy requires neither manual dexterity nor an exceptional memory. In fact, a minimally compliant password is easy to create and, at the same time, much harder to crack. Even a simple strategy like lengthening a password with a few random characters adds exponentially to its strength.
Neither does a compliant password require complex keystrokes. For example, repeating characters or using simple keyboard patterns are all perfectly acceptable strategies for creating good passwords.
People who can't remember a longer password can simply write it down and store it in a secure place. I do this myself because I don't want to use one password for everything I do online. And, I want to change my passwords more regularly. Writing down passwords isn't especially risky if they are stored in something you have with you most of the time — like a wallet.
Data breaches and compromised computer systems have become a nearly daily occurrence at American universities. Loss of restricted personal data can be devastating to the victims and expensive for the institution. There's no way around it. Improving the university's IT security has become important, urgent and everyone's responsibility.
Better passwords improve the security of UW-Madison's IT systems at low cost. By contrast, fixing security problems after they occur can be both complicated and expensive. The security benefit of stronger passwords is well worth the trouble and inconvenience of requiring compliance with university policy.
So ready or not, the moment to require better passwords has arrived. If you lose access to the systems that require the NetID password, you will have to go through the "Activate My NetID" procedure on the My UW website. If you have trouble, the DoIT Helpdesk has friendly and supportive staff on call to guide you through the process.
Tips for Tougher Passwords
Collide common words that are meaningful for you, but hard to guess. For example: OPAL#blue
Spell and capitalize creatively. For example: UForEahBlooz
Mild dyslexia works well in a password: e.g., replacing E with 3, d with b, or q for p. For example: R3dBirbF33d3R
Make your old password longer using random characters. For example: yoyoman becomes @@yo-yoMAN&&
Use symbols and numbers for simple encryption: E1VI$LiVZ
Do some or all of the above. Some examples: ***D@Rk$kY***; $pIny@nTeAT3; 1Tr1ckP0nee$; B33F1@tMaj0r
Ken Frazier
UW-Madison Interim CIO
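
A checker for the password standard described above, run over examples from the tips list. This is an added example, not UW-Madison's or DoIT's code; treating any punctuation as a special character, matching identifiers as case-insensitive substrings, ignoring identifiers shorter than two characters, and the sample user are all assumptions.

```python
import string

MIN_LEN, MAX_LEN = 8, 35            # limits stated in the article
SPECIALS = set(string.punctuation)  # assumption: "@#$%" are examples, not the full set

# Constructed sample user, for illustration only.
SAMPLE_USER = {"login_id": "bbadger", "email": "bbadger@example.edu",
               "names": ("Bucky", "Lee", "Badger")}

def char_classes(pw):
    """Return the character categories (of the four in the standard) present in pw."""
    found = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif ch in SPECIALS:
            found.add("special")
    return found

def check_password(pw, login_id="", email="", names=(), common_names=()):
    """Return a list of violations of the standard; an empty list means compliant."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if len(pw) > MAX_LEN:
        problems.append("longer than 35 characters")
    classes = char_classes(pw)
    if len(classes) < 3:
        problems.append("only %d of 4 character categories" % len(classes))
    # Assumption: identifiers match case-insensitively as substrings, and
    # anything shorter than two characters is ignored to avoid noise.
    initials = "".join(n[0] for n in names if n)
    lowered = pw.lower()
    for item in (login_id, email, initials, *names, *common_names):
        if len(item) >= 2 and item.lower() in lowered:
            problems.append("contains personal identifier %r" % item)
    return problems

if __name__ == "__main__":
    # The first five strings come from the tips list; the last is constructed.
    for pw in ("OPAL#blue", "UForEahBlooz", "R3dBirbF33d3R", "@@yo-yoMAN&&",
               "yoyoman", "Badger#2024x"):
        print(pw, "->", check_password(pw, **SAMPLE_USER) or "compliant")
```

A letters-only string such as `UForEahBlooz` covers two of the four categories, so the checker reports it regardless of its length.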