The Importance of Password Security A Guide For ESD Computer Users

Etiwanda School District
Revised May 2011

Questions You May Have About Password Security

TOPICS:
Why Should I Care about Password Security?
How Are Passwords Stolen or guessed?
What Are the Guidelines and Rules for Choosing a Password?
How Can I Avoid a Weak Password?
How Often Should I Change My Password?
Why Do I Have to Change My Password Every Six Months?
How Do I Change My Password?
What If I Forget My Password?
What Else Can I Do To Protect My Password?

Why Should I Care about Password Security?
Your username and password (network login) give you access to the Etiwanda School District's computing services. Every time you connect, you must log in; By successfully logging in, you are verifying your identity to the district. Should someone else guess or steal your password (or if someone has access to a computer that you have left logged in and unattended), he or she can masquerade as you, which means this person would then have access to your files, your email, and more. This person would have the power to modify or destroy your files, to send email in your name from your account, access or attempt to access inappropriate content, commit crimes, or to subscribe to unwanted services. In short, an insecure or compromised password can easily cause a great deal of embarrassment and potentially even wreak havoc in your life!

How Are Passwords Stolen or Guessed?
As an ESD network user, you are responsible for the security of your password. Please use common sense and do not:

• DO NOT: share your password with anyone. The ESD Technology Department never initiates calls to ask for passwords. The only instance where the Technology Department might possibly need your password is to investigate a login problem you report yourself. If for any reason you give your password out to someone else, or suspect that someone else may have seen your password - change it immediately!
   
• DO NOT: write your password down (do not attach a post-it note with your password on your monitor!!)
   
• DO NOT: store your password in a file on the network or on your computer.
   
• DO NOT: use predictable or easily guessed passwords .
   
• DO NOT: use public computers or kiosks to access your email, gradebooks, or other district resources. These may contain "key-loggers" or other malicious software that invisibly records your username and password. If you find that you must use a public computer or one that you suspect is not secure, change your password as soon as possible!

In addition to the above, it is important that any personal computers you use at home to access district resources have a current and updated anti-virus program installed and functioning. Anti-Malware/Spyware protection is also highly recommended. If at any time you discover or suspect that a personal computer has become infected with a virus or malware/spyware, please correct the problem and change your password immediately! If you are in need of anti-virus or anti-spyware programs for your home computers, the ESD technology department recommends the following free programs:

AVG - Free Antivirus/Spyware solutions
Malwarebytes' Anti-Malware

Passwords are about identity. We tend to reveal ourselves in our passwords. We often choose the name or birth date of a loved one; we use our address, telephone number, or Social Security number; we use the name of a favorite artist, actor, or author. Or we are wise enough to avoid any personal references but choose a word that is in the dictionary or an alphabet or keyboard sequence. Just because we think a foreign word is obscure doesn't mean that it isn't in a dictionary somewhere. The point is that all of these types of words (especially words that are in a dictionary) are subject to guessing, which makes your password much more vulnerable.

What are the Guidelines and Rules for Choosing a Password (i.e. Password Complexity Rules)?
By enforcing password complexity rules, the Etiwanda School District helps you select secure passwords by requiring that all passwords meet certain standards. Passwords must be a minimum of six characters in length and must meet at least three of the four criteria below:

• Contain uppercase characters
• Contain lowercase characters
• Contain numbers
• Contain symbols (i.e. @#$%^! etc.)

In addition, your password must not contain three or more consecutive characters from your user name. This means that if your name is Doug, your password cannot be "Doug123". Finally, passwords may only be changed once per day and your last 3 consecutive passwords cannot be used.

 How Can I Avoid a Weak Password?
Avoid passwords that would be easy for anyone to guess.

• DON'T USE: Simple transformations of words such as "7Eleven" or "Fastest1".
• DON'T USE: A keyboard sequence (Ghjkl;).

How Often Should I Change My Password?
You must change your password at least once every six months, but it's also time to change your password if:

• You suspect your password has been compromised.
• You have told your password to someone else.
• You have written your password down anywhere.
• You have logged in at a public or semi-public computer somewhere outside the district to check your email. 

Why Do I Have to Change My Password Every Six Months?

A very simple answer - security. The main reason for regular password changes is to limit an account's exposure to misuse. Why every six months? Every time you type in your password it is at risk of compromise - by someone looking over your shoulder, through interception as it travels across a network, and so on. The more it's used, the more opportunities there are for it to be disclosed inadvertently. Resetting regularly also limits the damage that can be done without your knowledge, and helps to prevent continuing unauthorized use. Of course, changing passwords too often can be counter-productive - people tend to forget them, or resort to less satisfactory ways of keeping track of them. Six months seems a reasonable compromise, and is a much longer time period than many other agencies.

How Do I Change My Password?

Online From Home or Work

We have a  new, easy password reset system available at http://password.etiwanda.org

Using WindowsXP From Work

1. Log in to your computer normally (so you can see your desktop).
2. After logging in and seeing your desktop, Press Alt-Ctrl-Del again.
3. Click on the "change password" button.
4. At the "old password:" prompt, enter your old password.
5. At the "new password:" prompt, enter your new password.
6. At the "confirm new password:" prompt, reenter your new password. 

What If I Forget My Password?
No worries, see "How Do I Change My Password" above (Use the "Online From Home or Work" method).

What Else Can I Do To Protect My Password?
Along with the guidelines presented here, the following practices will help ensure that no one can discover your password or masquerade as you:

• Do not use the "Remember Password" features of any applications. An exception to this is your web mail login (Outlook Web Access - OWA), which only remembers your username, not your password.
   
• Do not under any circumstances walk away from your computer for any length of time while still logged in! You must either lock your computer (Press the Windows Key + L) or log out whenever your computer is out of your immediate view.

For more information, please contact the ESD Technology Department
(909) 899-2451