Password Information

Important information about changes to access.caltech passwords

Your access.caltech username and password are your key to services, support, and more.

The Importance of Good Passwords

A password is like the combination for a combination lock or the PIN for an ATM card. It is a way of proving to a computer that you are who you claim to be. Unfortunately, passwords can be compromised, just as a combination can be guessed or every possible combination tried, or someone can look over your shoulder as you key in your PIN.

In the past, password guessing was fairly difficult; however, this is no longer the case. Hackers have ever-increasing resources and Caltech presents an attractive target, so all accounts on all servers here need to be protected as much as is practical.

The system administrators make it as difficult for hackers as we can to prevent compromise from the server side, but individual account security is dependent on the security of each individual account's password. This is why it is extremely important for you to use passwords that cannot be guessed.

Choosing Passwords

Adhering to the following guidelines will not guarantee you absolute safety, but will make it more difficult for your password to be compromised.

Bad Passwords

Do not use the following as passwords:

  • Names: your account username, your real name (first or last), names of spouses, children, friends, pets, etc.
  • Personal information: your bank PIN number, your Social Security Number, your birthday, your phone number, your address, your license plate number, or any of the above belonging to spouses, children, friends, pets, etc.
  • Words and phrases: dictionary words from any dictionary, or phrases that are nothing but sequences of lowercase characters and spaces (long phrases are OK as long as you put in some unusual characters as well)
  • Patterns: repeated characters ("aaabbbccc"), keyboard or alphabetic sequences ("qwerty", "abcdef"), acronyms (CIT acronyms especially)

Do not use them even if they are:

  • backwards
  • repeated
  • capitalized
  • prefixed or affixed by a single digit or punctuation mark ("yikes!", "4myself")
  • the result of substitution by characters of similar appearance ("$ch001", "g33k", "b1gmac")

Good Passwords

Access.caltech enforces the following restrictions on passwords to make sure they are "strong":

  • They must be at least 10 characters long, but no more than 20 characters.  The longer your password, the better.  We will be raising the maximum soon in access.caltech.
  • They must contain at least two letters and one non-letter.
  • They must contain characters from at least three of the following four categories:
    • Uppercase letters
    • Lowercase letters
    • Numbers
    • Anything not in the above three categories
  • They cannot be your username, your username reversed, or a cyclic shift of either of the above, considered case-insensitively (it's unlikely such a password would pass the "four categories" test, in any case).
  • They cannot contain any piece of the "real name" associated with your account (so user johnj whose name is "John Jones" cannot have john!123 or 45JOnes# as his password).
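As an added illustration (not part of the original page or IMSS's own code), the Python check below applies the rules listed above to a candidate password; reading "any piece of the real name" as each space-separated part of the name, matched case-insensitively, is an assumption.

```python
MIN_LEN, MAX_LEN = 10, 20  # current access.caltech limits


def _rotations(s):
    """All cyclic shifts of s, including s itself."""
    return {s[i:] + s[:i] for i in range(len(s))}


def check_password(password, username, real_name):
    """Return a list of policy violations; an empty list means the password passes.

    The rules mirror the access.caltech list above. Treating each
    space-separated part of real_name as a forbidden substring is an assumption.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")

    letters = sum(c.isalpha() for c in password)
    if letters < 2 or letters == len(password):
        problems.append("need at least two letters and one non-letter")

    # The four character categories; at least three must be present.
    categories = [
        any(c.isupper() for c in password),   # uppercase letters
        any(c.islower() for c in password),   # lowercase letters
        any(c.isdigit() for c in password),   # numbers
        any(not c.isalnum() for c in password),  # anything else
    ]
    if sum(categories) < 3:
        problems.append("need characters from at least three of the four categories")

    # Username, reversed username, and every cyclic shift of either (case-insensitive).
    u = username.lower()
    forbidden = _rotations(u) | _rotations(u[::-1])
    if password.lower() in forbidden:
        problems.append("must not be the username, its reverse, or a cyclic shift of either")

    # No piece of the real name, case-insensitively (assumed: each name part).
    for part in real_name.split():
        if part.lower() in password.lower():
            problems.append(f"must not contain a piece of the real name ({part!r})")

    return problems


if __name__ == "__main__":
    for pw in ("john!123", "45JOnes#!!", "Tq7!mR2#pLz"):
        print(pw, "->", check_password(pw, "johnj", "John Jones") or "OK")
```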

One suggestion some of our users have found useful is to remember a special sentence associated with their account on a particular system, and then use the first letters of each word in the sentence to form their password. With a few numerical substitutions, using a proper noun or two in the sentence to get some capitalization in there, and adding in a punctuation mark or two, the resulting password is sufficiently random-seeming to be a good password, but it is also easier to remember than a purely random string of characters.

Misconceptions About Passwords

"I'm not the super user. My password can't be that important."

Hackers often have at their disposal "local exploits", which are ways of getting the equivalent of superuser accounts starting with a normal account. If a hacker can get hold of your password, they can then get on to our systems using it, then try a local exploit that might work. It was your password that "let them in the door".
Also, many hackers don't care about what's in your account; they only want to use it as a base for launching attacks on computers and accounts they do care about, so their location is harder to trace and/or block. If someone uses your account to do this, it can damage Caltech's reputation and affect your and other Caltech people's ability to use our computers to do their real work.  A hacker can also use your account to pretend to be you, and trick someone into doing something they would not ordinarily do, thinking the request came from you.

"Nobody knows what 'axolotl' means. They'd never guess that."
"I'll use a word from a foreign language."

Electronic dictionaries now exist for most languages with a significant number of speakers or a significant literature. Hackers' guessing programs make use of these dictionaries and can automatically check for variants (substituting appropriate digits for letters, for example).
Note that IMSS systems store passwords in such a way that it is hard for hackers to get the information they need to work on cracking your password without repeatedly trying to log in to your account (which we can detect); however, other systems you use may not be so secure.

Guarding Your Password

Now that you have chosen a strong password, you need to protect it.

  • Consider using a password management utility to manage your passwords. The only password you have to memorize with a password management utility is a single, preferably long, "master passphrase" that is used to encrypt the rest of your passwords. This is a very powerful tool that can make it easy to manage large numbers of unique passwords. Managed Computing users can request installation of KeePass for password management.
  • Don't send your password over a computer network, or store it on a computer, without encrypting it. Most especially, this means don't send it in the clear over email.  It may be misdirected, intercepted, forwarded, or accessed from stored mail long after the fact. Avoid using the telnet or rlogin programs to log in to a computer (use ssh instead), and avoid using ftp to transfer files to or from your account (use scp instead). Avoid using the "insecure" versions of POP or IMAP to read your mail (our systems support the secure versions).
  • Be very careful where you enter your access.caltech password. IMSS recommends against using services which allow users to enter their usernames, passwords, and server names into a commercial webpage for remote email browsing, because IMSS cannot guarantee the security or authenticity of such non-Caltech systems. We also recommend against using your access.caltech password as a subscriber password on any non-Caltech web sites.  Your access.caltech password should be unique, and not reused for any other service.
  • Do not tell it to anyone, even if they claim to be a system administrator or technical support. Under no circumstances does a sysadmin need your password. If you receive mail that appears to be from a technical support person, asking you to change your password to something specific or send your password back via email, don't. We might ask you to change it to something else, but we will never tell you what to change it to.

How to Change Your Password

To change your password using the Web, go to https://access.caltech.edu and enter your username and password to log in. Click on the 'Manage My Password' tab at the top of the page. Enter your old password and your new password twice, then click 'Reset Password.'

Additional Information and Help:

For more help, please contact the IMSS Helpdesk (x3500, https://help.caltech.edu).

If You have Forgotten Your Password

An IMSS Helpdesk Consultant can reset your password. Note that we store passwords in such a way that we can't recover them for you if you forget them; we can only reset them to something else.

  • Come visit the Helpdesk in person with your Caltech ID at room 204 in the Central Engineering Services Building, or
  • Call x3500 from the Caltech extension issued to you (the campus caller ID must show your name), and have your Caltech ID handy.

Note that we can only give out new passwords in person or over the phone (we never send passwords via email), and that all new passwords are randomly generated 10-character strings.

If you want to reset your password to something else after that, you will need to wait about ten minutes, and then follow the instructions given above for changing your password.

What if I'm away from Caltech?

If you are out of the Caltech campus area (overseas, for instance) and you need your password reset before your return to campus, we can make special arrangements with you to have your password reset. Call the Help Desk at x3500 to make arrangements.


If You Think Your Password has been Compromised

If you suspect that someone other than you has been using your access.caltech account, or that someone other than you knows your password, please notify IMSS immediately by telephoning the Help Desk at x3500 so that we can investigate. If you are able to send email, you can also contact Information Security directly by sending mail to security@caltech.edu. Change your suspect password by going to https://access.caltech.edu. It is always wise to change a password that you believe may have been compromised. However, it is important to investigate the incident as well, so that the problem doesn't occur again.