IT services and password (mis)management

It has been a while since I last posted to my blog. A pretty amazing thing happened two months ago: I successfully defended my PhD thesis. Together with two colleagues, who had their defenses on the same day as I did (three defenses in a row), we had a great party. Still, I’m not a real doctor yet. At the next faculty meeting the profs have to officially grant me the title and then I have to hand in the thesis as a real booklet, within a year or two or so. These administrative and practical issues did not prevent the faculty from inviting me to the Graduation Ceremony. As you might have guessed from the title of this post, I’ll not be writing about the ceremony itself. The problem is that to register for the ceremony I have to go to a website and log in. It turns out that five years of PhD does not prepare you to do this seemingly simple step.

At the RUG (University of Groningen, where I was a student) the IT services were simple: everything online could be accessed using your student mail as username and a single password. Everything: email, electronic learning environment, administration… (1) That I look back fondly on the time when I was using Windows XP on clunky CRT monitors illustrates the IT issues at the university where I did my PhD.

When I started my PhD I got three email accounts: my physical chemistry email, my student email and my employee email. That seems to be at least one and probably two accounts too much.
They sent me the password for my accounts by mail… and wrote the password in Comic Sans… There is no time when Comic Sans is a good font. Well, you can use it to announce the discovery of the Higgs particle but that is because the Higgs is so cool that I wouldn’t have cared if they had chiseled it live on (in?) the wall during the presentation. However, when you want to communicate a password it is a good idea to write it in a clear font with a clear difference between l and I or between O and 0 (non-capital l, capital i (I), capital o (O) and the number zero (0), respectively (see what I did here?)).
I’m sure that the IT department is aware of these fonts. Every now and then we got an email that there was a phishing attack attempt on the university accounts. The guy who sent this email had an email signature with an ASCII-art motorbike… (2)

At some point the university thought it was a good idea to introduce a unified email/account system. Good idea! Right? Well, it meant that I got a new email account in addition to my three legacy email accounts. (3) In addition to my student and employee number they also introduced a new long and short name that I could use as a username to log into different services. This means that I now have eight different ways to log into the different services of the university. (actually nine, for a certain service I had to use my student number, without the last digit).
Can there be more confusion? Sure. Because of legacy stuff the passwords were also scrambled. Some services use the same username and a different password, while others use the same password but a different username. The result is that there is no way to reliably predict which username and password you should use for a particular service. (4)
To create some order in the chaos there is a central “Identity Manager” where I can change my passwords without having to contact IT services. Except, which account do I need to change? There are six accounts that use the same short name.

This leads to the final part of this saga. What if I knew which account to use and wanted to change my password? What kind of arcane requirements does my password have to meet? A partial list:
1. Not allowed characters: 0123456789&-
2. Allowed characters: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+_$/!
3. Required characters: +_$/!
4. Minimum number of numerical characters: 1
Do I need to point out the problem here? How can you have a numerical character when the characters 0-9 are not allowed? Or do they want me to use a hexadecimal number? (i.e. A for the number after 9 etc (hexadecimal 10 is decimal 16)). (5)
But there are other, less obvious problems as well. Some characters are allowed, some characters are not allowed… what about the other characters? Can I use the equal sign? (By the way, these are not the actual character sets that are (not) allowed. Security is already weak enough without writing down the exact sets of allowed/disallowed characters). Finally, do I need to use *all* the required characters? Or do you mean I need to use at least one of these characters?
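As an added illustration (not code from the original post), here is a small Python model of the list above and of the explanation in footnote (5): each account has its own rules, and a password change applied to several accounts at once must satisfy all of them simultaneously. The account names, character sets and rule wording are constructed for the example.

```python
from dataclasses import dataclass, field

DIGITS = set("0123456789")
LETTERS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
SYMBOLS = set("+_$/!")


@dataclass
class Policy:
    # One account's password rules (constructed, modelled on the post's list)
    name: str
    allowed: set = field(default_factory=set)       # characters that may appear
    forbidden: set = field(default_factory=set)     # characters that must not appear
    required_any: set = field(default_factory=set)  # at least one of these must appear
    min_digits: int = 0

    def usable(self):
        return self.allowed - self.forbidden

def merge(policies):
    """Rules a single new password must meet to be set on several accounts at once:
    allowed sets intersect, forbidden/required sets unite, digit minimum is the max."""
    return Policy("+".join(p.name for p in policies),
                  set.intersection(*(p.allowed for p in policies)),
                  set.union(*(p.forbidden for p in policies)),
                  set.union(*(p.required_any for p in policies)),
                  max(p.min_digits for p in policies))

def policy_conflicts(p):
    """Reasons why no password at all can satisfy p (empty list if satisfiable)."""
    conflicts = []
    if p.min_digits > 0 and not (DIGITS & p.usable()):
        conflicts.append("a digit is required but no digit is usable")
    if p.required_any and not (p.required_any & p.usable()):
        conflicts.append("no required character is usable")
    return conflicts

def violations(password, p):
    """Rule violations for one candidate password under p (empty list if it passes)."""
    chars = set(password)
    problems = []
    if chars - p.usable():
        problems.append("contains characters that are forbidden or not allowed")
    if p.required_any and not (chars & p.required_any):
        problems.append("lacks a required character")
    if sum(c in DIGITS for c in password) < p.min_digits:
        problems.append("too few digits")
    return problems

# Constructed accounts: the chemistry one forbids digits, the employee one wants at least one.
CHEM = Policy("chem", LETTERS | SYMBOLS, DIGITS | set("&-"), SYMBOLS)
EMPLOYEE = Policy("employee", LETTERS | DIGITS | SYMBOLS, min_digits=1)
```

Checking `policy_conflicts(merge([CHEM, EMPLOYEE]))` before presenting a combined rule list to the user is the check the identity manager in the post evidently did not do.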

I’m sure the IT department justified installing this new system by pointing out all the cost savings: “using the identity manager people can reset their passwords themselves, meaning less work for the IT department”. It is of course a stupid solution. People use some accounts frequently and know what username/password to use there. That is not the case when accessing infrequently used accounts. A better system would have been something where people can log in using a single username and password across all accounts and services. I mean, the passwords are already collected in a single identity manager. Why not skip that step for the user and pretend (at least to the user) that all the services and accounts use the same username and password?
The cost savings are also reduced by the time I (and all my colleagues) waste trying to work out which password to use. I ended up registering for the graduation ceremony by sending an email to the organization. One upside: I didn’t have to fax them. (6)

(1) This was the situation at the RUG five years ago, when I was a student. It may have changed.

(2) These are called monospaced fonts — each character uses the same width, making it easy to align characters on different lines. They are often used in programming, or to make ASCII-art motorcycles. The critical point of using them is however not that they are monospaced, but that you can unambiguously distinguish different characters.

(3) It was executed in a terrible way, but the grand unification did collect the different accounts in a single interface.

(4) Having a lot of usernames and passwords is not a problem in itself. I use, and everybody else should use, a password manager (like 1Password). A manager stores all your passwords in a single place and using a plugin it fills in the passwords for you in your web browser. This makes it easy to use different passwords for different accounts — this means that if one website is hacked they cannot use it to log into other websites (see this Ars Technica article about attacks on passwords). A password manager does however not help if the combination username/password is not known.

(5) It turns out that the clash between disallowing numerics while requiring at least one numerical character is because I had selected a number of accounts to change the password. One of these accounts doesn’t allow numerics while the others need a numeric.

(6) Yes, we do have a fax machine and yes, we do use it a lot.

Further reading:

  • An Ars Technica article about why there are limitations to the use of characters and size of passwords. Answer: legacy systems, ignorance and laziness.
  • Security is often used to justify making systems that are user-unfriendly. Ars Technica (again) has an article about how these kinds of password rules and other small irritations make people hate computers.