Onyen Password FAQs

Introduction

The following are Frequently Asked Questions about the Onyen Password. Some FAQs are found on other pages and are linked below.

Why is Onyen password security important to me?

In most cases, your Onyen password is the only authentication method for many critical network services (see Password Change Checklist). Although it may seem extreme to have a complex password policy, the protection it affords campus computer systems and the identities of faculty, staff, and students is immeasurable. Many Onyen users have access to sensitive and private information such as financial, medical, or research information. Strict password requirements help prevent unauthorized access not only to your e-mail and other files, but also to critical and confidential data. Therefore, even though it may seem inefficient to remember one new password every 90 days, doing so is vital to ensuring the protection of everyone's important data. Imagine years of research data deleted or improperly modified because of a leaked or cracked password. The impact of such an event is unthinkable, and by enforcing a strict password policy this type of occurrence and other disasters may be prevented. The following are only a few examples of the damage that an attacker can do with your Onyen password:

  • affect your class registration
  • assume your identity
  • send fraudulent e-mails
  • access your address, phone number, full name, date of birth, etc.
  • change One Card account balances and other information
  • modify or delete classwork or personal files in AFS
  • register you for unwanted services
  • among others...

You are responsible for everything that occurs from your Onyen account. If your Onyen is used to commit a computer crime or violate University policy, in most cases you will be held responsible (see Onyen Policy, Terms of Agreement for Onyens).

How does requiring my password to change every 90 days, requiring password complexity, and disallowing previous passwords increase security?

Simply by changing your password by one character, you are effectively changing it completely. Each time a password is created, a one-time algorithm, called a "salt," is generated that modifies the newly created password by permuting each character. This means that even if two users choose the same password, their password hashes (the way a password looks when it is encrypted) will differ in both the types and numbers of characters. This increases password strength exponentially, since a password cracker cannot simply compare the two hashes and deduce that the passwords are the same. It will take substantially longer to crack the new password as well; by the time you change your password again (three months), the cracker would have to start all over again with a completely different password. Based on our current complexity requirements, it would take longer than 90 days.

In addition, the password system will prevent you from reusing any of your previous passwords. Any previous password used will be blocked for the period of one year. This 'recycling' of passwords presents many of the same security concerns caused by passwords that never change.
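The salting and one-year reuse block described above can be sketched as follows. This is an added example, not the Onyen system's own code: the page does not state the hash algorithm, so PBKDF2-HMAC-SHA256 with a random 16-byte salt is an assumption, as are the names `PasswordRecord`, `hash_password` and `matches`, and the choice to measure the one-year block from the date a password was set.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

ITERATIONS = 100_000  # assumed work factor; the page does not state one
HISTORY_WINDOW = timedelta(days=365)  # previous passwords blocked for one year

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn for each new password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def matches(password, salt, digest):
    """Re-hash the candidate under the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class PasswordRecord:
    """Hypothetical per-account store of (salt, digest, set_at), newest last."""

    def __init__(self):
        self.entries = []

    def set_password(self, new_password, now):
        # Salted digests cannot be compared with each other directly, so the
        # candidate is re-hashed under every stored salt from the last year.
        for salt, digest, set_at in self.entries:
            if now - set_at < HISTORY_WINDOW and matches(new_password, salt, digest):
                return False  # reuse inside the window is refused
        self.entries.append((*hash_password(new_password), now))
        return True

    def verify(self, password):
        """Check a login attempt against the current (newest) entry only."""
        if not self.entries:
            return False
        salt, digest, _ = self.entries[-1]
        return matches(password, salt, digest)

if __name__ == "__main__":
    # Constructed passwords and dates, for illustration only.
    a, b, t0 = PasswordRecord(), PasswordRecord(), datetime(2024, 1, 1)
    a.set_password("Constructed-Pass1!", t0)
    b.set_password("Constructed-Pass1!", t0)
    print("same digest:", a.entries[-1][1] == b.entries[-1][1])
    print("reuse allowed:", a.set_password("Constructed-Pass1!", t0 + timedelta(days=90)))
```

Because each stored digest has its own salt, the history check costs one hash computation per remembered password rather than a simple lookup.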

Remembering all my passwords is too complicated; I'm just going to write mine down!

Writing down your password in a public location exposes you to the dangers of identity theft and other abuses. Passwords exist to protect you and your information. Bypassing the protections offered to your account exposes your personal information and is in direct violation of Onyen policy:

Access to computing and network resources granted through the issuing of a UNC Onyen may be used only by the specific individual to whom the Onyen is issued and may not be shared with other individuals (see Onyen Policy, Terms of Agreement for Onyens).

Even if you do not use your Onyen, if your password is compromised, an attacker can use your Onyen to assume your identity.

If you consistently have trouble remembering your password and are often away from campus, you may want to consider setting up the Challenge-Response Password Reset System for your account. Once you answer the questions, you will be able to easily reset your password, even if you are away from campus.

Are all these password requirements really worth the trouble? I have too many passwords already to remember and all have different requirements!

Your private information is very important, and the dangers of identity theft should not be underestimated (see Identity Theft and Fraud). The password protects not only you, but also your department's data. Many granting agencies, as well as some Federal and State regulations, require best information security practices, which include strict password policies.

State auditors require strong passwords, and with them comes the unfortunate inconvenience everyone with an Onyen endures when changing their password. Many computer systems have different password requirements depending on the age of the system or the type of underlying authentication mechanism. The complexity requirements for the Onyen password are standard and are based on security best practices. These conditions were chosen to follow numerous other password requirements across campus (e.g. Microsoft Active Directory and Windows domains).

Other FAQs


University of North Carolina - Chapel Hill