As the University's campaign to improve network security finishes its first phase today, technology officials said a University member has been referred for possible disciplinary action for cracking about 36 accounts.
After warning undergraduates to change their passwords from their social security numbers for the past few weeks, OIT will lock the accounts of students who have not changed their passwords by this afternoon, said Steven Sather, OIT's support director.
Most students have complied, however, with only 250 undergraduates not changing the e-mail, academic records or UNIX passwords from the default — the last eight digits of the social security number. At the beginning of the school year, about 4,300 students were still using their original password.
A member of the University handed a document to OIT last week listing the user names and passwords of about 36 UNIX accounts that the member had obtained by using a cracking program, said Rita Saltz, OIT security expert.
She subsequently contacted the affected users and, considering it a "disciplinary matter," referred the matter to the "appropriate authority," she said.
It was not clear whether the passwords for the UNIX accounts were also the passwords for e-mail and academic records. But armed even with just the UNIX account password, someone can gain access to personal files stored on the central OIT servers and impersonate the users on the UNIX system.
It took the hacker about two hours on a University computer to learn the passwords to each account, Saltz said. The passwords used "easily discernable information," she said, and were cracked before the security recommendations were followed.
A main concern about using social security numbers as default passwords was that they could be obtained easily.
Saltz said the motivation seemed to be to test the security of the system. Though outsiders often try to hack the system, internal network breaches are rare, she said.
"Students should not play detectives themselves," University spokeswoman Lauren Robinson-Brown '85 said. "[They] should not risk bringing trouble onto themselves when they're trying to be helpful."
Sather said the transition to the new password system went smoothly.
Some students have complained that the process was too complicated because the website on which students changed their passwords presented very specific conditions. It took an average of two tries per student to change the password, Sather said.

The next challenge for OIT will be to secure the accounts of University staff, he said.
About half the 15,000 staff members with an account need to change their passwords to make them secure, he said.
After that, the University will move to secure faculty and graduate students, he said.
Because they consider it a disciplinary matter, officials refused to give any more details about the cracking incident. But they said users who discover holes in the system should contact OIT.
Sather added that the search for a new technology security officer has ended. An announcement should come within the month, said Lee Varian '63, an OIT director who will supervise the new administrator.
This fall's push for tighter campus security follows this summer's news that University admission officials had exploited a Yale University website's reliance on social security numbers as passwords.