Sense and purpose of our password rules

Password rules usually seem complicated and elaborate. Many people therefore ask what all this is about, consider the measures to be sheer exaggeration and point out that they have nothing particularly worth protecting on their computer. However, password theft is not only about the specific data of the respective user, but also about unauthorised use of resources. Here we explain why our password policies are useful and necessary.

Why should sufficiently secure and long passwords be chosen?

The most commonly used method for authenticating users is the use of passwords. Their primary task is to protect against unauthorised access and misuse. In order for them to fulfil this task effectively, various rules must be observed, which you can also find in our password guidelines.
This is where you, as a user, are called upon. The majority of cases of misuse were and are (partly) caused by (authorised) users through ignorance or careless behaviour. For example, a single compromised university account is enough to severely disrupt the e-mail traffic of the entire university. We have published the necessary instructions for action so that you can act securely.

Possible consequences of successful password theft

In the event of password theft, this may have the consequences mentioned here:

  • An unauthorised gain of information by reading your mails and documents,
  • Falsifying or deleting your data,
  • Changing your password, with the result that you no longer have access to the system.
  • The use of your access data to conceal your own identity in order to commit unauthorised or criminal acts, conceivable here:
    • The publication of illegal, offensive or obscene content by e-mail in your name
    • Accessing criminal content on the internet with your login
    • Downloading or exchanging works protected by copyright (music, software, electronic publications)
    • The introduction of viruses, worms and Trojan horses and thus the impairment of other users or external bodies, with possible damage to the university's image.
    • Sending spam and phishing emails
    • Fraudulent actions on trading platforms on the internet
    • Terrorist or extremist actions
    • ...
  • Deliberately placing illegal content in your directory with the granting of public access and simultaneously informing responsible authorities in order to deliberately harm you.
    The suspicion of the law enforcement authorities would automatically fall on you and you would have to prove that you did not commit the offences.

Why do passwords have to be changed every 365 days? And why should they be sufficiently complex?

Choosing a sufficiently secure and long password makes it difficult for an attacker to crack the password. Simple cracking methods become ineffective, but this does not mean that your password cannot be cracked at all. Once your password has been cracked, an attacker can only use it within the period of its validity, in this case a maximum of 365 days (already a very long period of time), after which it is worthless. The time someone needs to crack your password depends on the choice of password (i.e. the usable character set and the length), the procedure and the technology used.
Another aspect that is often overlooked is the theft of sensitive data, which has become more and more public in the recent past, in considerable amounts due to hacks of prominent online services (Dropbox, LinkedIn, Yahoo, etc.). Sometimes years passed between the actual data theft and the public dissemination of the stolen data. If the password active at the time of the data theft has already been changed, the stolen data is worthless today; if not, the information gained can be misused for all kinds of criminal activities on the Internet.
If the same access data was used at the external compromised IT service as at Bauhaus-Universität - contrary to the binding specifications - misuse is also possible here. The choice of the same password for different IT services cannot be technically prevented; in this case, a different authentication method (multi-factor authentication, which is technically demanding and resource-intensive if it is to be effective for all services) would have to be chosen. It is unrealistic wishful thinking that simplifying the rules or requirements, or raising awareness alone, will make all users always behave in a security-conscious and compliant manner.
The popularly postulated assumption that people give themselves a secure password if they do not have to change it is contradicted by lists of the most popular passwords as published by the Hasso Plattner Institut (HPI), or by a look at real password leaks from services where the password does not have to be changed regularly.
In one's own area of responsibility, setting a potentially insecure password can be prevented by technically enforcing specifications (minimum length, complexity, history, exclusion of trivial passwords). Reducing the complexity in favour of the password length could, in the worst case, result in the password used being easy to guess. The theoretically calculable password quality would then be invalid.

How can the password protection be overridden?

  1. By trial and error
    An attempt is made to gain access by entering a guessed password. The method is not very efficient, only offers a chance of success with easy-to-guess passwords and is therefore used less frequently. It requires no technical know-how and no additional tools. It can nevertheless be sufficient against less imaginative persons or persons who are hardly aware of the topic, especially where no technical restrictions are in place.
  2. Through the use of password cracking programs
    More efficient and thus more likely is the use of freely available and easy-to-use password cracking programs that use various methods to recover the password from its stored (encrypted or hashed) form.
    • Dictionary attack
      Cracking programs are used here that fall back on a word list in which many known words are stored. The program tries out the words one after the other. A powerful computer can work through even a very large list (a text file several MB in size) in a few hours and find all the passwords contained in the word list. It is also conceivable to string together known words in order to determine longer passwords that have been formed accordingly. Effective protection is achieved by not using known words and names.
    • Brute force attack
      In this procedure, all possible combinations of characters are tried out on the basis of a certain character set. The program is theoretically able to find any password. The time required to achieve success depends on the length of the password and the character set used and can thus be extremely long. This is the reason why passwords at Bauhaus-Universität should be eight characters long and must contain at least one special character and one digit.
    • Combined dictionary and brute force attack
      The programs used here are called hybrid crackers. In addition to searching a word list, all combinations from a certain previously determined character set are prefixed or appended to the words. It is also possible to replace certain letters with numbers or special characters (for example "O" is changed to "0" or "E" is changed to "3"). It is therefore not sufficient to choose a known word or name as a password and append a digit and a special character.
  3. By using data from (published) data thefts
  4. As a result of the disclosure of confidential information by social engineering or phishing
  5. By spying on the password as it is entered or when it is visibly noted
  6. ...
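The technical enforcement of specifications mentioned above (minimum length, complexity, history, exclusion of trivial passwords) and the dictionary, brute-force and hybrid methods just described can be turned into a concrete acceptance check. The following Python script is an added example written for this page; it is not the university's own tooling. The word list, the password history and the guessing rate of one billion attempts per second are constructed sample values, and the rules it enforces (eight characters, one digit, one special character, no known word even with prefixes, suffixes or "O" to "0"-style substitutions, no previously used password) are the ones stated in the text.

```python
"""Password-policy checker (added example, not the university's own code).

Enforces the rules described on this page and estimates the worst-case
brute-force effort for a candidate password. Word list, history salt and
guessing rate below are constructed sample values.
"""
import hashlib
import string

MIN_LENGTH = 8
# Constructed sample word list; a real deployment loads a large one.
WORD_LIST = {"password", "weimar", "bauhaus", "summer", "letmein", "qwerty"}
# Substitutions a hybrid cracker tries ("O"->"0", "E"->"3", ...), reversed here
# so that a disguised dictionary word is recognised as such.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})
AFFIXES = string.digits + string.punctuation


def _candidates(pw):
    """Base words a hybrid cracker could have started from: the password with
    prefixed/appended digits and punctuation removed, with and without the
    letter-to-symbol substitutions undone, all lower-cased."""
    cands = set()
    for base in (pw, pw.strip(AFFIXES)):
        for variant in (base.lower(), base.translate(LEET_MAP).lower()):
            cands.add(variant)
            cands.add(variant.strip(AFFIXES))
    return {c for c in cands if c}


def is_dictionary_based(pw, words=WORD_LIST):
    """True if the password is a known word, a known word with affixes or
    substitutions, or two known words strung together."""
    for cand in _candidates(pw):
        if cand in words:
            return True
        for w in words:
            if cand.startswith(w) and cand[len(w):] in words:
                return True
    return False


def history_hash(pw, salt=b"constructed-per-user-salt"):
    """Salted, slow hash used to keep a password history without storing
    the old passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000).hex()


def check_password(pw, history=(), salt=b"constructed-per-user-salt"):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if is_dictionary_based(pw):
        problems.append("based on a known word (dictionary/hybrid attack)")
    if history_hash(pw, salt) in history:
        problems.append("previously used (history)")
    return problems


def estimate_crack_seconds(pw, guesses_per_second=1e9):
    """Worst-case brute-force time over the character classes the password
    actually uses: both length and character-set size enter the exponent
    base and exponent, which is the point made in the text. The rate is an
    assumed, constructed figure."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 characters
    return size ** len(pw) / guesses_per_second


if __name__ == "__main__":
    previous = {history_hash("Tr0ub4d&3xQ")}
    for candidate in ("short", "Summer1!", "P@ssw0rd", "Tr0ub4d&3xQ"):
        print(f"{candidate!r}: {check_password(candidate, previous) or 'accepted'}"
              f" (brute force up to {estimate_crack_seconds(candidate):.0f} s)")
```

The check deliberately looks at what a hybrid cracker would generate rather than at the raw string: "Summer1!" satisfies length, digit and special-character rules but is rejected because stripping the suffix yields a word from the list, and "P@ssw0rd" is rejected once the substitutions are undone.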

Where do our password rules originate?

The password guidelines that are binding at Bauhaus-Universität Weimar are based on the recommendations of the Federal Office for Information Security (BSI). This is a recognised, central, independent and neutral institution in Germany that deals with IT security issues.

A recognised international standard that supports our requirements is ISO/IEC 27002 Information technology - IT security procedures - Guidance for information security management, section 11.3.1 Password usage.