Your access.caltech username and password are your key to services, support, and more.
- The Importance of Good Passwords
- Choosing Passwords
- How to Change Your Password
- Guarding Your Password
- If You have Forgotten Your Password
If You Think Your Password has been Compromised
A password is like the combination for a combination lock or the PIN number for an ATM card. It is a way of proving to a computer that you are who you claim to be. Unfortunately, passwords can be compromised, just as a combination can be guessed, or all possibile combinations attempted, or someone can look over your shoulder as you key in your PIN.
In the past, password guessing was fairly difficult; however, this is no longer the case. Hackers have ever-increasing resources and Caltech presents an attractive target, so all accounts on all servers here need to be protected as much as is practical.
The system administrators make it as difficult for hackers as we can to prevent compromise from the server side, but individual account security is dependent on the security of each individual account's password. This is why it is extremely important for you to use passwords that cannot be guessed.
Adhering to the following guidelines will not guarantee you absolute safety, but will make it more difficult for your password to be compromised.
Do not use the following as passwords:
- Names: your account username, your real name (first or last), names of spouses, children, friends, pets, etc.
- Personal information: your bank PIN number, your Social Security Number, your birthday, your phone number, your address, your license plate number, or any of the above belonging to spouses, children, friends, pets, etc.
- Word and Phrases: dictionary words from any dictionary, or phrases that are nothing but sequences of lowercase characters and spaces (long phrases are OK as long as you put in some unusual characters as well)
- Patterns: repeated characters ("aaabbbccc"), keyboard or alphabetic sequences ("qwerty", "abcdef"), acronyms (CIT acronyms especially)
Do not use them even if they are:
- prefixed or affixed by a single digit or punctuation mark ("yikes!", "4myself")
- the result of substitution by characters of similar appearance ("$ch001", "g33k", "b1gmac")
The IMSS Unix and Windows clusters enforce the following restrictions on passwords to make sure they are "strong":
- They must be at least 10 characters long, but no more than 20 characters. (The longer your password, the better.)
- They must contain at least two letters and one non-letter.
They must contain characters from at least three of the following four categories:
- Uppercase letters
- Lowercase letters
- Anything not in the above three categories
- They cannot be your username, your username reversed, or a cyclic shift of either of the above, considered case-insensitively (it's unlikely such a password would pass the "four categories" test, in any case).
- They cannot contain any piece of the "real name" associated with your account (so user johnj whose name is "John Jones" cannot have john!123 or 45JOnes# as his password).
One suggestion some of our users have found useful is to remember a special sentence associated with their account on a particular system, and then use the first letters of each word in the sentence to form their password. With a few numerical substitutions, using a proper noun or two in the sentence to get some capitalization in there, and adding in a punctuation mark or two, the resulting password is sufficiently random-seeming to be a good password, but it is also easier to remember than a purely random string of characters.
"I'm not the super user. My password can't be that important."
Hackers often have at their disposal "local exploits", which are ways of getting the equivalent of superuser accounts starting with a normal account. If a hacker can get hold of your password, they can then get on to our systems using it, then try a local exploit that might work. It was your password that "let them in the door".
Also, many hackers don't care about what's in your account; they only want to use it as a base for launching attacks on computers and accounts they do care about, so their location is harder to trace and/or block. If someone uses your account to do this, it can damage Caltech's reputation and affect your and other Caltech people's ability to use our computers to do their real work.
"Nobody knows what "axolotl" means. They'd never guess that."
"I'll use a word from a foreign language."
Electronic dictionaries now exist for most languages with a significant number of speakers or a significant literature. Hackers' guessing programs make use of these dictionaries and can automatically check for variants (substituting appropriate digits for letters, for example).
Note that IMSS systems store passwords in such a way that it is hard for hackers to get the information they need to work on cracking your password without repeatedly trying to log in to your account (which we can detect); however, other systems you use may not be so secure.
Now that you have chosen a strong password, you need to protect it.
- If you must write it down, make a change to it so somebody else reading it won't be able to use it directly, i.e. if it's "J472cEeA", write "J250cEeA" (subtract 2 from each digit).
- Don't send your password over a computer network, or store it on a computer, without encrypting it. Most especially, this means don't send it in the clear over email. (Someone did this at the University of Washington Medical Center, with disastrous results ... read all about it here). Avoid using the telnet or rlogin programs to log in to a computer (use ssh instead), and avoid using non-anonymous ftp to transfer files to or from your account (use scp instead). Avoid using the "insecure" versions of POP or IMAP to read your mail (our systems support the secure versions).
- Be very careful where you enter your IMSS UNIX password. IMSS recommends against using service repackager services which allow users to enter their usernames, passwords, and server names into a commercial webpage for remote email browsing, because IMSS cannot guarantee the security or authenticity of such non-Caltech commercial systems. We also recommend against using your IMSS password as a subscriber password on non-Caltech web sites.
Do not tell it to anyone, even if they claim to be a system administrator. Under no circumstances does a sysadmin need your password. If you receive mail from a system administrator asking you to change your password to something specific, don't. We might ask you to change it to something else, but we will never tell you what to change it to.
To change your password using the Web, connect to https://access.caltech.edu Enter your username and password to login. Click on the 'Manage My Password' tab at the top of the page. Enter your old password, and your new password twice and click 'Reset Password.'
You can also change your password at https://utils.its.caltech.edu. Enter your username and your old password. You should then be shown a web page containing information about your account, with a "Change Password" link at the bottom of the page. Click on that link, and you will get a form where you can type in your new password twice. Do so, then click the "Change Password" button. If your password was the same in both boxes and met our strength critieria, your password will change. Click the "back" button on your browser twice to get back to your account information, then click the "Log out" link to exit the system.
Additional Information and Help:
If you are trying to use the Change Password feature in Eudora, it will not work. Eudora uses a relatively insecure mechanism for password changing which is not enabled on our systems for security reasons.
For more help, please call the IMSS Helpdesk, at x3500.
An IMSS Helpdesk Consultant can reset your password. Note that we store passwords in such a way that we can't recover them for you if you forget them.
- Come visit the Helpdesk in person with your Caltech ID at room 204 in the Central Engineering Services Building, or
- Call x3500 from the Caltech extension issued to you (the caller ID must show your name).
Note that we can only give out new passwords in person or over the phone (we never send passwords via email), and that all new passwords are randomly generated 8-character strings.
If you want to reset your password to something else after that, you will need to wait about ten minutes, and then follow the instructions given above for changing your password.
What if I'm away from Caltech?
If you are out of the Caltech campus area (overseas, for instance) and you need your password reset before your return to campus, we can make arrangements with you to fax a copy of your Caltech ID to have your password reset. Call the Help Desk at x3500 to make arrangements.
If you suspect that someone other than you has been using your access.caltech account, or that someone other than you knows your password, please notify IMSS immediately by telephoning the Help Desk at x3500 so that we can investigate. If you are able to send email, you can also contact Information Security directly by sending mail to firstname.lastname@example.org. Change your suspect password by going to https://access.caltech.edu. It is always wise to change a password that you believe may have been compromised. However, it is important to investigate the incident as well, so that the problem doesn't occur again.