Tuesday, April 21, 2009

A PSA on Password Security

Westlaw just announced an upcoming change to its password policy: beginning May 31, Westlaw users will see a prompt to create a OnePass account (username and password) in order to access the research sites, rather than using the 11-digit “Westlaw Password” from their original registration card. A separate username and password has always been an option for accessing Westlaw, but it will soon be a requirement: by mid-July, all Westlaw users at Duke will need to create a OnePass account, or update an existing one, in order to conform to password security standards.

The only real surprise about this announcement, though, is how long it took to arrive. A separate username and password has been required by LexisNexis for several years, following a high-profile security breach in 2005 (http://www.nytimes.com/2005/04/13/technology/13theft.html). Many other websites, such as online newspapers, also require usernames and passwords.

Unfortunately, this desire for added security can often have the opposite effect: users who are afraid of forgetting multiple passwords frequently use the same password for all sites, or use extremely simple passwords that are easy for hackers to crack. In 2007, PC Magazine compiled a list (http://www.pcmag.com/article2/0,1759,2113976,00.asp) of the 10 most commonly used online passwords:
  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein
  6. monkey
  7. myspace1
  8. password1
  9. blink182
  10. (your first name)

Did you see any of your passwords on this list? Now might be a good time to review the Duke Office of Information Technology’s Password Security FAQ (http://www.security.duke.edu/password.html). OIT has compiled helpful advice for choosing a good password and avoiding weak ones. An interesting chart demonstrates the relationship between length of password and security: a five-character password would take a password-cracking program approximately 2 hours to guess, but the addition of just one more character could stump such a program for up to 7.9 days.
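
The chart's two figures fit an exhaustive search over the 95 printable ASCII characters (2 hours × 95 is about 7.9 days). The sketch below is an added example, not code from OIT or PC Magazine: it assumes that alphabet and the guessing rate it implies, and checks a candidate password against the list above. The function names and the one-year threshold are hypothetical choices.

```python
import string

# The named entries from the list above (item 10, the user's own first name,
# is handled through the first_name argument).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "abc123", "letmein",
                    "monkey", "myspace1", "password1", "blink182"}

# Assumption: the chart models exhaustive search over printable ASCII.
PRINTABLE = 26 + 26 + 10 + 33          # lower + upper + digits + symbols/space = 95
# Guess rate implied by "five characters in about 2 hours" under that assumption.
GUESSES_PER_SECOND = PRINTABLE ** 5 / (2 * 3600)


def worst_case_seconds(length, pool=PRINTABLE, rate=GUESSES_PER_SECOND):
    """Time to try every string of `length` characters drawn from `pool`."""
    return pool ** length / rate


def pool_size(password):
    """Smallest combination of character classes that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33                      # anything else counts as a symbol
    return size


def audit(password, first_name="", min_days=365):
    """Return (verdict, worst-case days). min_days is an arbitrary threshold."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or (first_name and lowered == first_name.lower()):
        return ("reject", 0.0)          # on a guessing list: tried first
    days = worst_case_seconds(len(password), pool_size(password)) / 86400
    return ("weak" if days < min_days else "ok", days)


if __name__ == "__main__":
    for length in (5, 6, 8, 10):
        print(length, "chars:", round(worst_case_seconds(length) / 86400, 1), "days")
    for pw in ("Monkey", "kq7rm", "v9#Lp2!xQe"):   # constructed sample inputs
        print(pw, audit(pw))
```

The day counts are an upper bound for blind guessing only; a password built from a dictionary word falls far sooner than its length suggests.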

While you ponder the creation of your new Westlaw password this summer, review the OIT guidelines and ensure that your many other passwords are safe and secure. For related information on computer security, check out the Law School's Academic Technologies page (http://www.law.duke.edu/computing/security/index).