Passwords at U-M
Note: CAEN has begun the gradual phase-out of both the ENGIN.UMICH.EDU Kerberos realm and the ENGIN Windows Domain, and consequently fewer and fewer people will receive a CAEN password. Instead, individuals will use their ITCS (UMICH.EDU) Kerberos and Windows (UMROOT) Domain passwords to access CAEN computers and services, thereby reducing the number of passwords you will need to remember.
Overview
- Protecting Your Password Is Important
- Passwords at CAEN and ITCS
- Why So Many Passwords?
- Syncing your Kerberos and Active Directory Passwords
- General Guidelines for Selecting a Password
- Special Characters and Restrictions
- Change your Password Often!
Overview
Nearly everyone who uses the Internet today has countless passwords, whether for instant messaging, managing finances, reading news, enrolling in classes, or a myriad other cases where authentication and authorization are necessary. As a computing account holder at the College of Engineering, you have at least two passwords. This page provides a brief explanation of the systems that use certain passwords, why multiple passwords are necessary, and how the passwords are used. Additionally, this document will provide general guidelines for selecting a superior password and using it securely.
Protecting Your Passwords Is Important
Frequently, and at an increasing rate, CAEN account holders are targeted by malicious intruders, also known as hackers, who attack user accounts and attempt to obtain passwords. Often, hackers try to compromise user accounts by exhaustively and programmatically cycling through huge collections of words (in dozens of languages), using trial-and-error to guess the passwords of CAEN users.
CAEN offers password guidelines to help ensure that hackers will be unsuccessful in their attempts. Despite this, hackers occasionally succeed, and when CAEN discovers any security breaches on its network, our security personnel alert those affected immediately. If you ever receive a message or phone call from a CAEN representative stating that your account has been hacked, you should change your password as soon as possible. See the bottom of this page for a link to change your password.
Many users of computing networks share a common misconception that no hacker would ever be interested in gaining access to their account. What many people don't realize is that hackers usually don't care whose account they're exploiting. A computing account is merely a means of gaining access to a system, and to more accounts on that system. Once an account has been compromised, the hacker can use it for any number of destructive or illegal purposes. Furthermore, when a hacker uses your account to conduct his or her devious deeds, they are essentially doing it under an assumed name: Yours!
As the user of a large computing network like CAEN, it is important to be conscious of security issues that may impact all users of the system. One of the simplest ways to help ensure that your account is not compromised is to select a secure password and to change it frequently. Remember to change your password at least once every semester. If you have questions about changing your password or if you are unable to change your password successfully, visit the CAEN Hotline.
Choose your passwords carefully, and never share them with others. Follow the guidelines in this document to select a secure password. Passwords that are easy to guess threaten the security of the entire system on which the account exists, and ultimately any larger networks of which the system is a part.
Passwords at CAEN and ITCS
| Password | Example Services |
|---|---|
| ITCS Kerberos | ITCS Login server; ITCS Email; ITCS AFS File Storage; CAEN Login server; CAEN Lab Workstations; Wolverine Access; U-M Online Directory |
| ITCS Active Directory | U-M Exchange Accounts; CAEN NAS File Storage; Live Communication Service |
| CAEN Kerberos | CAEN AFS File Storage |
| CAEN Active Directory | CoE Exchange Accounts; CoE SharePoint Server; CoE Departmental Groups |
Most CAEN account holders actually have two passwords. However, some people may also have a third, or more. By virtue of having a uniqname, all University of Michigan computing account holders are issued two passwords: a password for the UMICH.EDU Kerberos realm and a password for the UMROOT Windows Active Directory domain, both of which are operated by ITCS. Some CAEN account holders may also have a Kerberos password in the ENGIN.UMICH.EDU realm, and you may also have an Active Directory password for the ENGIN Windows Active Directory domain.
Note: The majority of the College of Engineering community is only issued ITCS UMICH.EDU & UMROOT passwords, which will be used to log into all CAEN services.
Kerberos
Kerberos is an authentication method developed by MIT in the late 1980s that enables someone to prove their identity to a computing service in a secure way, protected from eavesdropping. Your ITCS Kerberos password is used for authentication to ITCS and CAEN services, and once provided successfully, authorizes you to use IFS, ITCS E-Mail, Wolverine Access, The U-M Online Directory, and many other campus resources available to the general University of Michigan community. Your Kerberos password enables you to log into CAEN Linux workstations, such as login.engin.umich.edu, and to run the software found on that operating system.
Windows Domain Accounts and Active Directory
At the University of Michigan, Windows computers utilize Active Directory for authorization to services. Active Directory is a system developed in the 1990s by the Microsoft corporation to manage users, hardware, software, and access policies. Active Directory uses a "trust" system to grant access to the services it manages, and by authenticating with a username and password associated with a Windows Domain, you will be able to access the Windows services provided by CAEN and ITCS. The ITCS Windows Domain is called UMROOT, and the CAEN Windows Domain is ENGIN.
Although some CAEN users have Windows Domain accounts in the ENGIN domain, the majority do not. CAEN has phased out the use of the ENGIN domain for public services, such as access to CAEN computing labs, because many Windows services (e.g. login privileges in CAEN labs, access to NAS space, etc.) allow users to authenticate via the UMROOT Domain at ITCS, or in some cases using their Kerberos password. CoE faculty and staff are likely to have ENGIN Domain passwords, since access to departmental resources is often controlled using ENGIN credentials. Additionally, CoE faculty and staff use ENGIN Domain passwords to log into Microsoft Exchange for their calendars and email.
Those who have accounts in the ENGIN Windows Domain are probably unaware this password exists because CAEN's password reset page synchronizes Windows Domain passwords and CAEN Kerberos passwords automatically. ITCS does not synchronize passwords automatically, however, meaning that your UMROOT Domain account password may be quite different from your ITCS Kerberos password. In order to access ITCS Windows resources, such as their Exchange service, it is advisable to synchronize your ITCS Kerberos and Windows passwords to avoid problems and confusion.
Why So Many Passwords?
As new operating systems and technologies are developed and put into production at the University of Michigan, the authentication and authorization methods required to access them evolve as well. For example, CAEN pioneered the deployment of technologies such as Network-Attached Storage (NAS) and Exchange at the University of Michigan. At the time of deployment, it was necessary to utilize the ENGIN Domain for authentication and authorization; however, as time goes on, and as technologies come into common use, duplication of effort can occur and it becomes advantageous to eliminate redundancies.
Syncing your Kerberos and Active Directory Passwords
In order to log into a CAEN Windows computer and access software, you must authenticate using your uniqname and UMICH.EDU (Kerberos) password. The system then uses a pass-thru authentication method, using your Kerberos credentials to gain access to Windows Active Directory services. In many cases after several login attempts are made over a short period of time, the Active Directory portion (i.e. UMROOT) of the account can become locked, and prevent access to software or future login for up to 15 minutes. More information on the pass-thru authentication method can be found at the U-M Windows Home:
In order to prevent this "lock-out" from occurring, it is recommended that all CAEN users set their UMROOT password to be the same as their UMICH.EDU password. This will allow authentication to Windows services without the risk of disabling access. To set your UMROOT password, you should visit the following web page:
You will be asked to authenticate with your UMICH.EDU password before you can set your UMROOT password. You should then set your UMROOT password to be the same as your UMICH.EDU password. If you have trouble using either of these passwords, contact the ITCS Accounts Office to get them reset.
General Guidelines for Selecting a Password
Use this document as a guide to selecting a good, secure password - one that is not easily guessed, and if intercepted on a network, appears as though it is a random string of gibberish.
- DO make your password at least six characters in length -- the longer, the better (see next section for length restrictions).
- DO mix capitals and lower case letters in your password.
- DO use at least one non-alphabetic (e.g. 0-9, %, ^) character in your password, for example: N0n0fyerBizn's
- If you are having trouble figuring out a good password, try thinking of a phrase that only you would know, and take certain letters from it: "Time keeps on ticking." could be TkOnT!ckIn9, or "I love macaroni and cheese!" could be Il0vM&Ch!
- DO change your password often!
- DO NOT tell anyone your password
- DO NOT write your password down - memorize it!
- DO NOT make your password a word contained in any dictionary, in any language.
- DO NOT do the following to dictionary words:
  - Simply append or prepend a character (e.g. password! or !password)
  - Reverse the word (e.g. drowssap)
  - Repeat letters (e.g. passwordpassword)
  - Remove vowels (e.g. psswrd)
- DO NOT use personal information (easily guessed!) as your password. For example:
  - Mother's maiden name
  - Social security number
  - Phone number
  - Address
  - Birthdays
  - First, middle, or last name
  - Names of friends
  - License plate
- DO NOT use your CAEN or ITCS passwords for anything else, especially for Internet services like shopping or Hotmail accounts. In general, it is a good idea to have different passwords for all of your Internet accounts. You can't know who has access to your password on a remote system, and if you use the same password for different services, anyone who obtains your password on any one of those services knows your password on all of them!
- DO NOT use any examples that we have given.
Special Characters and Restrictions
| Character or Restriction | Potential Problem |
|---|---|
| The "at" symbol (@) | This is the historical kill character on some UNIX systems (e.g. HP-UX) and may still be in use. |
| The "pound" or "hash" symbol (#) | In a similar vein to the @ symbol, this is the historical "erase" character on some UNIX systems (e.g. HP-UX). Likewise, under most conditions, it will be necessary to precede this character with a backslash, escaping its special meaning. |
| Leading/trailing hyphens (-) | Hyphens are commonly used to denote flags or switches for UNIX and Linux commands, and can cause problems on these systems. (If you experience this problem, it is likely a bug and should be reported to your system administrator - for CAEN use Contact CAEN.) |
| Dollar signs ($) | Certain login mechanisms of some versions of UNIX have trouble authenticating users with passwords containing dollar signs, possibly because the $ has special meaning to many shells, and commonly denotes a variable. (If you experience this problem, it is likely a bug and should be reported to your system administrator - for CAEN use Contact CAEN.) |
| Forward slash, Plus, Period (/, +, .) | These characters may cause authentication problems with the Merit Global Service (a dial-in service). These symbols have historically had a special meaning to the authentication mechanism used by this system. |
| Length Restrictions | Passwords containing more than 16 characters may cause authentication problems on many systems. |
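
The selection guidelines and the character restrictions above can be expressed as a single checker. This is an added example, not CAEN or ITCS code; the function names and the four-word sample list are assumptions made for illustration, and a real check would load a large multi-language word list.

```python
MIN_LEN, MAX_LEN = 6, 16      # length limits stated on this page
RISKY_CHARS = "@#$/+."        # characters the restrictions table flags
VOWELS = "aeiou"

# Constructed stand-in for a real dictionary (assumption for this example).
SAMPLE_WORDS = {"password", "michigan", "wolverine", "engineer"}


def derived_from_word(pw, words):
    """Return the dictionary word pw is trivially derived from, or None."""
    p = pw.lower()
    # The word itself, reversed, or with one character prepended/appended.
    candidates = {p, p[::-1], p[1:], p[:-1]}
    half = len(p) // 2
    if len(p) % 2 == 0 and p[:half] == p[half:]:
        candidates.add(p[:half])                  # word repeated twice
    for w in words:
        if w in candidates:
            return w
        if "".join(c for c in w if c not in VOWELS) == p:
            return w                              # word with vowels removed
    return None


def check_password(pw, words=SAMPLE_WORDS):
    """Return a list of guideline violations; an empty list means none found."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than 6 characters")
    if len(pw) > MAX_LEN:
        problems.append("longer than 16 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("does not mix capitals and lower case")
    if all(c.isalpha() for c in pw):
        problems.append("no non-alphabetic character")
    word = derived_from_word(pw, words)
    if word:
        problems.append(f"derived from dictionary word '{word}'")
    risky = sorted(set(pw) & set(RISKY_CHARS))
    if risky:
        problems.append("characters that may break some logins: " + " ".join(risky))
    if pw.startswith("-") or pw.endswith("-"):
        problems.append("leading or trailing hyphen")
    return problems
```

Note that `Password1` satisfies the mixed-case and non-alphabetic rules yet is still rejected, because lowercasing and dropping the appended character recovers a dictionary word.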


