Students Activate FAS Accounts, Face Security

Due to increased security measures, students activating their Harvard computer accounts yesterday took a 32-question quiz and tried to think of nonsensical new passwords hackers would have trouble deciphering.

The quiz, which was intended to increase awareness of the University's network use guidelines, asked true-false questions in a random order. Students were allowed one mistake and could take the quiz as many times as needed until they passed.

The program then asked students for a new password, but would not accept words resembling those in dictionaries. Suggestions were given for students unable to come up with passwords of their own. One request generated passwords such as "16ilut" and "k9tig5."

Less word-like passwords will help prevent dictionary attacks in which a "malicious user" uses combinations of words to hack into another student's account, said Rick Osterberg '96, coordinator of Residential Computing Support.

In the past, only new students were required to take the quiz, but all returning undergraduates, graduate students and Extension School students need to take it this year, Osterberg said.

Written by the security unit of Faculty of Arts and Sciences (FAS) Computing Services with input from the Administrative Board, the quiz was meant to inform students before they accidentally get in trouble for violating rules.

Some of the true and false statements on the quiz included: "There's nothing wrong with forwarding chain letters, as long as no money is involved," "Harvard's computers may not be used for pranks or practical jokes" and "A computer Systems Administrator or User Assistant may ask me for my password in order to provide assistance."

The answers to these questions are false, true and false, respectively.

Osterberg said the quiz, modeled after one developed at the University of Delaware, was an effective way to reach students.

"By restating the rules in the form of a simple, interactive quiz, we hope to make the text more compelling and to engage students to think about the issues of appropriate computer use," he said.

Joshua Glassman '02 said he thought the quiz was informative and easy, but that finding a new password was difficult.

"I probably typed in 8 to 10 different things before it worked," Glassman said. "Actually it was frustrating."

Glassman added that he doesn't think there ismuch risk of people discovering his password nomatter how word-like it is.

"Even if my password is 'dog' the odds thatsomeone is going to guess that my password is'dog' are not that good," he said.

Julia M. Rosenbloom '01, who said she got all32 questions correct, chose her own passwordrather than taking one of the suggested ones.

"I guess [suggested ones are] not as easy toremember," Rosenbloom said. "You can kind ofpersonalize yours."

While "dictionary attacks" on students'passwords occur, the most common way passwords getout is when students share them, an act thatviolates FAS computer policy, Osterberg said.

Attention was drawn to the issue of networkmisuse last year when, Garrick Lau '98, the CEO ofOmicron Technologies Corporation, used his webpage to distribute computer software.

Over a 14 month time span, downloads from Lau'spage accounted for 12 percent of all datatransmitted over the server, drawing the ire ofnetwork administrators who said Lau was violatinga policy prohibiting commercial use of Harvard'snetwork.

Rules for use of the FAS network can be foundin the Handbook for Students.

Students have until Thursday, October 15 toreactivate their FAS accounts. Activation can bedone through a telnetbased program or through theweb sitehttp://www.fas.harvard.edu/computing/utilities/

Glassman added that he doesn't think there ismuch risk of people discovering his password nomatter how word-like it is.

"Even if my password is 'dog' the odds thatsomeone is going to guess that my password is'dog' are not that good," he said.

Julia M. Rosenbloom '01, who said she got all32 questions correct, chose her own passwordrather than taking one of the suggested ones.

"I guess [suggested ones are] not as easy toremember," Rosenbloom said. "You can kind ofpersonalize yours."

While "dictionary attacks" on students'passwords occur, the most common way passwords getout is when students share them, an act thatviolates FAS computer policy, Osterberg said.

Attention was drawn to the issue of networkmisuse last year when, Garrick Lau '98, the CEO ofOmicron Technologies Corporation, used his webpage to distribute computer software.

Over a 14 month time span, downloads from Lau'spage accounted for 12 percent of all datatransmitted over the server, drawing the ire ofnetwork administrators who said Lau was violatinga policy prohibiting commercial use of Harvard'snetwork.

Rules for use of the FAS network can be foundin the Handbook for Students.

Students have until Thursday, October 15 toreactivate their FAS accounts. Activation can bedone through a telnetbased program or through theweb sitehttp://www.fas.harvard.edu/computing/utilities/