Sample Module - Identity, your UTEID, and the truth about passwords.
In order to enroll for this course, you have to go through some steps that may seem silly in order to get an upgraded UTEID. Most incoming UT freshmen do this as a part of orientation, but in order to take this course, you have to do this before the course starts. Why?
This module will briefly discuss the concept of identity, a topic of ever-increasing importance in our digital world, and especially important at a digital university. It will present a number of current issues with identity, and unfortunately offer solutions to none of them. Your presence here at UT, your college education, will hopefully help you contribute to solving the problems created by the generations before you. Don't worry, there are plenty of them.
Next, we'll take a close look at your UT Electronic Identity (UTEID). We'll cover how to upgrade your UTEID, how to keep it secure, and why you should never share it with anyone.
Then, we’ll discuss passwords. You may be shocked to discover the truth about what makes a password strong, and hopefully we can teach you a new trick to make dealing with passwords a little easier. Finally, we’ll take a look at password managers, and why currently they may be the best solution.
By the conclusion of this module, you will be able to:
Understand the concept of identity, both physical and digital, and the problems we face in an increasingly networked world.
Upgrade your UTEID, and use it for a variety of purposes.
Have a very basic understanding of password history, entropy, and the latest information about creating, remembering, and using passwords.
Know what a password manager is, and how to use a free one.
In order to successfully complete this module, you must complete the following learning assessments (in addition to reading all of the required readings, main text, and video content for this module):
Quiz: Identity, your UTEID, and the truth about passwords.
Group Discussion: Thinking Critically about your Identity
Initial post due Sunday at 11:59 pm
Responses (two minimum) due Wednesday at 11:59 pm
Some modules may also introduce individual graded projects.
When you first applied for admission to The University of Texas, you created a UTEID, your UT Electronic IDentity. However, there has not been a single time during that process where you actually had to prove your identity, that the person filling out all those forms and sending in all that information was really you. Identity, "the fact of being who or what a person or thing is" is critical in the physical world. When you get a driver’s license or passport, you are fingerprinted, and both have your picture and your signature attached to them. These verify your identity in front of a third party, by supplying information that is unique to you - your image, fingerprint, and handwriting on a legal document.
What about the digital world? How can you be identified as actually being who you really are in the digital world? Not easily. In fact, using your verifiable personal information online as your digital identity can cause all manner of problems, including identity theft. When you consider that new college students are a prime target for credit card companies and young adults often get credit cards when they go to college, problems can arise very quickly. When you couple all of this with the fact that companies such as Facebook and credit-reporting agencies like Equifax have lost the personal identity information of millions of Americans to hackers, you can easily understand why many people consider the security of their digital identity a lost cause.
In an increasingly networked world, being able to tell that a person's online identity is "real" is quite difficult and can be impossible. Identity "proofing" of a digital identity is necessary in order to establish that a person is actually who they claim to be. Without identity proofing of some kind, a digital identity can be established by anyone, or even thousands of identities for a single person. Identity and identity proofing, that is, being able to verify that a person in the flesh matches a digital identity online, are becoming increasingly important, and the lack of identity proofing has become increasingly problematic.
In this course, we are going to start with one very important part of your identity, both physical and virtual, and discuss it in depth. Your UTEID will become a critical part of your academic life at UT.
Most UT students get their UTEID in an email after they apply to UT online. When students come to campus for orientation, they will get a physical UTID card with their photograph, and their UTEID will be "upgraded". This is identity proofing, where your identity is proven to the University with a photo ID and other documentation. This process also “upgrades” your UTEID, meaning your physical identity has been proven to match your UTEID digital identity. In order to take this course through University Extension in the summer before you come to UT for your orientation, you will have to upgrade your UTEID remotely if you don't live in Austin.
Identity proofing is not a new thing; it has been around for centuries. Early civilizations in ancient Egypt originated “sesh”, or scribes, to record important events and transactions and to identify the individuals involved in such transactions. The role of the sesh eventually evolved into the Notary Public, a public officer constituted by law to serve the public in non-contentious matters. Upgrading your UTEID remotely involves signing a document in the presence of a Notary Public, who will verify your identity from a photo ID, usually your driver’s license, if you have turned 18. If you are younger than 18, a parent will have to accompany you as well. You can find more details on upgrading your UTEID remotely here.
Once you have proven your identity, and upgraded your UTEID, you can access Canvas, the learning management system (LMS) used at UT. You will be able to access your grades online, and once you are on campus, you will use your UTEID to access the campus wireless network.
What you should never do, ever, is share your UTEID password. To keep your UTEID secure, you need a strong password. Let's look at how to create one, after we learn a little more history around defining a "strong" password.
The truth about passwords
Passwords are a pain. Have you ever thought about why that is? In 2003, Bill Burr was working at the US Department of Commerce in the National Institute of Standards and Technology (NIST). He was responsible for authoring the password section of 800-63, Appendix A, Electronic Authentication Guidelines. Published in June of 2004, the recommendations in this publication were widely adopted by businesses, universities, and government agencies. You know these all too well - change your password every 90 days, use a mixture of upper and lowercase letters mixed with numbers and symbols, basically creating something you can't remember very well. Many pe0ple ju5t substitut3d numbers for letter$ and symb0ls. It's painful to remember. Since 2004, the Internet has grown, a lot. The average adult in the US in 2017 has 27 passwords. It's a huge mess, a security nightmare, and it continues to persist today. Why?
Buried inside of 800-63, Appendix A, were the seeds of a better way, grounded in the information theory concept of entropy, which, at a very basic level, is a measure of randomness or unpredictability. A "passphrase", a series of words longer than the 8 characters required of most passwords, might be something "many people may prefer".
By 2011, the pain of passwords was widespread with the rapid growth of the Internet. In August, a cartoon appeared that became quite influential in the debate about password security and human users.
So, in essence, this is a story in which one human being ended up standardizing something having little to do with information theory, and ended up making millions of human beings absolutely miserable, and costing untold millions in lost productivity and time. Ouch.
By 2017, Bill Burr had retired from the NIST, and the agency had been working on revisions for some time. The “Wall Street Journal” interviewed him about the new guidelines in August, and the interview was republished widely. Four random common words (but not these four, because they are pretty famous now), “correct horse battery staple”, make a much better password than a jumbled up mess of letters, cases, and characters. Plus, don't change your password unless you suspect it has been compromised in a security breach. You’ll learn more about cybersecurity later in this course, an increasingly important subject in today’s world. Even the Girl Scouts are getting savvy about this area of technology. Now, let's hear directly from Bill Burr about his viewpoint change on passwords…
So, are the decades of password pain finally over? Are actual human beings finally being taken into consideration where the use of networked computers is concerned? Can I finally just remember my 4 dogs' names, Fret, Indy, Doob and Opal, and think FIDO to remember my bank account password? Alas, not quite yet. There are millions of computer systems around the globe, the majority of which use password authentication services built upon guidelines used from the 1980's through the NIST guidelines published in 2004. Many system administrators spend a significant part of their jobs resetting passwords and dealing with password issues. Change will come slowly, but perhaps if more people complain, and more people know the truth about passwords, life will get better!
Choosing your UTEID password
If you take this course, and we hope you do, you send in a notarized form to prove your identity to the University ID Center. Your UTEID will then be upgraded, and you can access the Canvas course pages.
You might be asked to change your UTEID password. If you cannot easily remember your UTEID password, you might choose to change it. You can go to the UTEID Self-Service Tools page, and select Change my Password. Here is where paradise ends.
At the time this was written (World Password Day, May 5th 2018, which is the day after World Star Wars Day, May the 4th be with you), The University of Texas was in the process of finalizing a new password policy that observes the new NIST password guidelines to a large degree. With a tentative implementation date of mid-July 2018, the draft version of the new UT policy would increase the number of required characters from 8 to 12, but relax the policy on dictionary words. It could still require the use of at least two of the three character sets (letters, numbers and symbols); the reason given for this is the large increase in entropy that a second character set brings.
So, fretindydoobopal may be easy to remember using the acronym FIDO, but that is a single character set. Adding a number, or a number and a character as a prefix to FIDO currently allows access into Chase Banking computer systems, so 1&fretindydoobopal will work for a very secure Chase banking password (Do NOT use this password), but what about a UTEID? Under the current system, this password is rejected based upon the word “doob”. Not fret, which is a part of a stringed instrument, not indy, short for Indianapolis 500, not opal, which is a stone, but “doob”? The Hindi name for Bermuda grass?
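As an added illustration, not code from the module or from UT's actual password checker, the script below models the two entropy arguments the text relies on: the per-character brute-force count that rewards a second character set, and the word-list count behind the four-random-words advice. The character classes, the 7776-word list size and the draft-policy rule are assumptions drawn from the text.

```python
import math
import string

# Character classes as the draft UT policy in the module counts them. Assumed:
# the exact classes and dictionary the real UTEID checker uses are not on the page.
CLASSES = {
    "letters": frozenset(string.ascii_letters),  # 52
    "numbers": frozenset(string.digits),         # 10
    "symbols": frozenset(string.punctuation),    # 32
}
# Assumed attacker word list for the "four random words" model (7776 is the
# size of a standard Diceware list; real lists vary).
WORDLIST_SIZE = 7776

def character_sets(password):
    """Names of the character classes the password actually uses."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def bruteforce_entropy_bits(password):
    """Bits if the attacker tries every string over the classes used:
    length * log2(alphabet). This is the model behind 'add a second character set'."""
    alphabet = sum(len(CLASSES[name]) for name in character_sets(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def wordlist_entropy_bits(words, wordlist_size=WORDLIST_SIZE):
    """Bits if the attacker knows the password is N random words from a list:
    N * log2(list size). This is the model behind 'correct horse battery staple'."""
    return len(words) * math.log2(wordlist_size)

def meets_draft_policy(password, min_length=12, min_sets=2):
    """Draft UT policy as the module describes it: 12+ characters and at least
    two character sets; dictionary words such as 'doob' are no longer rejected."""
    return len(password) >= min_length and len(character_sets(password)) >= min_sets

if __name__ == "__main__":
    fido = ["fret", "indy", "doob", "opal"]
    for pw in ("".join(fido), "1&" + "".join(fido)):
        print(f"{pw:20} sets={sorted(character_sets(pw))} "
              f"brute-force={bruteforce_entropy_bits(pw):5.1f} bits "
              f"draft policy={'pass' if meets_draft_policy(pw) else 'fail'}")
    # Both figures assume uniformly random choices. Judged as four dictionary
    # words rather than 16 random letters, the same string is much weaker, and a
    # human-chosen prefix like '1&' adds far less than the per-character count implies.
    print(f"four words from a {WORDLIST_SIZE}-word list: "
          f"{wordlist_entropy_bits(fido):.1f} bits")
```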
Now what? While there is a very good chance UT will change the UTEID password requirements soon, that’s just one good secure password. What about the other 26? How do you remember them all? Most of us don’t - we re-use passwords for multiple accounts, so if someone got your Facebook password, they might also have your banking password and your UTEID. How do we prevent this?
For most people, the best answer could be a password manager.
Password Managers are computer programs or web browser plug-ins that work between your computer or device, and a cloud-based computer that stores your passwords in an encrypted format. The program creates a unique encryption key on your computer, and you create a single master password. As you connect to things that require a username and password, the password manager will encrypt this information, and save it on your computer and your account on the cloud-based server. Password managers will save credit card and other personal information in an encrypted format, and will also generate strong, random passwords for you to use with each account. The company storing your managed passwords usually cannot read them because they are encrypted using your local machine, and your master password. Some of these password managers are free, some require a small monthly payment to access more features.
Data breaches of computer systems continue to increase, and in many of these cases attackers can access stored password information. Password managers encrypt your data before it leaves your computer, so attackers who steal that stored data have very little chance of actually reading your passwords. More dangerous has been the interaction between the browser, the password manager plug-in, and the user. Clever social engineering can cause people to do all manner of things, including visiting malicious websites that could lead you to reveal your master password. If you use a password manager, it’s important to keep anti-virus and anti-malware software updated, along with your operating system. The argument for using a password manager is that its users are much more likely to use truly random passwords for each account, and the security added by this alone is worth the small risk of using a password manager.
Browser Password Managers
All modern web browsers will offer to save your passwords for you, and most will sync across devices as well. A more flexible solution is a stand-alone password manager, which often offers more features than a browser password manager. The weak link in any password manager is the master password that protects all of your passwords, and stand-alone password managers often offer better security and follow the latest guidelines for master passwords.
LastPass is one example of a free password manager, but few things are truly free. LastPass uses a “freemium” business model: you get basic services for free, but have to pay extra for the premium services. What’s a bit worse about this particular model is that you start out with a Premium trial version where you can use all the features for 30 days, and then they remove some of them unless you pay for the Premium features. We’re going to show you how to install and use LastPass Free below, but first let’s examine the weakest link in the password manager chain, the master password. LastPass has a great page on how to make a stronger password that was updated on 3/15/2018, and they have clearly read the new NIST guidelines. They recommend a 20 to 30 character random passphrase, with both words and characters, and we will try our FIDO acronym without the prefix to see if it works. Keep in mind that LastPass also works on mobile devices, and will integrate with fingerprint readers. While it may seem like a pain to type a long passphrase, with a password manager you usually do this only a few times, compared to having 27 unique passwords to remember. We’ll be looking at what services LastPass Free can actually provide.
Introduction to LastPass