Password managment with Kerberos

Beginning from 7/1/2002, a new log-in procedure is running in the HP-Pool (UNIX). Instead of past uncertain NIS-Servers, a Kerberos server is activated. First, the user recognizes nothing, because the past NIS passwords are taken over for a short transition period for the Kerberos server. These are the first passwords for the Kerberos server. After the transfer the user receives a mail. He is asked to modify the password.

There is only one password for all services of the Computer Center.

Das Passwort darf nur auf WWW-Seiten des RZ eingegeben oder zu deren Servern geschickt werden. Insbesondere die Weitergabe an Dritte ist gemäß Benutzerordnung nicht gestattet! Auch das Hinterlegen des Passwortes für sog. E-Mail Sammeldienste stellt eine Weitergabe dar und ist nicht gestattet.
Eine Liste der unterstützen Dienste des RZ bei denen Sie Ihr Passwort verwenden dürfen finden Sie hier.

Password are getting old. Everytime you use your password, there is a probability that the password will get into the wrong hands.There different ways how that can happen, here are some examples:

• someone looks on your keyboard while your are typing the password
• you saved your password in your email client and if you give your computer away, forget to delete the password
• a virus on your computer saves your password while you enter it
• you have entered your password in the wrong place (e.g. user id field) and now the password will be saved to the log file or send by mail
• someone was able to listen to the communication between your pc and the mail server

Over time this will result in an insecure password, which will be known to more people than you like.

The WWW-Interface to use our Password Change Service you can find in the following url:

You can use the Inteface for the following tasks:

• change you current password
• place a mobile phone number, to easily change your password in case you forgot your password
• to recieve a new initial password to the previous given mobile number, in case you forgot your password. The initial password needs to be changed afterwards.

If your password run out you can change it by your own, see change Password. If you have forgotten your password and you did not save your mobile number on our server, you need to write an email to the Service Desk with a copy of your ID, and the expressed wish to reset your password or you can visit the User Service Center (please bring your ID).

After the password expires you are no longer able to recieve or send email, upload files to your homepage or work on the WWW-Servers.

Of cource you can change your password if your password expired. You could use the WWW-Interface to change your password https://ps.tuhh.de/cgi-bin/passwd?page=1&lang=en.

After you change your password you immediately are abel to use our services again.

Using https://ps.tuhh.de/cgi-bin/passwd there are the following enforced requirements for your password:

• The password is not allowed to contain your account name or part of your name.
• It has to be at least 12 characters long and not longer than 20.
• It must contain at least one character three of the following character classes:

- upper case characters: A-Z
- lower case characters: a-z
- numbers: 0-9
- these additonal characters: !#$%()*+,-./:;<=>?@[]_{}

Computers become more efficient. The speed of operation, with which passwords will be detected, increase constantly. With Kerberos, it is no more as easy as it was with the previous system, to get the password information of the entire pool, and to use then at home - or with another computer - to detect all passwords. Nevertheless it is possible also with Kerberos to detect passwords, if someone gets Kerberos-internal information. Detecting of passwords becomes more difficult when a password is longer. We decided us for 10 characters.

With 10 characters you can form a small sentence quite well and separate the words by special characters or by capitalization and lower-case. It is possible to write down your password, if you protect your notes well against the access from others. This is simple to reach, if you keep the note in your purse.

Statt an den bisherigen unsicheren NIS-Server werden die Rechner an den vorhandenen Kerberos -Server angeschlossen. Die meisten Benutzer merken davon zunächst nichts, da ihre bisherigen NIS-Passworte für eine kurze Übergangszeit als Anfangspassworte des Kerberos-Servers übernommen werden.

For further questions please contact the User Service Center, E-Mail: servicedesk(at)tuhh(dot)de

• Access control for TUHH websites using the TUHH useraccount and password
  
• Connecting a Windows Domain to the Kerberos server
• Login per kerberos ticket