Passwords in the Orion system


Passwords are the most commonly used way to verify a user’s identity (authentication). The principle is simple: whoever proves to know the password for a given username is automatically deemed by the computer to be the legitimate user. The password is the only link between a real person (e.g. Anna Nováková) and the corresponding electronic identity (e.g. the Orion account civenka), so it must be handled with due care.


Password ...

Most of the IT services of UWB (Webmail, Portal, Courseware, etc.) and the components of the Orion computing environment (e.g. computer classrooms) use a central system to verify a user's identity by a password, provided by the Kerberos service. For an ordinary user this means one username and one password that work "everywhere". We therefore often speak of “Orion accounts” and “Orion passwords” or “Kerberos passwords”.

Such a system is advantageous because you do not have to remember a separate username and password for each system; on the other hand, the potential harm is greater if someone obtains the password and abuses it (borrowing library books, spending money in the canteen, registering or cancelling exam dates, using the account for unethical activities, etc.). It is therefore important to choose a password carefully and keep it secret. The way a password is chosen and used must strike a reasonable balance between the level of security and the user’s convenience. For this reason, certain rules regarding passwords have been introduced at UWB.

... what password should I choose?


The first step is to choose a “strong” password, i.e. one that is as hard as possible to “guess” by trying different options. An attacker can try a very large number of combinations in a very short time, so passwords that are too simple or too short do not hold up.

Basic rules that UWB passwords have to meet:

  • Minimum length is 8 characters.
  • The password contains characters from at least two different groups. There are four groups of characters altogether: capital letters, small letters, digits and other characters (full stop, comma, colon, etc.).

Meeting these conditions rules out really feeble passwords; it is, however, also important to avoid other passwords that are easy to guess. For instance, the password Civenka90 meets the conditions, but it is still very easy to guess. The ideal password is a sequence of characters that is as random as possible and has no connection to the user. Never use names, dates, place names and the like that relate to you. Especially in the era of social networks, it is very easy to find out a lot of information about you and, based on it, try out large numbers of likely passwords.

But how can you create a seemingly "meaningless" sequence of characters that you can nevertheless remember? By using a so-called passphrase: a sentence or a short text from which you derive the password. For example:

Sentence:

99 percent of Erasmus students agree, that the Czech beer is the best!

Password:

99poEsa,ttCbitb!

Thanks to the passphrase, it is not a problem to remember such a password, but it is also virtually impossible for an attacker to break it through brute force, unless the user reveals it to the attacker.

Tip: When creating a password, avoid, if possible, characters whose position depends on the keyboard layout: for example z/y, accented letters and various exotic characters. Different devices may have different settings (e.g. when entering the password on Orion stations, the keyboard is set to English), and such characters are often a big problem when attempting to log on.
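The rules above, the passphrase trick and the keyboard tip can be checked before a password is submitted. The following is an added example (not part of the original page or of the Orion system); it assumes the password history is passed in newest-last and that the username check and layout check are advice only, since the page says Civenka90 does meet the formal rules:

```python
import string
from typing import Sequence

# The four groups of characters the UWB rules name: capital letters,
# small letters, digits and other characters (full stop, comma, colon, ...).
GROUPS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "other": set(string.punctuation),
}

def derive_from_passphrase(sentence: str) -> str:
    """Build a password from a passphrase the way the page's example does:
    a word that is a number is kept whole, every other word contributes
    its first letter, and punctuation attached to a word is kept."""
    parts = []
    for word in sentence.split():
        core = word.rstrip(string.punctuation)
        trailing = word[len(core):]
        parts.append((core if core.isdigit() else core[:1]) + trailing)
    return "".join(parts)

def check_policy(password: str, history: Sequence[str] = ()) -> list:
    """Return the UWB rule violations for a candidate password (an empty
    list means it would be accepted): length, character groups and
    reuse of the last five passwords (history is assumed newest-last)."""
    problems = []
    if len(password) < 8:
        problems.append("too short: at least 8 characters")
    present = [g for g, chars in GROUPS.items() if any(c in chars for c in password)]
    if len(present) < 2:
        problems.append("needs at least two of: upper, lower, digit, other")
    if password in list(history)[-5:]:
        problems.append("was used previously: choose a completely new one")
    return problems

def advice(password: str, username: str = "") -> list:
    """Warnings that are not rules but follow the page's guidance: a
    password built from the username (Civenka90) and characters whose
    position depends on the keyboard layout (z/y, accents, exotic signs)."""
    warnings = []
    if username and username.lower() in password.lower():
        warnings.append("contains the username, easy to guess")
    layout_dependent = {c for c in password if c in "zyZY" or not 32 <= ord(c) <= 126}
    if layout_dependent:
        warnings.append("layout-dependent characters: " + "".join(sorted(layout_dependent)))
    return warnings
```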

... how often should I change it?

Another consideration is that the longer the same password is in use, the more likely it is that someone obtains it in the meantime, whether by noticing it, by breaking it or otherwise. The password therefore needs to be changed once in a while, in a well-considered way. UWB has introduced the following mechanism:

  • The password must be changed every six months; the last five passwords used may not be reused.
  • After this time, warning emails start coming to the user, drawing attention to the fact that the password change is required. These emails come at given intervals for an additional two months. During this time, the user's account is fully operational.
  • If the password is not changed within 8 months (6 months validity + 2 months for change), the user's account is locked. You can then no longer use it to log in anywhere (Webmail, Portal, Orion stations ...); only the receipt and forwarding of incoming e-mail keeps working. However, for a further period of 4 months it is still possible to change the password in the standard way: the account is then automatically re-enabled and can be used again.
  • In the event that you don't change the password within 12 months (6 months validity + 2 months for change + 4 months to change it in the blocked account), you will not be able to change your password any more; your personal visit to the HelpDesk centre will be needed.

... how should I protect myself?

In the UWB environment, the password is the only thing that protects your electronic identity from misuse. The consequences of misuse of your password can be extensive: an attacker can redirect your scholarship payments to their bank account, change your personal information, register or cancel your exam dates and courses, write e-mails in your name, use your identity for illegal activities over the wireless network, etc. You are personally responsible for the security of your electronic identity; the blame for any such activity may therefore fall on you and not on the attacker. For this reason:

  • Never tell anyone your password.
  • Really, NEVER TELL ANYONE YOUR PASSWORD. Don’t “lend” your user account to friends, classmates or colleagues, do not say the password out loud, and do not respond to requests to reveal your password. Nobody, not even the staff of the CIV department, knows your password or has the right to know it.
  • Remember the password, do not write it down. Do not write it on pieces of paper, in electronic documents, in notes on your phone, in e-mails, etc. If you do need to write it down or store it, use one of the available password-management applications or services, such as KeePass.
  • If you log in on public or someone else's equipment, always make sure that you log out after finishing work and never leave the password stored anywhere.
  • Be careful when entering a password. Check that nobody is watching you when you type your password, do not enter a password on devices on which you suspect a virus infection, be attentive to suspicious changes to the hardware of publicly available workstations.
  • If you have the slightest suspicion that someone other than you knows your password, change it immediately. If you think someone is trying to get your password by attacks or by deceit, immediately contact the HelpDesk.

How to set or change the password

If the Orion system is forcing you to change your password, or you want to change it yourself, you have several options to achieve this.

Using the web interface

Web page used to change the password. Always make sure the address is correct and that the secured https protocol is in use!

If you know your old password and no more than 12 months have elapsed since the last password change, you can change your password on the web page heslo.zcu.cz, where you type your username, your old password and the new password twice. If you are already logged in, you only enter the new password twice. The change takes effect within 5 minutes. If a password change fails, you have probably made one of these errors:

  • The new password is too short: enter a password containing at least 8 characters.
  • The new password does not contain enough groups of characters: enter a password containing at least two groups of characters.
  • The new password was used previously: enter a completely new password.


Using a terminal under OS Unix/Linux

In the Unix/Linux environment (e.g. in the computer labs), use the program passwd. If you are on a Unix/Linux workstation whose passwd is the standard local one (not tied to Kerberos), use kpasswd (Kerberos passwd) instead.

$ passwd
Password for dobrota@ZCU.CZ: My.Old.Password,23
Enter new password: COMpletely,NewPassW0rD42
Enter it again: COMpletely,NewPassW0rD42

Using a terminal server

If you want to change your password via a Unix/Linux terminal but do not want to use an operating system supported by the CIV Department (Orion Linux), log in using ssh (ssh on Unix, or PuTTY on MS Windows) to the servers eryx.zcu.cz or satyr.zcu.cz and change your password there following the instructions above.

ssh eryx.zcu.cz
Password for dobrota@ZCU.CZ: Moje.Stare.Heslo,23
Last login: Thu Jun 24 16:03:38 2004 from toy.zcu.cz on pts/8
Last login: Thu Jun 24 16:03:38 2004 from toy.zcu.cz
Welcome to University of West Bohemia
Project ORION
Please, use command 'news' to read system news ( 4 items ).
---------------------------------------------------
Quota      Used    % Used     Partition
home    100000     35039        35%           19%
---------------------------------------------------
eryx1> passwd
Password for dobrota@ZCU.CZ: Moje.Stare.Heslo,23
Enter new password: Upln,EnOveHeslo42
Enter it again: Upln,EnOveHeslo42

When you fail to log in

If you, for any reason, fail to log in,

  • check whether you really are entering the correct password:
    • make sure you are not entering the old password shortly after a change,
    • that the keyboard has not been switched to another language,
    • that your fingers are on the right keys,
    • ...
  • If you are still unable to log in, please contact the HelpDesk and ask whether there is a problem with your account and how to proceed. It is possible that:
    • your password has expired,
    • you are no longer an employee/student of UWB,
    • your account is blocked because of a serious security incident.

Forgotten Password

If you have forgotten your old password, contact the HelpDesk. A new temporary password will be issued during a personal visit or by making a password change over the phone. Use the temporary password as soon as possible to set up a new password.

Personal visit to the HelpDesk

During a personal visit in working hours, the HelpDesk operators can restore your forgotten or non-functional password, reactivate an account blocked because the twelve-month period for changing the password has expired, or help solve other problems with your user account. Always bring an identity document, ideally your JIS card; otherwise no password reset or any other operation on your user account can be performed. If a friend, colleague, family member or other representative is to pick up your new password, you must provide them with an unverified (non-notarized) power of attorney.

Changing the password over the phone

If you do not want to or cannot come in person, you can use the password change service over the phone. This service must be enabled in advance by entering your phone number on the appropriate UWB Portal page. We highly recommend that you do so as soon as possible; when you are on a study stay on another continent and have just found out that you have forgotten your password, it is already too late. Changing the password over the phone works as follows:

  • Prepare your JIS Card and your Birth Number.
  • Call HelpDesk: +420 377 638 888 during the working hours. The operator will immediately call you back to a pre-specified number.
  • The operator will verify your identity by asking for selected digits of your Birth Number and the ID of the JIS card.
  • The operator will give you a temporary password; you will use it to log in and set a new password (through web heslo.zcu.cz).

Frequently Asked Questions

  1. I'm sure that I am entering the correct password, but I still cannot log in. What should I do?
    • Make sure you are not entering an older password, a password specified for another service or environment, that you have not reconfigured the keyboard language and the like. Try to change your password in case the original password has already expired. If you cannot solve the problem, contact the HelpDesk.
  2. I need to reset my password, but I cannot come in person. I have not activated the password change service over the phone. Will you send me a new password via email, SMS, a letter...?
    • No. We really won’t: our security policies prohibit transferring or changing passwords without authenticating the user in person or over the telephone. Do not ask our operators for this; they cannot grant it. You can resolve the situation by sending a representative with an unverified (non-notarized) power of attorney. You can avoid such a situation altogether by activating the telephone password-change service in good time.
  3. I do not use the university email account. How could I have known that I had to change my password?
    • Your duty is to follow the university email account. This obligation arises from the Statutes of UWB (Article 39, Section 3 and 4). The University email box is considered the official channel of communication; each employee and student is obliged to follow and use it for official communication with UWB. Messages sent to it are automatically considered received by the addressee.
  4. Are HelpDesk employees or other members of the CIV staff able to see my current password? May they get it somehow?
    • No. Account passwords are stored in a way that makes them technically impossible to read back, so even our employees cannot access them, regardless of their position or level of expertise.
  5. Your policy regarding passwords is bad: I do not want to change my password, I want to use a shorter and simpler password...
    • Thank you for your opinion, but our rules are set up to offer a reasonable level of security with the least possible reduction in the comfort of our users. If you feel that our policy is too hard, we advise you to read it again and try to understand the consequences that a theft of your electronic identity can have. If you want to discuss more about it, feel free to contact us.