Students Must Change E-Mail Passwords in Sept.

It may be crafty, creative and concise, but even the best password has a security shelf-life.

And out of concern over the security of e-mail, administrators are requiring that all e-mail users discard their current account password at 9 a.m. on Sept. 23.

Rick Osterberg '96, coordinator for Residential Computing, said the new policy will strengthen e-mail security.

"It gives individuals with malicious intent a step up," Osterberg said. "If you don't change your password in three years, you're a weak link in the security chain."

From drifters who log onto accounts that are left open when users fail to log out at public terminals, such as those in the Science Center, to hackers who continually test the system for quick ins, Osterberg said the pitfalls of just one user's compromising a password can snowball into major security concerns.

Dean of the College Harry R. Lewis '68 said that, if nothing else, students should change their passwords frequently to maintain the assurance of a secure system.

"The passwords issued to new students should be changed just to increase confidence that no one knows the password," he said in an e-mail yesterday.

The Harvard University e-mail system serves 18,000 users. Currently, not all students are required to provide personal information when they create an account.

But the new password policy will require users who log on after September 23 to provide their name, Harvard ID and date of birth.

"We're hoping this will not only increase security, but also help get rid of delinquent accounts," Osterberg said.

While Lewis called it "computer hygiene," for some, the new regime may mean messy problems.

Since the e-mail system on campus relies on several underlying systems, Osterberg said changing passwords en masse was impossible until now.

"We can make it happen in a way that won't disrupt people too much," Osterberg said. "We just want to make sure it becomes standard procedure."

But the system is still unable to verify a new password without the required personal identification. Those who did not provide it when they established an account will have to do so through HASCS.

Osterberg said he devoted a team of about 10 computer staff members to the "non-trivial project" of designing the new online password-changing system this summer.