Cornell's new password policy is 4NNoy1ng^10
So the whole law school thing is beginning to feel real finally. I went up to Ithaca this weekend and found this great little one bedroom apartment in a very convenient location on State - right next to a bus stop, actually. In fact, I've barely moved from where I was in undergrad; my landlord said his tenants do their laundry in the Valentine facility because it's so convenient. I'm hyped about having my own place. For the first time I'm living with just me, myself and I. No more roommates fussing about dirty dishes if I have a busy week. No more turning the TV volume way down low because the housemate is asleep. No more trying to get roommate permission if I want to have somebody come over. It's great!! And it's a partially furnished apartment; specifically there's a double bed which looks in pretty good shape. Since the bed was the most expensive piece of furniture (I'm dumping my current mattress in the trash on the way out - it was a freebie and isn't worth paying to move) I'm feeling pretty well set up. And the current tenant may be willing to part with his futon and coffee table cheap, I'm told, which would be great, since they are also fairly nice pieces.
I also went through the process of activating my net ID tonight. Cornell's done changed things quite a bit in the two years I've been gone. For instance, on-campus residences still have "free" internet access, but they are limited to 2 GB of traffic per month. And above that they bill you per MB. Ouch! I mean obviously they're trying to stop the trafficking of copyrighted material, which I can understand. Still, it seems like 2 GB is not that much . . . . even if you're downloading a lot of illegal stuff. But I don't really know. Stuff on the Cornell network, including email, is not included in that 2 GB.
In order to activate your netID you have to read through their policies, and take a little quiz at the end. Apparently Cornell owns their email infrastructure now, and they put out this spiel that they respect the rights of all individuals, but they also have to comply with the law, and while they will not monitor your traffic w/o reason, they also will not guarantee the privacy of whatever is on their system, including emails.
It was interesting though - you could tell that the policy probably had two main parties giving very vehement input about it: the lawyers and the tech guys. Or at least their university equivalents. Because the whole 2 GB thing, and Cornell's other warnings, is clearly aimed at curbing pirating. However, there is another section of the policy that basically makes failing to adequately secure your computer as bad an offense as pirating things. I can understand the logic in that - failing to adequately protect against viruses endangers the whole network, not just one dumb user.
Still, I think they took the adequately securing your system thing one step too far with their new netID password policy. The rules are something as follows:
** Must include at least 3 of the 4 following things: upper case, lower case, symbol, number, and be at least 8 characters long
** Must not have in any part of it your netID or ANY word which would appear in the dictionary
** Simple L33T (or however you spell that) substitutions are insufficient.
They suggest taking the first letters of the words in a line from a poem and then mixing it up for instance. Now, while I grant that many people are not as secure as they should be w/ their passwords, and that by adhering to the above rules it certainly seems like you would get pretty darn secure passwords, it seems a bit overboard. I mean, I had to type my password down in a file anyway, to make sure I could remember what it was after I set it! Now that's not particularly secure, is it?
And the simple l33t substitutions not working gets me too. As an example, I tried something similar to, oh, let's say "har3mRy&". And that was not secure enough. However, when I changed the word to something like h4r3m&ry, that was okay. ("Harem" btw. I'm not fluent in l33t - I don't think that's even how you spell it, actually; it looks wrong.)
I mean, okay, so you can write computer programs to count on the leet substitutions I guess . . . but I was just thinking yeesh, if I had read this policy as a freshman I think I would have been so intimidated I never would have touched a computer.
Anyway, I am very glad I'm not living on campus after all, because the whole 2GB thing really turns me off.
Sunday, June 26, 2005
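Added example, not part of the original post and not Cornell's actual checker: a small validator for the three rules quoted above, showing how a program can undo leet substitutions before the dictionary lookup. The word list, the substitution table and the netID `abc12` are constructed assumptions; because this sketch reverses every substitution in its table, it flags both of the approximate passwords mentioned in the post.

```python
# Constructed stand-in word list; a real checker would load a full dictionary.
WORDS = {"harem", "cornell", "password", "waters"}

# Assumed table of common single-character leet substitutions.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def char_classes(pw):
    """Count how many of the four classes (upper, lower, digit, symbol) appear."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)


def embedded_words(text, banned):
    """Return the banned words found anywhere inside text, case-insensitively."""
    low = text.lower()
    return sorted(w for w in banned if w in low)


def check_password(pw, netid, words=WORDS):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if char_classes(pw) < 3:
        problems.append("fewer than 3 of 4 character classes")
    banned = set(words) | {netid.lower()}
    plain = embedded_words(pw, banned)
    if plain:
        problems.append("contains word or netID: " + ", ".join(plain))
    # Undo leet substitutions and look again, so "h4r3m" is read as "harem".
    unleet = embedded_words(pw.lower().translate(LEET), banned)
    hidden = [w for w in unleet if w not in plain]
    if hidden:
        problems.append("leet-disguised word: " + ", ".join(hidden))
    return problems


if __name__ == "__main__":
    for candidate in ("har3mRy&", "h4r3m&ry", "FaC'sw,Wi'swob", "Cornell1"):
        print(candidate, "->", check_password(candidate, "abc12") or "ok")
```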
2 comments:
Passphrases are the new big thing. It really makes things easier if you think about it... just think of a phrase that you can readily associate with Cornell for your netid - or Google for your Gmail account. Example:
"Far above Cayuga's waters, With it's waves of blue" becomes FaC'sw,Wi'swob.
You have upper case, lower case and symbols and it's long.
It doesn't get memorized as easily. I like it when my passwords come to mind w/o me having to think "okay now F, then a, then C"
Incidentally the far above cayuga's waters thing was one of the examples they gave.