Passwords

UCAS passwords | Changing passwords | Known problems

UCAS passwords

UCAR Central Authentication Server (UCAS) Passwords are necessary to access some internal UCAR systems, but not for accessing the NCAR supercomputers and other resources that CISL manages.

Authorized personnel can request UCAS Passwords for users via the Admin tab in the UCAR People Search portal. If you already have an authentication token (a YubiKey token or a CRYPTOCard keypad), you can create or reset your own UCAS Password at https://kcreate.ucar.edu. You will be assigned a temporary passphrase, which you will then change at https://kpasswd.ucar.edu.

A strong password is the first line of defense for an individual computer user's account. This document provides the information you need to help keep your account and NCAR computers secure.

Good passwords should:

  • Be memorized
  • Be at least nine (9) characters long (longer is stronger)
  • Contain both upper-case and lower-case characters
  • Contain numbers
  • Contain other keyboard characters such as !, *, and @.

Good passwords do not contain:

  • A dictionary word in any language
  • Personally identifiable information such as a name, a login name, part of an email address, a phone number, a date of birth, a license plate, a Social Security number, or similar data
  • Any of the above spelled backwards
  • Any of the above with numbers exchanged for letters or vice versa
  • Any of the above with numbers or special characters appended or prepended

For example, the following are equally ineffective:

  • hello
  • 43110
  • HeLlO
  • olleh
  • hello!
  • ?hello?

Hackers are well aware of all these tricks and can easily break such passwords.

You can create a strong and memorable password—or passphrase—by building a phrase or sentence that is known only to you and using multiple words and both upper- and lower-case letters, with numbers and symbols. Longer is stronger. Many people find it easier to remember shocking nonsense phrases that they would never say aloud than to remember shorter acronyms.

Here are two non-shocking examples:

!D0lLaRb1ls*
!D0llarbi11sinmywa11et!

Note 1: Since the passwords shown here are in a public document, do not use any of them for your personal password.

Note 2: We avoided blanks and single quotes in the above passphrases because those two characters cause problems on some systems.
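The rules above can be turned into a checker. The following Python code is an added example, not UCAR's own tooling. The word list and look-alike table are constructed for illustration, the colon comes from the Known problems section, and the code tests whether the whole password reduces to a listed word rather than searching for words inside it.

```python
import itertools
import string

# Constructed mini word list; a real check loads full dictionaries and personal data.
WORDS = {"hello", "password", "dollar", "wallet"}

# Assumed look-alike table; "4" covers both "a" and the calculator-style "h".
LOOKALIKES = {"0": "o", "1": "il", "3": "e", "4": "ah", "5": "s", "7": "t", "@": "a", "$": "s"}

# Single quote and colon, plus any blank (a superset of trailing spaces).
PROBLEM_CHARS = "': "


def reduces_to_word(password, words=WORDS):
    """True if undoing case, look-alike, reversal and padding tricks gives a word."""
    lowered = password.lower()
    # Test the password as typed and with prepended/appended digits and symbols removed.
    for core in {lowered, lowered.strip(string.digits + string.punctuation)}:
        if not core or len(core) > max(map(len, words)):
            continue  # empty, or too long to be any listed word
        choices = [ch + LOOKALIKES.get(ch, "") for ch in core]
        for combo in itertools.product(*choices):
            candidate = "".join(combo)
            if candidate in words or candidate[::-1] in words:
                return True
    return False


def check_password(password, words=WORDS):
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    if len(password) < 9:
        problems.append("shorter than nine characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both upper-case and lower-case characters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a keyboard character such as ! * @")
    if any(c in PROBLEM_CHARS for c in password):
        problems.append("contains a single quote, colon or blank")
    if reduces_to_word(password, words):
        problems.append("is a disguised dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ["hello", "43110", "HeLlO", "olleh", "hello!", "?hello?"]:
        print(pw, "->", check_password(pw))
```

Each of the six ineffective examples above is reported as a disguised dictionary word, while the two sample passphrases pass every rule.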

Keep your passphrase private. Do not share it with anyone. Do not write it down where it can be found by others or identified as your passphrase for UCAR. If you find it absolutely necessary to write something down, do not write the phrase itself, but rather a hint that will remind only you of the passphrase. Do this on a card with no other information about where it applies, in case the card is stolen, and keep it safe. Good places are in a wallet or fireproof home safe.


Changing passwords

How do I change my password or passphrase?

The safest place to change your passphrase is on your UCAR workstation if you have one, or on the first UCAR host you normally log into.

If necessary, you can change your password on a central UCAR Kerberos familiarization host or web site.

I use a command line host as my workstation or as the first UCAR host I log into

To change your password on a UCAR command line host, you will run either of the following commands:

kpasswd
passwd -K

It will ask you for your old password, request the new one, and finally ask you to confirm the new one to avoid potential problems caused by typos.

If you are asked on a UCAR host for the old password for username@CIT.UCAR.EDU, username@MIT.EDU, or some other realm instead of UCAR.EDU, you can start over and specify UCAR this way: kpasswd username@UCAR.EDU.

If you are connecting from outside UCAR, or you do not know which of your division's hosts to use for the password change, you can ssh to our familiarization and password change system, kpasswd-ssh.ucar.edu. This replaces the old password.ucar.edu system formerly used for the same purpose.

Fingerprints
These are the ssh key fingerprints for kpasswd-ssh.ucar.edu, for use when you connect from a host that does not have a copy of the canonical UCAR ssh known hosts file:

1024 5a:15:e6:01:53:26:fc:46:3f:89:04:d6:20:0c:0d:d3 (DSA)
2048 8b:00:7a:98:ed:1b:e3:32:cd:09:eb:ba:f8:a9:e0:d3 (RSA)

 

I use a Mac on the UCAR LAN as my workstation

The easiest way is to run the Kerberos (Mac OS X 10.5) or Ticket Viewer (Mac OS X 10.6) applications your sysadmins may have made visible for you. It will ask you for your old password, request the new one, and finally ask you to confirm the new one to avoid potential problems caused by typos.

Otherwise, run the Terminal application, use it to log in to your normal divisional command line host or passwd.ucar.edu, and follow the command line host instructions above.

I use MS Windows on the UCAR LAN as my workstation

The easiest way is to run the Network Identity Manager or Leash application your sysadmins may have installed for you. Click on the password change button, or select the password change menu item. It will ask you for your old password, request the new one, and finally ask you to confirm the new one to avoid potential problems caused by typos.

Otherwise, run your ssh client (typically putty.exe or VanDyke Secure CRT), use it to log in to your normal divisional command line host or kpasswd.ucar.edu, and follow the command line host instructions above.

I use a web browser

If you do not have the ability to change your passphrase on your workstation or on a system you normally log in to, then you should use the https://kpasswd.ucar.edu/ web form to change your passphrase.

How do I log in?

Your UCAS Password login will continue to work in the same places as before. You'll just use the new UCAS Password you set or received in place of your old one.

The first time you use your password after creating or resetting it, you will need to change it to one that only you know.

I've forgotten my password. How do I reset it?

If you ever need or want to reset your password, and you have a UCAS token (a CRYPTOCard or YubiKey issued by UCAR), you can visit https://kreset.ucar.edu/ at any time, without having to wait.

If you do not have a UCAS token, you should contact your group's help desk or sysadmins for an assisted reset.

How do I take full advantage of Kerberos?

I use a command line host

After you authenticate and get your master ticket, Kerberos V uses secure service tickets to transparently log you in to additional resources. You should be aware of just four basic commands.

kinit
Start with this one. This is the command you use to authenticate and get your initial ticket. It is often called transparently by your login dialog box, your screen saver unlock, and the like.

kpasswd
This is the command you use to change your passphrase. (Some systems use passwd -K for the same job.) It is sometimes called transparently for you by kinit when your passphrase has expired.

klist
This is the command you use to list your tickets. You'll see your master Ticket Granting Ticket, and perhaps other service tickets for LDAP, ftp, and the like for resources Kerberos has transparently logged you in to use.

kdestroy
This is the command you use to remove your tickets when you're done with them. They'll expire on their own, but if you're finished for the day, it's a good idea to nuke them early. It is often called transparently when you log out from a system.

I use a Mac OS workstation

Run the Kerberos (Mac OS X 10.6) or Ticket Viewer (Mac OS X 10.6) application your sysadmins may have made visible to you. You can use this application to manage the Kerberos tickets used for login to Kerberized UCAR services.

I use an MS Windows workstation

Run the Network Identity Manager or Leash application your sysadmins may have installed for you. You can use this application to manage your Kerberos tickets, and cause them to be made available for login to Kerberized UCAR services.


Known problems

Some systems and web applications are prone to login failures if certain characters are used in passwords or passphrases.

Problem characters include:

  • single quote marks,
  • trailing spaces,
  • colons.

The simplest solution is to avoid using these when you create a password or passphrase.