After Jan. 1, SF State passwords will replace personal access codes (PACs) to strengthen identity verification, according to a member of the Division of Information Technology.
“PACs are a weak authentication mechanism,” said Mig Hofmann, DoIT information security officer. Hofmann said there have been a couple of incidents in which someone successfully guessed a student’s PAC and gained unauthorized access.
As a result of 2007 audit findings within the CSU, “we agreed to migrate away from use of the PAC to stronger mechanisms,” Hofmann said.
Hofmann added that the four-digit PAC was considered too short and subject to brute-force attacks, in which the code is determined “by doing exhaustive searches and guessing.”
“If a password is under seven characters, it is theoretically breakable given computing power today,” Hofmann said. “Passwords of at least seven characters have been the industry standard.”
The Red Flag Rule, issued by the Federal Trade Commission and applicable to many colleges and universities, also required greater effort to verify individual identity and prevent identity theft.
Frequently asked questions about the new passwords will be posted to the school’s Web site.
According to the FAQ, “although other enhanced authentication methods exist in the industry, they usually involve tokens [key fobs, smartcards, etc.] which were deemed too expensive to deploy given the current budget crisis.”
Instead, self-service reset questions were created to help verify identity, Hofmann said. The reset questions will not be a student’s new password; they will be used as a secondary response to help verify identity, and the actual password will be eight characters long.
A campus committee chose questions that it thought would be suitable for the student and faculty population. The set of questions was recently modified again so that the questions don’t change or decay as rapidly, Hofmann said.
According to Hofmann, reset questions predominantly ask about favorites because, like other preferences, they are highly memorable.
However, some questions had a high change rate, increasing the probability that a user would forget the answer.
One example was the favorite movie question. People who watch a lot of movies will likely have a fluctuating answer, she said.
“You want questions that are very stable over a person’s lifetime,” she said.
Hofmann said that many of the questions are based on favorites centered on one’s childhood, because that is when preferences are strongly formed.
The SF State Web site’s FAQ suggests picking questions that students have a unique response for and won’t post on Facebook or Myspace, for example.
Students have mixed reactions toward the shift.
“I’d rather just use what I always use,” said SF State junior Janet Perez. Perez said she was sent a new PAC when she forgot her original one. “It’s worked fine for two years now.”
“It seems like a pretty easy fix,” said fellow student Drew Valentine. “I would hate it if someone dropped one of my classes for me.”