Alert – Please change your Email Password

Recently, we sent out an email asking all of our users to change their passwords.

It is important to change your e-mail password if it is older, or if you use it anyplace other than your e-mail account. Even if you do not use it other places, please consider changing it to something more secure. We have had several incidents this year where users’ email passwords have been cracked and used, not to access their emails, but to access the email server and use that access to send out spam, resulting in delays and disruption for all our users.

How to change your email password

  1. Log into your email via the Daily Data webmail interface here. (Clicking will result in that link opening in a new tab.)
  2. Click on the Settings button in the upper right corner- look for the blue icon of a gear.
  3. You will see three columns- two smaller columns to the left and a large one to the right. Click on Account, which is the lowest option in the leftmost column. Then click on Change Password, which will be second option in the center column.
  4. The right hand column will contain three fields for you to enter your current password and your new password, repeating the new password to make sure it is typed correctly. Please look at the information below if you are not sure what a good password to change to is.

What is a good password?

An excellent password is one that is randomly generated, 20+ characters long, and contains all the keys on a keyboard. However, that is overkill for e-mail, and extremely difficult to remember.

Perfectly good passwords can be a series of random words, separated by spaces, or a period, or something. If the words are random (ie, not a well-known sentence like “The quick brown fox jumped over the moon”), this provides sufficient “randomness” (called entropy in encryption) that it is very difficult for a bad guy/girl to figure it out.

A guy name Bart Busschots created a web site that does just this at https://xkpasswd.net/s/. If you use the XKCD preset (ie, press the button that says XKCD), then press the “Generate 3 Passwords” button below, it will randomly select 4 words in such a way as to create a strong password, but also one you can remember with relatively little effort.

Is my password already known?

The black hats (bad guys/girls who try to crack into systems) actually have lists on the Dark Web of known passwords from places they have cracked into in the past. Many people tend to reuse passwords. Hackers break into large consumer sites (such as eBay, LinkedIn, Marriot Hotels, Yahoo, Target, and Home Depot) to gain lists of emails owned by consumers and associated with passwords that may be reused elsewhere.

One way to safely check if your password is already known is to visit http://unixservertech.com/pwned/pwned.html. This uses a setup built by Troy Hunt who collects as many of these Dark Web lists, then puts them in a format that we can use to check a password without telling anyone what password we are checking (details on that page).

Can I reuse a password?

See above- you can, but please don’t. If you visit Troy Hunt’s site (https://haveibeenpwned.com/), he lists some of the more recent breaches in web sites. It is estimated 10 billion accounts have been pwned (owned by the bad guys, ie they know everything in the account). So, using the same password for more than one place is a Very Bad idea.

However, it is a total pain to try to remember these passwords. People end up keeping a text file, or spreadsheet, which they have to look up. Or, they tell their web browser to remember the password for them.

There are several programs available to take care of this problem. Some of them will create random passwords, all unlocked by one master password. Daily Data offers NextCloud’s web based password repository program, but there are others specifically for Apple, iPhones, Android, Windows and Unix that let you have even more control. Some will even allow you to click on a link to automatically (almost) log you in, yet every site has a different, very hard to guess password.