Network Security: Preparing for Change and Helping Us Protect Your Privacy Online
online security breaches at large universities (fortunately not at
Penn) underscore once again the critical role of passwords and other
personal identifiers in securing online information. While the
University can ensure that the strongest possible security
technologies are in place, those of us who use Penn systems must be
aware of how our decisions and behaviors affect the security of our
own personal information as well as the University's online
environment. Adhering to sound security practices is always
important, and the additional system security now being implemented
and the new authentication system being introduced give us an
opportunity to refresh our own practices. The security
initiatives now being introduced are yet another step in Penn's
commitment to protect personal information, as outlined in the Task
Force on Privacy of Personal Information, chaired by Professor
Gerald Porter. The Task Force's report (Almanac,
April 17, 2001) reminded us that while the University has made
extraordinary progress in improving physical safety, similar efforts
must be extended to protecting the University community from
fraudulent activities online.
article in the July
16, 2002 issue of Almanac outlined in some detail
the security changes coming this fall. In the background, an
authentication technology known as Kerberos is being phased in on
many electronic services. In a fully Kerberized environment,
where all campus services take advantage of Kerberos, passwords
would never be transmitted across the network, even in encrypted
form, and users would sign in only once a day to perform
technology-based activities on the various systems they were
authorized to access, such as email, GRAM, or Penn InTouch.
Not all the user
and server software we use today can, however, take advantage of
Kerberos now. Indeed, this fall's initial implementation of
Kerberos is largely laying the foundation for the future. Some
optional Kerberized services (primarily email) will be offered this
fall, but most services will continue to use other secure
authentication technologies. These non-Kerberized services will
still require separate logons (no single sign-on yet), and
passwords for them will still be transmitted across the network in
strongly encrypted form.
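
The Kerberized sign-in described above, as an added Python example (not code from Penn or from any Kerberos distribution): the client sends only its name, and the reply can be opened only with a key derived locally from the password. The `KDC` class, `login` function, HMAC-based toy cipher, random salt and 24-hour ticket lifetime are assumptions made for illustration; the example models the initial sign-in exchange only, without pre-authentication or service tickets.

```python
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 24 * 3600  # assumed: one sign-in per day, as the article describes

def derive_key(password, salt):
    # Password -> long-term key. Computed locally on both sides; never sent.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Toy encrypt-then-MAC built from HMAC-SHA256 (stand-in for a real Kerberos enctype).
    ek, mk = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(ek, nonce, len(ct)))))

class KDC:
    def __init__(self):
        self.tgs_key = os.urandom(32)  # known only to the KDC
        self.users = {}                # principal -> (salt, long-term key)

    def register(self, principal, password):
        salt = os.urandom(16)
        self.users[principal] = (salt, derive_key(password, salt))

    def as_exchange(self, principal):
        # The request names the user only; the reply is readable only with the user's key.
        salt, user_key = self.users[principal]
        grant = {"session_key": os.urandom(32).hex(), "expires": time.time() + TICKET_LIFETIME}
        tgt = seal(self.tgs_key, dict(grant, principal=principal))
        return salt, seal(user_key, grant), tgt

def login(kdc, principal, password):
    wire = [principal.encode()]              # every byte string that crosses the network
    salt, reply, tgt = kdc.as_exchange(principal)
    wire += [salt, reply, tgt]
    session = unseal(derive_key(password, salt), reply)  # raises on a wrong password
    return session, tgt, wire
```

The `wire` list holds everything exchanged between client and KDC; neither the password nor the key derived from it appears in any of those messages, and the returned ticket is what lets later requests proceed without another password prompt until it expires.
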
change that will be visible to everyone will be the move from the
use of PennNet IDs and passwords to PennKeys and passwords. Your
PennKey will be your username in the Kerberos-based PennKey
authentication system, which will replace the PennNet ID (a.k.a. PAS
ID) system on October 14. A PennKey and associated password will be
required to access both Kerberized services as they become available
and the many web-based services that now require a PennNet ID and
password, such as GRAM and BEN Reports. In addition, Penn InTouch,
which currently requires a Personal Access Code for access, will
require a PennKey and password beginning October 14.
that currently don't use PennNet IDs and passwords will not be affected
by the switch to PennKeys immediately. BEN Financials, for example,
will continue to use the familiar BEN logon ID. You'll hear more
about which system will use which ID in the future, or you may consult
the table of application logon methods at www.upenn.edu/computing/pennkey/lsp/chart.html.
of Kerberized services won't translate into global change this
fall. Initially, Kerberized services, particularly email, will only
be offered as an option in many Schools and centers. You'll hear
more about these services from your Local Support Provider (LSP) as
they become available in your School or center.
The shift to
PennKey, on the other hand, will require that all faculty, staff,
and students register their PennKey and associated password online.
For uninterrupted access to online services switching from PennNet
ID to PennKey authentication, we encourage you to register between
September 30 and October 13, 2002, during the two-week PennKey
Priority Period immediately preceding the October 14 implementation
of the PennKey system.
registration procedure is straightforward, it's important to be
prepared before you go to the PennKey registration web site. If you
need advice or assistance, consult your LSP or College House ITA.
for a list of providers.
PennNet ID and password. You will need to enter them to
identify yourself to the PennKey registration system. If
you've forgotten your password, you can reset it by swiping
your PennCard at one of the campus PennNet ID swipe stations.
For information and locations, see www.upenn.edu/computing/help/doc/passport.
current password rules and be prepared to establish a new
password. See www.upenn.edu/computing/email/pswd_guide.html
for current password guidelines. Though you may reuse your
PennNet password as your PennKey password, a new password offers
the greatest amount of security. It's particularly important
to set a new password if you have used your PennNet password
elsewhere, on non-Penn systems, or have shared it with anyone.
Note too that password rules have become more stringent over the
years, and some passwords that work with the PennNet ID system
may not be accepted by the PennKey system. In such cases,
individuals will be forced to create new passwords.
you want to be able to reset your PennKey password should you
forget it. Resetting a forgotten PennKey password will
require obtaining a PIN and then resetting the password online.
When you register your PennKey, you'll be presented with
different options for obtaining a PIN and will be asked to
choose whether to participate in an online
"Challenge-Response" option, which will enable you to obtain
a PIN, online, without a wait. Otherwise you would obtain a PIN
by visiting a campus PIN administration office, or by calling
the PennKey PIN Request Line and having a PIN sent by U.S. Mail.
The Challenge-Response option will require that you answer three
personal information questions when you register your PennKey,
and later provide the correct answers online if you forget your
password. Challenge-Response would be a good choice for
frequent travelers, international students, or anyone likely to
forget their password. However, individuals who provide system
administration services for critical systems should not
participate in the Challenge-Response option.
change usage habits that may compromise your privacy. Think
of your PennKey password as analogous to the Personal
Identification Number (PIN) you use at an ATM machine. Just as
sharing your ATM PIN would give someone else access to your bank
balance, sharing your PennKey password would give them access to
grant financial information in GRAM or your GPA in Penn InTouch.
Indeed, when you share your password, you give others access to
everything your PennKey gives you access to, though you are still
responsible for anything they do in your stead. If you have been
sharing passwords in order to delegate tasks such as calendar
scheduling, responding to email, or grant administration, your
LSP can advise you on alternatives. Refer also to the
information at www.upenn.edu/computing/pennkey/lsp/noshare.html.
information about PennKey and Kerberos, check the PennKey web site
Information and assistance will also be available from Local Support
Providers and through various University and School channels. And
always keep in mind that online security is a balancing act. The
University continues to implement technologies that minimize risk,
but technology will never be perfect. We are all responsible for
following best practices in crafting our passwords and keeping them
Beck, Vice President Information Systems and Computing
do all those terms mean?
about all those ID-related terms that begin with "Penn"?
Here's what they mean.
Your University ID card showing your photo and PennCard Number.
You need your PennCard to
create a PennNet ID and password or to reset a
forgotten PennNet password at
a PennNet ID swipe station.
Number The three-part number on your PennCard. It takes the
123456 12345678 12
ID The middle 8-digit sequence of your PennCard Number. Penn IDs
NOT required in the PennKey
Your user name in the PennKey Authentication System.
Authentication System A new authentication system that will
PennNet ID, a.k.a. PAS,
authentication system on October 14, 2002.
A unique identifier that is the basis for user names in various
University systems. For
example, PennNet IDs, PennKeys, BEN Financials user
names, and usernames for many
Penn e-mail systems are based on PennNames.
[Note: Although an individual
would have the same PennName-based username for
each of these systems, the
associated passwords would be the same only if the
individual created the same
password for some or all of the systems.]
(a.k.a. PAS) ID Your user name in the PennNet Authentication
(PAS) Authentication System Penn's homegrown authentication
that will be replaced by the
PennKey authentication system on October 14, 2002.
ID Swipe Station Stations at various campus locations where you
bring your PennCard and use it
to create a PennNet ID and password or reset a forgotten
PennNet password. These swipe
stations will go out of service on October 14, 2002.
Locations are listed at
Almanac, Vol. 49, No. 3, September 10, 2002