As was mentioned in the last Information Security Awareness newsletter, we are implementing new password requirements for SUU accounts. The new requirements will be rolled out starting today, March 4th, through the Change Password portal app. This will be a gradual roll out as people’s existing passwords expire. There’s no need for everyone to go and change their password immediately. You can simply wait until your password would normally expire, and then when you select a new password, the new requirements will be applied.

The basics

  • As passwords expire, users must follow stricter password requirements
  • Longer passwords are more secure, resulting in a longer time between expirations
  • We expire passwords regularly because we’re protecting OTHER people’s data
  • Don’t use single words, repeating characters (wwwwwwwwwww), keyboard sequences (asdflkjh), or common phrases as your password

What are the new requirements?

  • Minimum password length: 10 characters
  • 10-15 character passwords: Expires in 6 months; 3 variants.
  • 16-19 character passwords: Expires in 1 year; 2 variants.
  • 20+ character passwords: Expires in 1.5 years, no variant requirements.

A variant is the type of character, which is either upper case, lower case, a number, or a symbol. Sometimes these are referred to as complexity types. Often a “complex” password requires at least 1 character in each of the 4 types. For us, the longer the password, the less “complex” it needs to be. What’s the best way of choosing a password?

Pick 3 or more random words and put them together. The key word is “random.” The words you choose shouldn’t have any previous relationship to one another. So titles of books, quotes, locations, or lyrics from songs aren’t good choices. Additionally, you should avoid using personal information such as the names of family members.

For example:

  • cat-pizza-volleyball

That’s a 20-character password and you get to keep it for 1 1/2 years! But make sure you choose your own password. That’s just an example.

Why longer passwords?

The answer is simply that the world we find ourselves in right now, as it relates to privacy and data theft, is very different than it was even a few years ago. The tactics used by the criminal element are ever evolving and becoming very sophisticated. Additionally, computer processing capabilities continue to increase at an incredible rate. Did you know the 8 character minimum password actually has its roots back in the 1980s? The US Government did some calculations based on processing speeds at the time, and determined an 8-character password was sufficiently resistant to password-cracking attacks for sensitive systems. Many organizations thought if it’s good enough for the government, then it’s good enough for us too, and thus adopted the same requirement. That was a great recommendation for the time, but here we are some 35 years later still using the same minimum requirement. It’s time for a change.

Why do we have to regularly change our passwords?

The IT Department has been asked on occasion why we make everyone change their password every 6 months, when our bank or other service provider doesn’t require a regular change. The answer to that question comes down to whose information is being protected behind that password. For your personal accounts (banks, credit cards, email, etc), it’s entirely your choice on how strongly you want to protect the information, because it’s YOUR information. However, when it comes to protecting University information, it’s no longer your personal information, but it’s OTHER people’s information.

Just because you don’t have to change your bank account password regularly, doesn’t mean that the bank employees aren’t changing theirs often.

We do realize that forcing password changes every 6 months can actually lead to weaker passwords, as people choose shorter passwords in order to remember them, and then just maybe increment a number at the end when they have to choose a new password. To help address this concern, the stronger your password, the longer you get to keep it. The IT Department always welcomes any feedback. If any of you have questions or concerns, just let us know. Thanks for helping us protect the information that has been entrusted to all of us.