The Password Security Improvement Project
Last update: 25 Aug., 2008 (djw)
Two changes are planned:
- Stronger passwords (implemented for all password changes on May 19, 2007)
- Periodic password changes (required by Dec. 31, 2008?)
FAQ
Why am I required to make up a stronger password? Why am I required to change my password periodically?
It is a best practice employed by a large number (if not the majority) of colleges and universities.
When and how often? How will I know it's time to change my password?
Can I change my password ahead of the deadline date?
Does everyone have the same deadline?
What is a good password?
Can I use a password similar to one I've used before?
Does the requirement apply to people who've updated to stronger passwords since May 19, 2007?
What if I've forgotten my password?
What services are affected?
- UVM Email (but not forwarding?)
- Cat's PAWS
- PeopleSoft
- Computer labs, including the library
- Files stored on zoo.uvm.edu and on Campus File Services (Active Directory CAMPUS domain)
- Login to your computer if it's "joined" to the CAMPUS domain
- Blackboard
- Jabber, UVM's chat (IM) service
- Web publishing (but pages already published will continue to be served)
- Submitting help requests with the Footprints system
- FAMIS, R25, webXtender, Hyperion, Info.Ed, other admin systems?
- Oracle Calendar
- Network Registration (current registrations continue to be valid until their usual expiration dates)?
- UVM software download
- Areas of the UVM web site protected by Network ID and password
- VPN for off-campus access and Cat's PAWS wireless
- UVM Portal
- Banner Student Information System (as of ______________)
- more?
What services are not affected?
- Admissions portal
- Banner student information system
- Paying your bill?
- CatCard?
What if I miss the deadline?
Publicity and Education Plan
- Email that doesn't look like phishing (same challenge as the NetReg email)
- What-and-why web page? Or put all info on the password change page(s) themselves?
- Timing of the message(s)
- September, October 1, November 1, December 1, several more times in December?
- Target just the accounts with passwords that have not been changed (don't spam those who have done it)
- Add a “To Do: Change your password before December 31” item to webmail.uvm.edu (and where else? PeopleSoft login page? MyUVM Portal?)
- Workshops?
- IT Newsletter
- ETS web news item
- Notices on popular web pages, like:
- Establish an easy URL, like password.uvm.edu?
- Add “if you missed the deadline” communications to www.uvm.edu/ets (which also flows to webmail.uvm.edu), PeopleSoft login page, MyUVM portal, and other appropriate communications locations.
Policy
Need to write and get approved? Part of the AUP?
Like the AUP, does it apply to all servers unless there are specific exception policies?
Other Schools
Google "university+required+password+change"
LSU ITS – Help Desk – Mandatory Periodic Password Change
This is a necessary step in securing the University's information resources and for compliance ... How will you know when a password change is required? ...
www.lsu.edu/its/html_pages/helpdesk/news/periodic_passchange.html
Required Password Changes - Office of Information Technologies ...
University computer users will have 30 days from the receipt of the first notification to change their NetID password. If you do not establish a new ...
oit.nd.edu/news/2005/passwords_09_15_05.shtml
more examples easy enough to find ...
ECAR case studies of security improvements -- some include password requirements:
Last modified August 25 2008 04:45 PM