The University of Vermont

The Password Security Improvement Project


Last update: 24 May, 2007 (djw)

Two changes:
  • Stronger passwords
  • Periodic password changes

FAQ

Why am I required to make up a stronger password?  Why am I required to change my password periodically?
It is a best practice employed by a large number (if not the majority) of colleges and universities.

When and how often?  How will I know it's time to change my password?

Can I change my password ahead of the deadline date?

Does everyone have the same deadline?

What is a good password?

What if I've forgotten my password?

What services are affected?
  • UVM Email (but not forwarding?)
  • Cat's PAWS
  • PeopleSoft
  • Computer labs, including the library
  • Files stored on zoo.uvm.edu and on Campus File Services (Active Directory CAMPUS domain)
  • Login to your computer if it's "joined" to the CAMPUS domain
  • WebCT
  • Jabber, UVM's chat (IM) service
  • Web publishing (but pages already published will continue to be served)
  • Submitting help requests with the Footprints system
  • FAMIS, R25, webXtender, Hyperion, Info.Ed, other admin systems?
  • Oracle Calendar
  • Network Registration (current registrations continue to be valid until their usual expiration dates)?
  • UVM software download
  • Areas of the UVM web site protected by Network ID and password
  • VPN for off-campus access (as well as Cat's PAWS wireless)
  • more?

What services are not affected?
  • Admissions portal
  • Banner student information system
  • Paying your bill?
  • CatCard?

What if I miss the deadline?

Publicity and Education Plan

  • Email that doesn't look like phishing (same challenge as the NetReg email)
  • What-and-why web page?  Or put all info on the password change page(s) themselves?
  • Timing of the message(s)
    • June, mid-August, several times in September?
    • Target just the accounts with passwords that have not been changed (don't spam those who have done it)
  • Workshops?
  • IT Newsletter
  • ETS web news item
  • Notices on popular web pages, like:
  • Establish an easy URL, like password.uvm.edu?


Policy

Need to write and get approved?  Part of the AUP? 

Like the AUP, does it apply to all servers unless there are specific exception policies? 

Other Schools

Google "university+required+password+change"

LSU ITS – Help Desk – Mandatory Periodic Password Change
This is a necessary step in securing the University's information resources and for compliance ... How will you know when a password change is required? ...
www.lsu.edu/its/html_pages/helpdesk/news/periodic_passchange.html

Required Password Changes - Office of Information Technologies ...
University computer users will have 30 days from the receipt of the first notification to change their NetID password. If you do not establish a new ...
oit.nd.edu/news/2005/passwords_09_15_05.shtml

more examples easy enough to find ...

ECAR case studies of security improvements -- some include password requirements:


Last modified May 24 2007 09:33 AM
