Changes to University Password Policy

Wouldn’t it be great if we didn’t have to use complex passwords anymore?  Often, there is no easy way to remember those passwords!

For the past eight years, students, faculty and staff at Western Illinois University have been using passwords that conform to a University Password Policy. Password policies around the world have often mandated that we use complex passwords consisting of uppercase and lowercase letters, numbers and special characters. Additionally, passwords have forced expiration dates, which requires people to change from one complex password to another on a frequent basis.

But wait… there’s good news!  The guy who invented all of those password rules almost 15 years ago now admits that he got it all wrong!

In June 2017, the National Institute of Standards and Technologies (NIST) released new Digital Identity Guidelines that turned the idea of what we considered to be a secure password on its head. The following points in this document are noteworthy:

  • Forget about composition rules! For example, passwords shouldn’t be required to contain at least 2 special characters, or have both upper- and lower-case letters.
  • No expiration dates! Passwords should not expire unless they are forgotten or potentially compromised. If you set a good password that you like, there is no need to unnecessarily change it after 120 days!
  • Passwords should be long! The longer, the better.

In a nutshell, these new NIST guidelines recommend that we think of passwords as phrases instead of complex words.  More appropriately, think of them as passphrases. Passphrases will be longer but they will be easier for you to remember.

University Technology proposed a new Password Policy based on the NIST guidelines in the fall of 2017.  It was subsequently presented at the January 2018 IT Governance Council meeting and approved by the IT Governance Council.  University Technology is now in the process of implementing these new NIST guidelines!  

There are some technical changes that we need to do behind the scenes to make these new changes work–such as properly encrypting passwords and ensuring that commonly used or compromised passwords are not allowed–but the end result will be that passwords will be easier for you to remember but harder for hackers to crack.

Be on the lookout for more information once an implementation date has been set!