Password changes to be required every 120 days
April 15, 2008
Last week, students were informed by e-mail they needed to change their password and it had to meet certain criteria.
There was a valid reason for these changes. According to Al Appenzeller, director of information services, everyone on Simpson College’s network, not just students, were required to change their passwords due to security reasons.
“Passwords should be changed on a regular basis to foil hackers who attempt to gain access to our network through an individual’s account,” Appenzeller said. “By changing your password on a regular basis, even if a hacker has cracked your password, they now are locked out and have to start all over.”
According to Appenzeller, users should change their passwords at least every 120 days. The requirements to change a password that often is typical of many highly-qualified networks.
“Requiring regular password changes discourages users from using the same password for multiple accounts,” Appenzeller said. “If you use the same password on multiple accounts once a hacker has your password they now have access to your Simpson account, your bank account, your credit card account, your student loan account, etc.”
Many students did not want to change their passwords and memorize a new one as they did not understand the purpose. The question was raised by several students as to why they needed to do this.
Freshmen Katelyn Teachout was one of those students who did not understand the purpose of changing her password.
“I did not want to change my password, due to my short term memory,” Teachout said. “My old password was just as good as my new one.”
According to Chuck Johnson, academic software specialist, changing one’s password is not nearly as difficult as people try to make it out as.
“Creating a complex password that is easily remembered isn’t as hard as some people think,” Johnson said. “There are several tricks that can be used. Birthdays, family member’s names, dates and numbers can be mixed to come up with an easily remembered password.”
One of the things several students were frustrated about was all of the qualifications they needed to have for their new passwords.
According to Kurt Gocken, PC and network adviser, there were several qualifications for the new passwords.
“It must be a minimum of six characters and a maximum of nine characters,” Gocken said. “It must be basically alpha-numeric–numbers, letters, and punctuations. It needs to be mixed case, at least one upper and one lower case letter. The key one is it can’t be similar to your name or an old password.”
According to Gocken, the reason that those are the qualifications goes back to the security purpose. If programs want to give you a virus, it is far more difficult to crack the code if a password follows those qualities.
“When what’s called a ‘group force program’ on a computer, tries to figure out a password, it runs through first a dictionary of words trying to guess the password, then it will run each letter,” Gocken said. “You need every combination including these complex requirements so it makes it much more difficult for a program to be able to get your password or a virus or something.”
According to Johnson, the other reason these qualifications are necessary is because that is what the network requires.
“Some guidelines passed down from the government and corporations that we have relationships with require password changes every so often,” Johnson said. “One act from the federal government recommends changing passwords every 60 days. It has been over a year ago that we required a password change. Setting password complexity criteria will make passwords not as easily guessable. If you were to just use a word that can be found in a dictionary, that password could be compromised quickly. With a more complex password, the password won’t be as easily broken.”
According to Appenzeller, students did not have too many difficulties changing their passwords, except for in a few rare cases.
“The majority of our users have been able to set their own passwords without encountering any problems,” Appenzeller said. “Most of the [students] that have had problems read the portal wrong and did not do the right requirements. We are trying to add a link to show up when students go to change their password so they can see the qualifications for their passwords.”
One of the students who had difficulties changing her password was freshmen Alicia Carlo. Carlo ran into many obstacles while changing her password and became aggravated.
“It was annoying, I had to call information services to get it figured out,” Carlo said. “I changed it and it wouldn’t let me get back in the next morning.”
According to Johnson, though some students are frustrated about having to change their passwords it is not uncommon to do so, and it is for the benefit of the students.
“Even though it is a pain to some folks, it was time to change passwords,” Johnson said. “From here on out, password changes will be forced by the system every 120 days [3 times per year].”
According to Gocken, if students did not change their passwords by the deadline, they will be denied access to essential programs.
“If students don’t change their passwords by Thursday and their passwords are older than 120 days, they won’t be able to log into clean access or their e-mail, lab computer or the portal,” Gocken said.
If a student finds that they are experiencing any of these difficulties they should contact information services and change their passwords immediately.