Bradley University

Frequently Asked Questions

Was this chosen arbitrarily?
No. These recommendations were published by the National Institute of Standards and Technology (NIST) in August 2017. As types of attacks, threats, and technology change, different ways to respond emerge. NIST has changed password recommendations through the years in response to these threat changes.

Will this make us less secure?
No. This will make us more secure. By checking passwords against a list of hashes of passwords that are known to have been compromised in breaches, we will have greater assurance that people are using secure passwords.

Why do I have to change my password?
The older a password is, the more likely it is to have been stolen or involved in a breach. Passwords are usually hashed before they are stored. Given enough time, a password can be guessed by comparing the hash of each guess against the stored hash.

What is a hash / hashing?
A hash is a one-way mathematical function, designed so that finding the original number from its output is impossible in practice. Passwords are almost always converted to numbers and hashed before they are stored. If you would like to read more, technical details are at https://en.wikipedia.org/wiki/Cryptographic_hash_function.

What do I need to do?
Test your password and try different passwords, including the password you might choose the next time you are required to change your password.

How do I test my passwords?
Use our password checker at https://password-checker.bradley.edu/.

How does the password checker work?
It hashes your password and checks it against a list of hashes of passwords that are known to have been compromised in breaches (e.g. LinkedIn, Yahoo!, etc.).
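
The following Python example is added here to illustrate this kind of check; it is not the code behind the password checker. It assumes SHA-1 digests kept as sorted fixed-width records (this page does not name the hash algorithm or storage format), and the function names and sample list are constructed for the example.

```python
import hashlib

DIGEST_LEN = 20  # SHA-1 digest size in bytes (assumed algorithm; the page names none)


def digest(password: str) -> bytes:
    """Hash the UTF-8 password; only this digest is compared, never the text."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def build_index(breached_passwords) -> bytes:
    """Pack the digests as sorted fixed-width records, like a sorted hash file."""
    return b"".join(sorted({digest(p) for p in breached_passwords}))


def is_compromised(password: str, index: bytes) -> bool:
    """Binary-search the packed records for the password's digest."""
    target = digest(password)
    lo, hi = 0, len(index) // DIGEST_LEN
    while lo < hi:
        mid = (lo + hi) // 2
        record = index[mid * DIGEST_LEN:(mid + 1) * DIGEST_LEN]
        if record == target:
            return True
        if record < target:
            lo = mid + 1
        else:
            hi = mid
    return False


# Constructed sample list standing in for a real breach corpus.
SAMPLE_BREACHED = ["123456", "password", "qwerty", "letmein", "iloveyou"]
INDEX = build_index(SAMPLE_BREACHED)

if __name__ == "__main__":
    for candidate in ["password", "Password", "tr0ub4dor staple kettle"]:
        found = is_compromised(candidate, INDEX)
        print(f"{candidate!r}: {'found in breach list' if found else 'not found'}")
```

Because the comparison is an exact match on the hash, "Password" passes against this sample list even though "password" does not; a variant is caught only when that variant is itself on the list.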

Do you save passwords or hashes entered in the password checker?
No.

How do I choose a good (secure) password?
The new recommended method is to use passphrases. We adopted the recommendations from the National Institute of Standards and Technology (NIST) password guidance of August 2017. This is now in our policy located at https://www.bradley.edu/sites/helpdesk/policies/60102.dot.

"...Use a phrase with multiple words that you can picture in your head. 

graceful elephant dance2
purple cabbage rabbit

So it's difficult to guess but easy to remember.

Give each account a unique passphrase.

A password manager can help."

Will you keep the list of known compromised passwords up to date?
Yes. The list was first published in August 2017 shortly after NIST published their recommendations. It has received a few updates, which we have kept current. This means that your password might pass the check now, but not pass the next time it is tried.

Who does this affect?
All faculty, staff, and students. The 365-day password expiration interval will not apply to anyone who falls under a more restrictive requirement (e.g. PCI). All staff who work with credit cards will still need to change their password every 90 days.

Who can I contact if I have problems?
The IT Service Desk can be contacted at (309) 677-2964.

January 20, 2019