Image of a password poster

Emory University implements new password policy; all passwords must be changed before Sept. 9

Image of a password poster
The password change poster you will soon see around campus.

Change is good. Especially when it comes to your Emory password.

Emory University is implementing a new password policy for everyone who has an active Emory University NetID and an email address ending in emory.edu. This new policy includes a requirement that all passwords must be changed at least every 365 days.

By Sept 9, 2015, those who must change their passwords include all returning students, faculty, staff, administration, alumni, retirees, and anyone who has a registered Emory University NetID to access Emory email, library resources, PeopleSoft applications, Blackboard, and other IT resources, unless they have changed them within the last year. If you can’t remember the last time you changed your password, it’s time to change it.

Emory Healthcare will implement a similar password change policy in the near future; those with emoryhealthcare.org accounts are asked to watch for email communications about its upcoming policy with instructions on the required password change. Those with dual accounts should change their University passwords now and their Healthcare passwords when advised to do so.

See: How do I change my Emory University NetID Password?

Incoming students who are receiving an Emory NetID for the first time will not have to change their passwords for a year.

Important reasons to update your password

The university is upgrading its password change policy to protect the Emory community.

“Sometimes, the reason why we’re requiring these password changes gets lost,” says Marc Overcash, interim enterprise chief information officer and senior vice provost for library services and digital scholarship at Emory. “We all need to do this to protect our information resources – our research, student information, intellectual property – and the first baseline defense around that is a strong password.”

“In addition, we need to meet the security requirements set by private and federal agencies, like the Department of Health and Human Services, so that we can assure these agencies that we have the appropriate level of controls in place to protect the research and discovery work that they sponsor,” he adds.

“And we need to protect the Emory community itself. Emory systems may contain sensitive personal or financial information about each of us, as an example. We want that information protected, and one key tactic to do that is to ensure everyone’s password is strong and changed frequently.”

Stay connected. Change your password today.

Prior to Sept. 9, members of the Emory University community can change their own passwords one of three ways: by following the steps on the Emory University password change page; by requesting help from their local IT support staff; or by calling the university IT support line at 404-727-7777 and asking a technician to step them through the process.

Password change icon
The official Emory password change logo.

On Sept. 9, those who have not changed their passwords within the last year will not be able to log in using their Emory credentials and will be unable to access most Emory IT resources (such as email, EmoryUnplugged, Blackboard, OPUS, PeopleSoft, etc.). They will need to work with local IT support or the central IT Service Desk to regain access.

Brad Sanford, Emory University chief information security officer, says the IT department wants to encourage individuals to change their passwords now and not wait until the deadline has expired.

“No one wants to get locked out of their laptop or be unable to access the network right at the moment they need it and have to wait in a long line to get help resetting their password,” Sanford says.

People often delay changing their passwords because they’re wary of being locked out while they’re making the change, Sanford says. This problem usually happens when users have configured an application to remember their password so that the application can automatically log them in on a device – for example, their email application on a tablet or smartphone.

Once every 365 days

Going forward, all those with an active Emory NetID will need to change their passwords every 365 days (more often for certain security or confidentiality-sensitive groups). The Emory IT system will send automated emails to those whose password is about to expire 28 days, 14 days, then every day the week before the password’s expiration date.

Having everyone in an organization complete a password change on a regular basis is considered a baseline security practice, Sanford says: “It ensures that a potentially compromised password has a shorter lifespan.”

In addition, it helps discourage password sharing, which is a violation of Emory University policy. “You’d have to reshare the new password, which makes you think about whether you want to share that information again,” Sanford says.

To protect your information and that of the Emory community, Sanford says the best advice is to “pick a good password and never share it. Probably more important than changing your password on a regular basis is choosing a good password – and not simply adding numbers to the end of it – and then never sharing it.”


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *