‘12 for 12’ password guidelines will be required for students

19 February 2019

Alex Dant


    New password requirements will be put into place for student, staff and faculty accounts on April 8. Passwords will be required to be 12 characters long and will have to be changed every 12 months.

    The Office of Information Technology (OIT) will require students to follow these guidelines, which were intended only for staff and faculty.

    According to Greg Williams, the director of OIT Operations, this decision was made because of the increased need to have a more secure password to protect accounts.

    “For faculty and staff, it was time to implement the longer passwords anyway. However, 10 characters nowadays isn’t enough, in our opinion,” said Williams.

    These improvements to account security were being made for faculty and staff already; it makes sense to incorporate students into that as well, according to Williams. Support exists for using longer passwords, rather than shorter, more complex ones, to increase security.

    “The longer the password is, the more security because of the [increased] time it takes for somebody to crack that password,” said Williams. “Even if you add one character, it increases the security exponentially.”

    Williams said that the math regarding the increased security helped make the decision to have requirements for a less complex but longer password.

    These requirements are the latest example of a change in how password security is typically conducted. According to the InfoSec Institute, the trend of creating a more complex password, which favors a shorter password with a mixture of special characters and punctuation, is slowly going away. The article explains that if the password is complex but short, it is still possible for a hacker to force their way into an account by using a password cracking tool.

    A graphics card, which is a printed circuit board that controls the output to a display screen, can potentially crack a short eight-character password in around five to 10 minutes. These cards can process a large number of inputs at once, meaning they can be used to crack a shorter password in a shorter amount of time.

    Even though lengthier passwords have been shown to matter more for security, the InfoSec Institute recommends that students creating a new password on April 8 consider using special characters and capitalization in order to add complexity to length.

    Williams also recommends, according to a Communique article, that students consider making the new password something like a “passphrase” with multiple words, or even a sentence. This potentially ensures that the password is easier to remember, but not easily guessed.

    One of the secondary concerns is that the password used for UCCS accounts should be different from the passwords used for other, less secure accounts.

    “If a hacker steals a password used for one account on a different website, they could potentially use that same password for plenty of other accounts that the student uses,” said Williams.  

    This could only work if the student uses one password for multiple accounts, which, according to Williams, is a trend discovered and discussed in a research publication published a few years ago. If the password for a UCCS account is different, then students are able to protect grades, records and other important information accessed within a student account.

    These changes go into effect in less than two months, so students are encouraged to think about their next password change early in order to ensure that it is secure.