The Board of Trustees’ auditor requirement to implement a regular password change process predates my arrival at YSU in May of 2012. (Changing your password on a regular basis remains the most fundamental means of maintaining network security.)
The University Policy 3356-4-09 – Acceptable Use of University Technology Resources (AUP) mandates the regular changing of passwords. Further, the AUP authorizes the Information Technology Security Manual* the authority to further detail the mandated password change requirements.
Almost all staff, faculty & students in public universities across the nation change their passwords on a regular basis. In most cases, more frequently that twice a year. Akron, for example is moving from twice a year to four times per year. (Our auditors wanted us to implement mandatory password changes 3 times a year.) YSU’s ITAC committee recommended changing passwords twice a year. This recommendation was accepted and authorized by the university administration in FY-14.
YSU is among the last, if not the last public university in the state of Ohio to require regular password changes.
The rules set forth at YSU are fairly standard best practices and minimal. It could be much much worse. A couple of universities are moving to phase-phrases of 45 or more characters. Others are considering sending a text message with a code to your smart phone to allow you to log in.
Such password changes requirements are rooted in the Graham-Leach-Bliley Act of 1999 and several other security focused legislative initiatives since 9/11.
