On Sept. 6, the office of the CIO (chief information officer) for Bradley University sent a campus-wide email announcing changes to the password change policy. The change allows students and employees to keep less complex passwords for longer periods of time.
The email explained that, effective immediately, BU netID passwords only need to be changed once a year and will not have complex case or special character requirements. Bradley has been promoting this change among staff and students throughout the summer.
Director of information security David Scuffham explained the policy change. According to Scuffham, it is based on new guidance on passwords from the National Institute of Standards from Aug. 2017. The new guidance directs that passwords be checked against a list of previously compromised passwords. Bradley’s information security program sought guidance from an expert and built a platform to implement the recommended changes.
“Attackers will take lists of dictionary words, guessed passwords and stolen passwords to conduct what’s called a credential stuffing attack,” Scuffham said. “This is where they try to sign in thousands, millions or billions of times trying different combinations of users with all of these different passwords. If someone has used a weak password or a password that has been compromised on another site, the attacker could then sign in as that user.”
Not only should the policy change improve safety for students and employees, but it should also prove easier for users.
“[The new passwords] are easier to remember because they do not need to be as complex, and they last longer between expirations. They are more secure, because weak and simple passwords that have been compromised previously are not allowed to be used,” Scuffham said. “It’s a way to guarantee that people are using better passwords. Everybody wins.”
The email sent from the office of the CIO suggests users try a “password phrase” to help remember the password. The accompanying FAQ page also answers questions, and a “password checker” link allows students to test their passwords.
“The main complaints we received from students and employees regarding passwords were that they had to change passwords too frequently or that the complexity of requiring numbers, capitals and special characters was too difficult,” said Scuffham.
While some confusion typically comes with technology changes, the office of the CIO is hopeful that this transition will be smooth.
“So far, feedback has been positive,” Scuffham said.




