Following the implementation of Multifactor Authentication (MFA), along with recent security trends regarding password policy, Connecticut College has made a few changes to the requirements for our users:
- Passwords now have a 12-character minimum
- Passwords now only expire after a full year, extending the previous timeline by 6 months
- Character complexity is no longer enforced, but is still allowed
The 12-character minimum encourages you to create “pass phrases” that are unique to you and your way of thinking. Consider it a “secret memory.” This is in line with the change in guidelines implemented by the National Institute of Standards and Technology (NIST) in June of 2017. NIST found that longer passwords are cryptographically tougher to break than shorter ones, regardless of the character complexity.
In addition, as FTC Chief Technologist Lorrie Cranor points out, research heavily suggests that the more frequently users are forced to change their password, the more likely they are to make only a slight modification. This makes their patterns predictable and leaves their accounts less secure in the end. We recommend creating a unique phrase that you can remember. You can even use spaces to separate words!
NOTE: To clarify the expiration further, your current password will expire 365 days from the last time you changed it. Consider the change an “extension” for each user.
Sources: https://www.wired.com/2016/03/want-safer-passwords-dont-change-often/, https://www.npr.org/sections/alltechconsidered/2017/08/14/543434808/forget-tough-passwords-new-guidelines-make-it-simple