Password Policy Changes
Password Policy Changes
Trying to keep up with all of your passwords for applications and websites is difficult. That’s especially true when you have to change your password frequently. Our Information Technology (IT) Department has come up with a solution that will make frequent password changes a thing of the past. Even better, it will make our systems more secure.
Upcoming changes to the password policy will allow you to pick one unique password that has at least 15 characters that you only use for your GUC account. You’ll never have to change it unless there is a security incident or your password is found to be compromised. There will also be annual audits to compare our passwords to a list of common/prohibited password patterns (like abc12345678910 or 1985ECUPirate) and a list of compromised passwords from known security breaches.
Having to change your password every 90 days was a good idea, but unfortunately, it encourages people to use simple passwords like the two examples above; passwords that are easy to figure out in a short period of time. A longer, unique password, even if it’s not complex, is more secure and harder for hackers to figure out.
“As recently as 2011, an eight-character password could take a month or more to crack,” said Tony Godwin, IT Infrastructure Manager. “Today, any eight-character password, no matter how complex, could be cracked in just a few hours. This makes short passwords very risky, especially if they’ve been used in other places that might have been compromised.”
Changing passwords regularly encourages you to use the same password in multiple apps and websites. So once a hacker gets your password in one place, like an online store database breach, they can try using it in other places, like in GUC’s system. Having to constantly come up with new passwords also encourages saving those passwords in spreadsheets or documents or even on sticky notes. That’s not secure at all and is not allowed.
“Hackers are constantly gathering up compromised passwords and using them in automated attacks against internet-connected devices,” said James Hoover, Systems Analyst II. “It’s an incredibly easy, low effort, and scalable way to get that initial foothold into a network or device. Updating our approach to passwords and rolling out multifactor authentication (MFA) goes a long way to mitigate this risk and helps our IT systems function safely and reliably.” (Read about MFA here.)
For administrators of our more sensitive systems (such as SCADA or the ID badge system), there will be a need for a 20-character password that must be randomly generated and also not used on any other system or site.
Our systems are critical to us for the safe operation of our utilities. And some of the information we hold is also critical to our customers. We have account information, social security numbers, and other sensitive data. We need to keep their information safe as well. Be on the lookout for more information from IT on the new password policy, which is scheduled to coincide with the multi-factor authentication (MFA) rollout.