Iowa State University

ITInformation Technology

Changes to Password Complexity Rules

This news item expired January 25, 2008. It may contain out-of-date information.
In 2004, in response to recommendations for Iowa State from the Auditor of the State of Iowa to the Board of Regents, changes were made to password complexity rules regarding acceptable lengths, mixture of character classes, and expiration policies. Since then technology advances have continued to drive changes in best practice in the area of security. Current thinking is that short passwords are no longer secure enough to protect access to university-managed systems.

Password complexity rules have been reviewed and some changes have been identified as feasible given today's environment. The changes are to require all new Net-ID and AccessPlus passwords to be at least eight characters long.

Accordingly, changes will be made on Tuesday, November 13, which will enforce a minimum eight-character limit whenever a Net-ID password is created or updated.

A similar change will be put into place for AccessPlus when system modifications supporting this update are completed. A date for this change has not yet been set. Since the AccessPlus password is usually the same as that used for ADIN/Passport, this update will affect those systems when it is implemented.

Note that these changes will not require anyone to change their password, but will enforce the new rules the next time a password update takes place.

To see how to reset passwords, see http://www.it.iastate.edu/faq/view.php?id=320.