UITS

Indiana University

Completed project: Mandatory passphrase expiration

Primary UITS contacts: Jacob Farmer and Scott Wilson

Completed: January 1, 2013

Overview

Indiana University will require individuals to maintain passphrases that are less than two years old. Starting in August 2012, the Central Authentication Service (CAS) will feature a note reminding users of pending passphrase expiration. In fall 2012, UITS will begin phasing in passphrase expiration, starting with the oldest. Passphrases not changed by the deadline will be considered expired.

Outcome

Passphrase expiration began in early fall 2012, and ran through the end of the fall 2012 semester. From this point forward, all passphrases older than two years must be changed.

Once a passphrase has expired, users will be unable to access sites that rely on CAS (e.g., OneStart, Oncourse, and PeopleSoft) until their passphrase is changed.

Note: At this time, the passphrase expiration is enforced by CAS only. Network IDs will be neither locked nor disabled. Users will still be able to authenticate to non-CAS services, such as workstations, email, and VPN.

For more, see "Why is my IU passphrase expiring?"

Frequently asked questions

  • Why do I have to change my passphrase?

    IU places the utmost importance on the safety and security of its information resources. Each individual who uses a Network ID passphrase helps to reduce the risk to that data, and eliminating insecure passwords and even old passphrases protects people against hacking and misuse of important data. See the "Benefits" section below.

  • How can I tell how old my passphrase is, or if my passphrase will expire soon?

    If your passphrase is approaching expiration, CAS (Central Authentication Service) will begin warning you several months in advance of the expiration date, indicating the number of days remaining. Changing your passphrase will reset the two-year clock.

  • Will I still receive IU email if my passphrase is expired?

    Yes.

  • The online passphrase change application requires CAS. Will I still be able to change my passphrase myself after it's expired?

    Yes.

  • What should I do if I have multiple devices on which I use my passphrase?

    You must ensure that your passphrase is updated on each device. See "What precautions should I take when changing my passphrase?"

  • What if I forget about a device? Will my ADS account keep locking out?

    Probably not. While you can only successfully authenticate to CAS and ADS services with your current passphrase, devices attempting to use your most recent previous passphrase will not cause your ADS account to become locked out. This applies only to your most recent previous passphrase, not all previous passphrases.

  • Is this just a one-time "clean-up" project, or is this a new permanent requirement?

    IU IT policy has always required users to safeguard information and IT resources by selecting strong passwords or passphrases and updating them regularly. Passphrase expirations will clarify that objective and ensure proper compliance. IU will continue to enforce a two-year passphrase age limit.

  • What about my group/departmental account? I use it to run services like applications or databases; will those be affected?

    No. Accounts will not be locked out, nor will they stop working. The only limitation is that the departmental username will not be able to authenticate using CAS until the passphrase is updated. This should give you plenty of time to plan updates to your services.

  • To whom may I direct specific questions about passphrases?

    The University Information Security Office will address any questions. Contact them at passphrase@iu.edu.

Project Timeline

  • March 1, 2012: Communications effort begins.
  • Mid-March 2012: InfoShares with LSP community and enterprise applications support staff.
  • Early August 2012: CAS enhanced to feature passphrase expiration reminders.
  • October 2012: Expiration begins, starting with oldest passphrases.
  • Late December 2012: Implementation complete. CAS will continue to enforce the passphrase age limit.

Benefits

IU accounts provide access to a wealth of valuable data, much of it sensitive and protected by policy or law, including but not limited to personally identifiable information, protected health information, and personal and institutional financial data. Eliminating insecure passwords and even old passphrases protects people against hacking and misuse of important data. Other benefits include:

  • The AMS Passphrase Change system (https://passphrase.iu.edu) allows users to reset their passphrases at any time.
  • LSPs can perform passphrase resets by obtaining access to Superpass.
  • Passphrases use natural language, making them much easier to type than traditional passwords. They can be simple, short sentences of five or six words with spaces.
  • Passphrases are both more secure and easier to remember than old-style passwords.

Related information

Client impact:

As noted above, passphrase expiration helps safeguard accounts against hacking and misuse, while protecting sensitive information. Failure to change passphrases by the deadline will result in lost access to CAS-authenticated services such as OneStart, Oncourse, and PeopleSoft. This will not impact access to services that do not use CAS.

Project team

  • University Information Policy Office
  • UITS Identity Management Systems
  • IT Communications Office