Questions About the University’s Password Change Policy

University IT Services is required to adhere to “good practices” in IT security. One such practice is requiring users to have “strong” passwords (that is, passwords that are not easily guessed or broken by hacking tools). The University’s password policy requires staff and administrators to change their passwords every 90 days and faculty and students to change their passwords every 180 days.

A recent mass mailing among a group of faculty has questioned this practice and requested more information about why the University has such a policy.  This is my response to the individuals who initiated this mass mailing:

The University’s current password policies are mandated by the Audit Committee of the University’s Board of Regents based on the recommended “good IT security practice” of the University’s external auditors.  This practice, along with the requirement to have a “strong” password, protects not only your email but other University systems, since your email ID and password provide access to a wide range of University systems, including Blackboard and Banner. These systems hold protected personally identifiable information including students’ academic and financial records. If you are having difficulty changing your password, please call the Technology Service Desk at 973-275-2222; they can assist you with your password change.

Stephen G. Landry, Ph.D., CIO