What to know about the password change policy
In many cases, a password is the only thing that prevents someone else from accessing your private information or impersonating you online. Here are a few things to know about Emory University’s password change requirement.
Password requirements
• Passwords must be changed at least once a year (more often if necessary).
• Passwords must be between nine and 30 characters in length.
• Passwords must contain at least two alphabetic characters (A-Z, a-z) and at least two non-alphabetic characters (spaces, numbers, punctuation, and/or special characters).
• Your NetID cannot be part of the password; no more than two consecutive characters can be identical; and the password cannot match any of the previous 24 passwords used with the account.
• Never use your Emory NetID and password for non-Emory sites.
• Never give your password to anyone, not even someone claiming to be an Emory IT staff member – not even if they ask. (Emory IT will never ask for your password.)
Tips to make your password change easier
• Gather all your devices together – laptops, smartphones, iPads or other tablets – at your desktop, and close all applications.
• Put your mobile devices in airplane mode or its equivalent. Your devices are constantly checking your login status and password, and this step will stop it from using your old password, which causes a login failure and lockout once you change to a new password.
• Delete web cookies – small files that store information such as your login name and password whenever you visit Internet sites – from the browsers on your computer and devices if you’ve enabled the function to save them.
Once you successfully complete the steps to change your Emory password (allow 15-30 minutes for the new password to become active across all network applications), remember to update your password in any places where you have saved it, including WiFi access to Emory Unplugged on your laptop and mobile devices.
Change is good. Especially when it comes to your Emory password.
Emory University is implementing a new password policy for everyone who has an active Emory University NetID and an email address ending in emory.edu. This new policy includes a requirement that all passwords must be changed at least every 365 days.
Those who must change their passwords by Sept. 9 include all returning students, faculty, staff, administration, alumni, retirees and anyone who has a registered Emory University NetID to access Emory email, library resources, PeopleSoft applications, Blackboard and other IT resources, unless they have changed them within the last year. If you can’t remember the last time you changed your password, it’s time to change it.
Emory Healthcare will implement a similar password change policy in the near future; those with emoryhealthcare.org accounts are asked to watch for email communications about its upcoming policy with instructions on the required password change. Those with dual accounts should change their University passwords now and their Healthcare passwords when advised to do so.
See: How do I change my Emory University NetID Password?
Incoming students who are receiving an Emory NetID for the first time will not have to change their passwords for a year.
Important reasons to update your password
The university is upgrading its password change policy to protect the Emory community.
“Sometimes, the reason why we’re requiring these password changes gets lost,” says Marc Overcash, interim enterprise chief information officer and senior vice provost for library services and digital scholarship at Emory. “We all need to do this to protect our information resources – our research, student information, intellectual property – and the first baseline defense around that is a strong password.”
“In addition, we need to meet the security requirements set by private and federal agencies, like the Department of Health and Human Services, so that we can assure these agencies that we have the appropriate level of controls in place to protect the research and discovery work that they sponsor,” he adds.
“And we need to protect the Emory community itself. Emory systems may contain sensitive personal or financial information about each of us, as an example. We want that information protected, and one key tactic to do that is to ensure everyone’s password is strong and changed frequently.”
Change passwords by Sept. 9 to stay connected
Prior to Sept. 9, members of the Emory University community can change their own passwords one of three ways: by following the steps on the Emory University password change page; by requesting help from their local IT support staff; or by calling the university IT support line at 404-727-7777 and asking a technician to help them through the process.
On Sept. 9, those who have not changed their passwords within the last year will not be able to log in using their Emory credentials and will be unable to access most Emory IT resources (such as email, EmoryUnplugged, Blackboard, OPUS, PeopleSoft, etc.). They will need to work with local IT support or the central IT Service Desk to regain access.
Brad Sanford, Emory University chief information security officer, says the IT department wants to encourage individuals to change their passwords now and not wait until the deadline has expired.
“No one wants to get locked out of their laptop or be unable to access the network right at the moment they need it and have to wait in a long line to get help resetting their password,” Sanford says.
People often delay changing their passwords because they’re wary of being locked out while they’re making the change, Sanford says. This problem usually happens when users have configured an application to remember their password so that the application can automatically log them in on a device – for example, their email application on a tablet or smartphone.
Once every 365 days
Going forward, all those with an active Emory NetID will need to change their passwords every 365 days (more often for certain security or confidentiality-sensitive groups). The Emory IT system will send automated emails to those whose password is about to expire 28 days, 14 days, then every day the week before the password’s expiration date.
Having everyone in an organization complete a password change on a regular basis is considered a baseline security practice, Sanford says: “It ensures that a potentially compromised password has a shorter lifespan.”
In addition, it helps discourage password sharing, which is a violation of Emory University policy. “You’d have to re-share the new password, which makes you think about whether you want to share that information again,” Sanford says.
To protect your information and that of the Emory community, Sanford says the best advice is to “pick a good password and never share it. Probably more important than changing your password on a regular basis is choosing a good password – and not simply adding numbers to the end of it – and then never sharing it.”
