New annual password change requirement for faculty and staff
As part of ongoing efforts to improve data security, Ohio University has established a new annual password change requirement for employees. Password expirations will be phased in gradually over the next several months. To minimize the impact of this change, faculty will not be required to change outdated passwords during high demand times like the start and end of a semester.
What to expect
You will receive a full month's notice before you need to change an outdated password. Thirty days before your password expires, the University's login page will start reminding you that you need to change your password. At the end of the 30-day notification period, you will be required to change your password.
OIT will not publish a detailed schedule for password expirations because cyber attackers could use that schedule to trick employees into giving their passwords away. For example, if a scammer knows that someone's password is going to expire during a specific week or month, he or she could include that date in a phishing email to make the scam sound more convincing.
No email notices
You will not receive any email notices about this change. In fact, OIT will never use email to communicate with you about a password or account issue, because doing so would give legitimacy to many common email scams. If you receive a message that asks you to click a link or button to change or update your password, that message is a scam and should be forwarded to security@ohio.edu.
Reason for the change
This approach aligns with current information security best practices and reflects the added risk that a compromised faculty or staff account presents to the University. According to University Credentials Policy 91.004, “the level of rigor and complexity requirements that are applied to ensuring the security of the credentials will be in line with the risk which a compromise of that account would present to the university or its community.”
Because faculty and staff often have access to protected information like FERPA or HIPAA data, we must take appropriate steps to protect that data. This includes regular password changes. If you have any questions, please contact the IT Service Desk.