Changes have been made to Carleton’s password policy requiring all staff and faculty to change their passwords every 120 days.
Please Reset Your Password Before it Expires
In December, all professional services staff and faculty were required to change their passwords for security purposes. These passwords will expire 120 days from the date they were changed (early April for many people).
You will receive an automated password expiry notification approximately one week in advance of the expiry date. Information Technology Services (ITS) is encouraging staff and faculty to change their passwords prior to this, at their convenience.
Why the Changes in Policy?
In 2010 Carleton implemented an identity and access management system, MyCarletonOne, to manage passwords and access to services. When the system was introduced, a mandatory password change policy for ITS, HR, Registrar’s Office, and the Finance/Business Office was implemented. The requirement was for administrative staff in those departments to change their MyCarletonOne passwords once every 120 days.
In 2015, the Senior Management Committee (SMC) discussed Carleton’s Password Policy and expressed concern that only a few departments were required to change passwords.
The need for a stronger password policy was further validated this past November by an attempt by an external group or individual to hack into the IT network. As well, there have been several recent incidents of account information on popular websites being compromised. Hundreds of Carleton email addresses were used as the login credentials, and it is very common for passwords to be reused. This type of exposure puts Carleton’s information assets at risk.
The password policy was updated to include mandatory password changes and approved by the SMC.
Protecting Carleton’s Information Assets
Passwords are a critical part of information and network security at Carleton University. Poorly chosen passwords, if compromised, may result in unauthorized disclosure, modification or destruction of University information assets. To mitigate this risk, unique user accounts with strong, secure passwords are required at all times.
As per the Password Policy, all users are required to protect their user credentials from disclosure to unauthorized individuals and to report any suspicious behaviour or suspected compromise of their user account to ITS or their respective IT support team.