Quinnipiac introduced a new policy Feb. 1, requiring students to change their MyQ password every 180 days to keep up with university audit requirements.
After three years of drafting, Information Security Officer Brian Kelly completed the “Password Policy.” The policy was passed by the Quinnipiac President’s Cabinet and Faculty Senate on July 1, 2009. Two and a half years later, the policy was implemented.
The network hosts 8,000 users and about 20,000 devices in total with approximately three computers, cell phones or tablets per person, according to Kelly. With the student body continuing to grow, Kelly, who has been at the university since 2006, saw the necessity of instituting a way to protect campus accounts.
“I was new to QU and so was having a password policy,” Kelly said. “It took time to make sure the policy went through the proper approval process. We should’ve been changing passwords to begin with.”
In the first few weeks of the semester, groups of students were randomly chosen to have a time limit placed on their accounts to change their passwords, Kelly said. If the students did not update their password within 14 days, their account would be locked. To get back in, they must create a new password. Once they change their passwords, they have a 180-day grace period before having to repeat the same steps.
“I think it’s just another thing for students to complain about,” freshman Aleczander Farquharson said. “It’s not really a big deal, but it’s the combination of all the little things that really affects the students and gets on their nerves.”
One benefit of this change is a smaller window of time in which a user’s account can get hacked, given that the user recently changed his or her password due to the new policy, Kelly said.
“I don’t see a huge problem with it,” sophomore Jordan Paolucci said. “I mean, it’s annoying to change the password every six months, but I’ll probably end up just switching between two passwords the whole time. At least we know our email security is on par.”
The “Password Policy” has been on Kelly’s “hot list” for over a year. New passwords must contain upper and lower case letters as well as a numeral. Students also have the option of adding a special character. Another safety feature is that the passwords will expire, ensuring that users will change and protect their account credentials every 180 days.
“It is honestly an annoying process, but I understand in the end the policy is in place for the students and faculty’s well-being,” junior Alexandra Kidman said.
Another benefit of this new policy will be less exposure to phishing: links sent from alias email addresses that take the form of popular ones, such as university emails and Amazon.com. These attacks prompt the email recipients to click the link, which the senders hope will give them access to the recipients’ private accounts.
Phishing is one of Kelly’s main concerns. Kelly said that when it comes to the Quinnipiac community, students are not apprehensive about clicking links. This “reinforces what I was worried about, folks aren’t reading,” Kelly said. “They’re just clicking that link and that’s what the bad guys rely on.”
Kelly expects all students will have to change their passwords by the end of the month.