Starting this week, Western’s Information and Technology Services (ITS) is pushing members of the university community who have not changed their official university password in five years or more to do so as soon as possible.
“Cyber-security threats are escalating in both frequency and sophistication. Universities, in particular, are being targeted by malicious actors intent on gathering user account and password information through phishing and other malware attacks,” said Jeff Grieve, ITS Executive Director. “To limit the effectiveness of these attacks, we are asking members of the university community to change their passwords on a regular basis.”
Currently, the university has nearly 1,900 passwords that have not been changed in more than 10 years, and another 8,000 that have not been changed between 5-10 years.
“And many of those passwords do not conform to our rigorous password policy,” Grieve explained. “So they are becoming compromised at alarming rates.”
The Western Password Policy requires passwords that are difficult, but not impossible, to crack. The more complex the password, the more difficult it is to guess, Grieve said. This will normally deter any attempts to crack the password because it is too difficult or too time-consuming.
This week, Western community members should have received an email from ITS outlining the change process. To confirm this email is legitimate, check the official ITS email website, uwo.ca/its/email/account/official_account_emails_from_its.
In addition to meeting with deans and vice-presidents, seeking their help ensuring passwords get changed, ITS staff is working with technical staff in faculties and units – known as TUMS (IT Users Managers and Support Staff) – to assist staff members in changing their passwords.
“The support for this effort has been over-whelming,” Grieve said. “People appreciate the damage caused by identity theft as reported in the news.”
Starting this week, ITS and TUMS will be initiating a systematic review of user accounts with old passwords.
“We are working through a list of 10,000 users affected by this and we are addressing a certain amount each week,” said Jeff Gardiner, Central Information Security Officer. “If a user changes their password themselves, or with the help of their support staff, the list gets smaller. We’ll keep going until there are no passwords older than five years.”
An official notification will be issued from ITS to these account holders requesting them to change their password through the ITS Computer Accounts Office within a 28-day notice period. Two follow-up reminders will also be sent – the first after 14 days have passed, the second with 48 hours before ITS will need to take action.
If no action has been taken to change the password at that time, ITS will disable the user account until the individual can contact the Computer Accounts Office to process the password change.
A password change need not be daunting, Gardiner assured. Western community members should visit the Western Identity Manager website, idm.uwo.ca, to update their information.
There are a number of programs, freely available on the Internet, used to systematically guess passwords. Statistically, by using longer passwords (e.g. eight characters instead of six) and a greater variety of characters (e.g. upper- and lower-case letters, numeric values, special characters, etc.), you can extend the time it would take for computer-generated guessing attempts to crack your password from minutes to years.
“By updating your passwords, you will be doing your part to not only protect your own account and information, but also the university’s systems a whole,” Gardiner said.
* * *
The Western Password Policy, overseen by Information and Technology Services (ITS), is intended to enforce passwords which are more difficult for the hacker community to crack or decode. Although you can change the password yourself, it must adhere to a number of conditions.
- Be at least eight characters long;
- Contain at least one upper-case and one lower-case letter;
- Contain at least one number;
- Contain at least one special character (punctuation, mathematical signs, etc.);
- Not repeat a letter more than three time; and
- Contain no more than two sequential numbers in a row.
Passwords must not contain:
- Any of your five previous passwords for the account;
- A less-than symbol (<);
- A greater-than symbol (>); or
- Your first middle and/or last name.
Visit uwo.ca/its/ for details.