Mandatory password resets will feature in a suite of account security changes by ANU in the coming years. The password reset will initially be annual, with a goal to eventually require three-monthly resets.
Password expiry will apply to “all staff, students and users of ANU systems”, according to ANU’s Associate Director of Infrastructure Services Helen Clarke. Students and staff will be required to choose a new password annually, beginning in the next year, but ANU has a “target” of requiring password resets every three months. Clarke said the University has no specific timeline for this implementation, stating it will occur “at a future point” decided by the University Identity Governance Committee. The overhaul will also see the introduction of “secret questions” for password resets.
Expiring passwords are considered poor security practice by the US National Institute of Standards and Technology – widely considered to be the leading authority on cybersecurity. Frequently changing passwords can lead, they say, to individuals choosing simpler passwords, writing passwords down, or otherwise being less secure due to increased difficulty remembering passwords. Clarke, in response, said the ANU’s decision to adopt password expiry was based on advice from the Australian Signals Directorate, which advises the Australian Government on password management and standards, and advises a three-monthly expiry period, along with requiring special characters, capitals and numbers for all passwords.