The front desk of the Information Technology department on the third floor of the Holcomb building. Photo by Jessica Lee.
SORELL GROW | STAFF REPORTER | firstname.lastname@example.org
The Butler University Information Technology department removed the requirement for all Butler student and faculty accounts to change their passwords every 180 days.
The policy is commonly practiced and believed to be effective at institutions and organizations around the United States. The requirement would help the security of Butler accounts.
IT changed the policy due to a recent publication on password management from the National Institute of Standards and Technology. The report stated changing a password often does not necessarily improve information security.
Information systems analyst Zach Skidmore of Butler’s IT department was involved with the policy change. Skidmore has been working at Butler for more than 14 years.
“There’s always been a lot of pain and strife around password expiration,” Skidmore said.
Butler is among many other institutions, including the United States government, that use NIST as a guide for information technology and data security.
“If the government’s okay with this, then it is certainly something to consider for our own organization,” Skidmore said.
Despite NIST’s publication, not everyone is in favor of the Butler IT policy change. Mason Rinks, sophomore management information systems and accounting major, does not agree with the change.
“Taking a week to learn a new password is worth not having a lifetime of someone impersonating you online,” Rinks said. “Every half a year, having to change your password is not too big of a hassle.”
Leo Martin, sophomore computer science and finance double major, opposes Rink’s opinion about the password policy.
“I looked into that [NIST] report and frankly the results are not surprising,” Martin said. “If a skilled hacker truly wants access to your account, they will find a way to get your password one way or another. The last time you changed it is pretty irrelevant to them.”
According to NIST’s publication, there is no real benefit or improvement in account security when passwords are changed every certain period of time.
“Based on a password strength test I ran, it would take about 5 million years to correctly guess a password created using the minimum standards Butler IT requires,” Martin said.
More and more cybersecurity breaches, like the recent Equifax breach, steal large batches of information and passwords all at once, Martin said.
Hackers try to use software to check every possible password combination or, “brute force,” their way into an account. If this were to happen at Butler, IT would notice and lock the accounts immediately.
The majority of the institutions that follow NIST’s guidelines saw no real benefits with the 180-day password policy.
Rinks was aware of NIST’s change in guidelines, but said he still thinks the password policy should stay the same.
“If you’re lowering your security standards, you’re probably going to have a negative impact,” Rinks said.
The 180-day password expiration has been in place since before Skidmoore began as a first-year student at Butler more than 14 years ago.
During that time, Butler accounts have been compromised and hacked on occasion.
“It’s sort of a natural order of things when you have an organization with this many users,” Skidmore said. “At any given point in time there’s always that possibility and it’s something that every organization, including Butler, has had to manage.”
Although it is too early to tell if the removal of password expiration has been effective in maintaining the security of Butler’s student and faculty accounts, Skidmore said IT has been seeing better user experience and improvements in operational costs.
The majority of problems brought to the IT Help Desk are password-related. Now that users can keep the same password for as long as they would like, a burden has been lifted from IT staff members’ shoulders, Skidmore said.
“The new system will be a big hit with students I am sure,” Martin said. “The password requirements are very specific, so memorizing only one password for your entire time as a student will be much appreciated.”
The IT department plans to keep monitoring the new change to determine the effectiveness in maintaining the security of student and faculty information.