To better align with current security recommendations from the National Institute of Standards and Technology (NIST), IT Services is updating its password policy for all IT Services managed applications, systems and websites. There are two main components of this change:
- This change will eliminate password expiration. Users will no longer be required to change their passwords every 180 days.
- This change will increase the required minimum password length from 8 characters to 16 characters.
IT Services will begin implementing this policy change on Wednesday, March 8. The implementation will be fully deployed, and all end users transitioned to the policy, over one full 180-day expiration cycle. No action will be required on the start date. All current passwords will continue to work. You can simply wait until your current password reaches its expiration and you will be required to provide a new minimum 16-character password. IT Services may require you to change your password in the future if it has been detected as compromised.
Password guidance
Having trouble building your next password? Here are some helpful tips.
Make sure your passwords are long and complex
The more characters your password contains the better. Don’t just stop at the bare minimum. Marquette systems support up to 40 characters in your password.
Passphrases are typically a better choice than passwords. In addition to being long and complex, they are more memorable and easier to type than complex 8-character passwords.
| Action | Password | Strength relative to a basic password (ltSl2hs!) |
| Pick something meaningful | Itshelpsstudents | Same (roughly) |
| Increase the length | itslovestohelpstudents | Good |
| Add capitals for complexity | ITSlovestohelpstudents | Good |
| Swap in a number for additional complexity | ITSloves2helpstudents | Better |
| Add punctuation for even more complexity | ITSloves2helpstudents! | Better |
| Add spaces for normal sentence structure and natural typing | ITS loves 2 help students! | Best |
Make Your Password Hard to Guess
Hackers use content from social websites, compromised password lists, movie scripts, songs, etc., so avoid nicknames, pet names, birthdays, anniversaries, and other things that can be found about you on social websites. Avoid famous quotations and predictable keyboard sequences.
Don’t just add numbers or substitute special characters for letters – attackers have password guessing that check for these combinations.
Make Your Password Unique
Do not re-use your passwords on different sites. Attackers will reference hacked password lists to access your email, social media, bank, and Marquette accounts. Your Marquette password should only be used for Marquette University systems.
Use a password manager. If you are having trouble remembering your unique passwords, IT Services recommends using a password manager to store and secure your passwords. Most major browsers now have password managers, and several commercial sites offer password management services.
If you have questions about the changes to our password policy, or if you want to report suspicious activities to IT, contact security@marquette.edu.
