Every week, between 3 and 20 username/password pairs are found to be compromised on ISU's campus. Phishing messages and credential reuse are frequently to blame. Once ISU implements two-factor authentication, a stolen password alone will no longer be enough to log in, and this problem should largely disappear. However, two-factor authentication is still some time away, and the threat from compromised credentials is a reality now.
Consequently, LAS IT is recommending that everyone change their passwords at least once a year. Several users have passwords that are two, three, four...up to 16 years old. (Those passwords could get an Iowa driver's license!) For anyone with a password over four years old, we believe a password change is urgent and should be carried out before the end of this term. For everyone else, we recommend a password change sometime before the end of the first full month of Fall classes.
Putting four years in perspective: if only one person each weekday (Monday through Friday) was present when you typed your password, at the end of four years there have been over 1000 chances for someone to learn it. One thousand chances that someone could pick up a few characters that might give them access to grades, research, or other potentially confidential material. This is a conservative estimate; many of us type our password in other people's presence a dozen times a day. Add to this password collection by insecure services and the occasional accidental entry of a password into a non-password field (a username box, a chat window), and the need for occasional password changes becomes apparent.
Password changing procedures are outlined for Apple OS X and Microsoft Windows below; however, before diving in, please review the following password security guidelines:
Passwords must be 8 to 127 characters long and contain at least two of the following classes of characters: lowercase letters, uppercase letters, numbers, and punctuation.
Do not use your Iowa State password for non-ISU sites and services (Netflix, Twitter, etc.). Doing so allows a compromise of a non-ISU site to in turn compromise the university. If you are feeling overwhelmed by passwords, talk to your local IT support about password management solutions (LastPass, Dashlane, 1Password, RoboForm, KeePass, etc.).
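As an added illustration (this is not LAS IT's code or tooling), the length and character-class rule above and the rotation schedule from the opening paragraphs, written out as a small Python check. The four character classes are taken literally as ASCII lowercase, uppercase, digits and punctuation; how ISU's real system treats spaces or non-ASCII letters is not stated on this page, so the checker reports them as "other" and does not count them toward the two-class requirement. The sample passwords and dates are constructed for the example.

```python
"""Policy checks for an ISU-style NetID password, as stated in the notice.

Added illustration, not LAS IT's code. Assumption: the four character classes
are ASCII lowercase, uppercase, digits and punctuation. The page does not say
how spaces or non-ASCII letters are handled, so they are tagged "other" here
and do not count toward the two-class rule.
"""
from datetime import date
import string

MIN_LEN, MAX_LEN = 8, 127      # "8 to 127 characters long"
REQUIRED_CLASSES = 2           # "at least two of the following classes"
URGENT_AGE_YEARS = 4           # over four years old: change before the end of this term
DUE_AGE_YEARS = 1              # everyone else: change at least once a year


def character_classes(password: str) -> set:
    """Return the set of policy classes present in `password`.

    Characters outside the four named classes (space, accented letters,
    emoji) are tagged "other" so the caller can decide how to treat them.
    """
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return classes


def check_password(password: str) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    n = len(password)
    if n < MIN_LEN:
        problems.append(f"too short: {n} characters, minimum is {MIN_LEN}")
    if n > MAX_LEN:
        problems.append(f"too long: {n} characters, maximum is {MAX_LEN}")
    counted = character_classes(password) - {"other"}   # "other" does not count
    if len(counted) < REQUIRED_CLASSES:
        problems.append(
            f"uses {len(counted)} character class(es) {sorted(counted)}, "
            f"at least {REQUIRED_CLASSES} required"
        )
    return problems


def whole_years_between(then: date, today: date) -> int:
    """Completed years from `then` to `today`, so a password changed exactly
    four years ago counts as four years old."""
    years = today.year - then.year
    if (today.month, today.day) < (then.month, then.day):
        years -= 1
    return years


def rotation_status(last_changed_iso: str, today_iso: str) -> str:
    """Apply the notice's schedule to ISO dates (YYYY-MM-DD):
    four or more years -> "urgent", one or more years -> "due", otherwise "ok"."""
    age = whole_years_between(date.fromisoformat(last_changed_iso),
                              date.fromisoformat(today_iso))
    if age >= URGENT_AGE_YEARS:
        return "urgent"
    if age >= DUE_AGE_YEARS:
        return "due"
    return "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    for pw in ["Tr0ub4dor&3", "password1", "correcthorsebattery", "Short1!", "ab" * 64]:
        print(repr(pw), "->", check_password(pw) or "passes")
    print("changed 2000-08-15, checked 2016-05-01 ->", rotation_status("2000-08-15", "2016-05-01"))
```

Note that "password1" passes: the two-class rule only bounds the character set, it says nothing about guessability. That is why the notice leans on rotating the password and on not reusing it elsewhere, rather than on complexity alone.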
Apple OS X
If you only use your Mac (and log in with an Active Directory mobile account), the easiest way to update your password is System Preferences -> Users & Groups -> Change Password. That single action updates AD, the cached FileVault credential (if the disk is encrypted), and your login keychain.
If you use multiple devices, or choose to change the password through ASW, the recommended steps are:
1) Change your password through ASW (or on another device), then restart the Mac.
2) Upon restarting, the Mac will most likely still need the old password at the FileVault unlock screen (if the disk is encrypted): the disk-unlock credential is cached locally and is refreshed only after you log in with the new password.
3) You should then be taken to the login screen. Log in with your new password. (This assumes you are on campus and the Mac can reach a domain controller to authenticate.)
4) You will likely be prompted for a password to update your “login” keychain, which is still protected by the old password:
a. Choose "Update Keychain Password"
b. Supply the old password
5) All credentials (AD, FileVault, keychain) should be synchronized at this point.
Domain-joined and network-attached Windows computer
1) Press Ctrl-Alt-Del
2) Click Change A Password
3) Type the old password, then the new password twice, and press Enter.
Web Link to change passwords
After changing your password, update the password on all mobile devices that make use of ISU NetID credentials.
Do not change your password and then change it back to what you had before. In addition to negating the benefits of a password change, this will have a negative effect on your Office 365 email and possibly other services.
If you have an IASTATE domain-joined Windows computer that is off the ISU network and you log on to it with an ISU NetID, it will keep accepting the old password until it is connected inside ISU (or over the Cisco VPN). Windows logs you on with a locally cached copy of your credentials, and that cache is only updated once the computer can contact the domain controllers and verify the new password.