Stronger SUNet passwords to enhance account security at Stanford

New standards mean SUNet users can choose passwords that are short but complex, or longer and less complex. Most campus users will be prompted to update their passwords in the coming weeks.

Information security incidents continue to make the national news on an almost daily basis. Some of the most important measures individuals can take to protect themselves online are fairly simple: Choose strong passwords, change them periodically and use two-step authentication wherever possible.

As part of Stanford's continuing effort to bolster information security, the campus is adopting stronger requirements for SUNet account passwords. The new standards were developed in consultation with faculty in the Computer Science Department.

In order to implement the new standards and as an important step in recovering from last summer's cybersecurity breach, most users across the campus will once again be prompted to change their SUNet passwords in the coming weeks.

"These updated standards reflect best practices that we believe are important to protecting Stanford's data, working in combination with other enhanced security measures we have been implementing," said Michael Duff, chief information security officer for Stanford. "We expect the change will be simple for users but will make a meaningful improvement in our security posture."

New standards for passwords

Under the new standards, the minimum SUNet password length will remain at eight characters, but passwords of that length will need to contain a mix of upper- and lower-case letters, numbers and symbols as well as pass additional strength checks. By progressively relaxing the complexity requirements at 12, 16 and 20 characters, the campus will encourage adoption of longer passwords, which are more resistant to so-called "brute force" attacks.

Passwords of 20 characters or more will be permitted to include any characters the user chooses, including lower-case letters alone, which is ideal for mobile devices.
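The tiered policy described above can be expressed as a small validator. The following is an added illustration, not code from the article or from Stanford's account infrastructure. The 8-character tier (all four character classes) and the 20-character tier (no class requirement) follow the article; what the 12- and 16-character tiers actually require is not stated on the page, so the two intermediate tiers below (drop the symbol requirement at 12, drop the digit requirement at 16) are assumptions, as is the tiny common-password blocklist standing in for the unspecified "additional strength checks".

```python
"""Length-tiered password policy checker (illustrative, not Stanford's code)."""
from typing import List, Optional, Set

MIN_LENGTH = 8

# (minimum length, character classes required at that length), longest tier first.
# The 8 and 20 tiers follow the article; the 12 and 16 tiers are ASSUMED here,
# since the article only says the complexity rules relax at those lengths.
TIERS = [
    (20, set()),                                   # any characters at all
    (16, {"upper", "lower"}),                      # assumed: mixed case only
    (12, {"upper", "lower", "digit"}),             # assumed: symbols no longer needed
    (8, {"upper", "lower", "digit", "symbol"}),    # all four classes
]

# Constructed stand-in for the article's unspecified "additional strength checks":
# a deliberately tiny blocklist; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein!"}


def character_classes(password: str) -> Set[str]:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Punctuation, whitespace and other non-alphanumerics all count as symbols.
            classes.add("symbol")
    return classes


def required_classes(length: int) -> Optional[Set[str]]:
    """Return the classes required for a password of this length, or None if too short."""
    if length < MIN_LENGTH:
        return None
    for min_len, classes in TIERS:
        if length >= min_len:
            return classes
    return None  # not reachable: the 8-character tier covers every length >= MIN_LENGTH


def check_password(password: str) -> List[str]:
    """Return the list of reasons the password is rejected; an empty list means accepted."""
    required = required_classes(len(password))
    if required is None:
        return [f"must be at least {MIN_LENGTH} characters"]
    problems = [f"missing {cls} character" for cls in sorted(required - character_classes(password))]
    if password.lower() in COMMON_PASSWORDS:
        problems.append("too common")
    return problems


def is_acceptable(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords exercising each tier.
    for candidate in ["Short1!", "Sa7e!pass", "saferpass", "SaferPass2014",
                      "saferpassword2014", "cardinaltreeontheoval", "password"]:
        print(f"{candidate!r:28} -> {check_password(candidate) or 'accepted'}")
```

Note that length is checked first and the class requirement is looked up by length, so a 21-character all-lower-case password passes while the same characters at 17 fail on the missing upper-case letter, which mirrors the "longer but less complex" trade-off the article describes.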

The new requirements and additional tips for creating strong passwords are summarized on the IT Services website. An informational graphic providing an at-a-glance guide to the new password requirements is also available.

To launch the new measures, all users who have not changed their SUNet passwords since Nov. 22 will be prompted to do so in the near future. The Nov. 22 date is when a new, heavily fortified user account infrastructure was deployed in response to the campus cybersecurity breach last summer. Members of the campus community will be prompted to update their passwords on a rolling basis.

Each SUNet account owner will receive five days of notice before a password change is required. Notification will be provided via email (containing no web links) and on the WebLogin page, which is displayed whenever a user logs into a SUNet password-protected web application on the Stanford network, such as Axess, Box or Zimbra.

After the five days have elapsed, the user will be required to change the password the next time WebLogin is accessed, and the previous password will stop working. SUNet passwords configured in applications such as email on mobile devices will need to be updated accordingly.

SUNet account owners can change their passwords at any time by visiting the Accounts page of the Stanford website, clicking "Manage," then selecting "Change Password."

Duff acknowledged that no single security measure, including the strongest possible password requirements, can prevent every online attack. Strong passwords do make a difference, he said, and the university's two-step authentication system, which periodically requires entry of a second code to gain access to SUNet accounts via the web, has significantly strengthened SUNet account security as well.

Improvements coming to two-step authentication

Duff said the two-step authentication system will continue to be expanded and improved this year, with additional options offered to enhance ease of use. He also encouraged Stanford computer users to change their passwords periodically on a voluntary basis, given the prevalence of attacks such as phishing that are designed to steal account credentials.

"While we have no reason to believe that SUNet credentials were impacted by the recent Heartbleed bug that received international attention, the Heartbleed episode is a reminder that new information security threats are emerging all the time," Duff said. "Although only a portion of the university population must change passwords periodically per regulatory requirements, doing so is recommended for all as an important defense against these threats, which often go undetected for years."

Assistance with password issues can be obtained from IT Services by submitting a HelpSU request.