OSU/A&M Identity System — Password and MFA Changes
Enhancing Digital Security
Upcoming changes to password requirements and Duo Mobile
As part of our ongoing commitment to the security and integrity of the digital data of our faculty, staff and students, and of the university's critical systems, Enterprise IT is implementing new requirements for passwords and multifactor authentication on the OSU/A&M identity management system (O-Key, C-Key, Gold Key, Aggie Access, Lion Key).
Changes for Passwords
Effective Nov. 10, 2024, OSU/A&M identity management system account passwords will no longer expire. This change will take effect the first time you update your password after Nov. 10.
New Password Requirements
- The minimum password length will be 14 characters; the maximum will be 32 characters.
- Both upper- and lower-case letters will be required.
- Passwords will be able to use ASCII characters, including spaces.
- Passwords will not be able to match any previous password.
- Passwords will not be able to contain three or more consecutive repeating or sequential characters (e.g., 111 or aaa).
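As an added example (not OSU or Enterprise IT code), the following Python checker models the rules above together with the OSU-related word blocklist mentioned in the FAQ below. It assumes previous passwords are stored as salted PBKDF2 hashes rather than in the clear, reads "sequential characters" as three adjacent code points such as abc or 321 (the page gives only repeating examples), treats "ASCII" as printable ASCII, and uses a constructed blocklist holding the page's one example, "cowboys". Running it also shows that the page's sample passphrase is 37 characters, over the 32-character maximum.

```python
"""Password-policy checker modelling the rules on this page.

Added example, not OSU/Enterprise IT code. Assumes previous passwords are
kept as salted PBKDF2-HMAC-SHA256 hashes (never in the clear) and reads
"sequential characters" as three adjacent code points (abc, 321), an
interpretation the page does not spell out.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

MIN_LEN, MAX_LEN = 14, 32
PBKDF2_ROUNDS = 100_000  # kept modest so the history check runs quickly
# Constructed blocklist: "cowboys" is the only example the page gives.
BLOCKED_WORDS = ("cowboys",)

History = Sequence[Tuple[bytes, bytes]]  # (salt, digest) per old password


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_previous(password: str, history: History) -> bool:
    """True if the candidate equals any previous password (compared via its hash)."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def has_run_of_three(password: str) -> bool:
    """Detect three identical (aaa, 111) or adjacent (abc, 321) consecutive characters."""
    for a, b, c in zip(password, password[1:], password[2:]):
        step1, step2 = ord(b) - ord(a), ord(c) - ord(b)
        if step1 == step2 and abs(step1) <= 1:  # 0 = repeat, +/-1 = sequential
            return True
    return False


def check_password(password: str, history: History = ()) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters (got {len(password)})")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("must contain both upper- and lower-case letters")
    # Assumption: "ASCII" means printable ASCII (0x20-0x7E), which includes the space.
    if not all(0x20 <= ord(c) <= 0x7E for c in password):
        problems.append("only printable ASCII characters (including spaces) are allowed")
    if has_run_of_three(password):
        problems.append("must not contain three repeating or sequential characters")
    lowered = password.lower()
    hits = [w for w in BLOCKED_WORDS if w in lowered]
    if hits:
        problems.append("contains prohibited word(s): " + ", ".join(hits))
    if matches_previous(password, history):
        problems.append("must not match a previous password")
    return problems


if __name__ == "__main__":
    old = [hash_password("Home Of 55 Championships")]  # constructed password history
    for candidate, history in (
        ("The Home Of 55 National Championships", ()),  # the page's sample: 37 chars, too long
        ("Home Of 55 Championships", ()),               # 24 chars, passes every rule
        ("Home Of 55 Championships", old),              # same phrase reused: rejected
        ("Go Pokes Cowboys 2024!", ()),                 # contains a blocklisted word
        ("Mustang ABC Rally 42", ()),                   # "ABC" is a sequential run
    ):
        print(f"{candidate!r}: {check_password(candidate, history) or 'OK'}")
```

The history check hashes the candidate with each stored salt and compares in constant time, so the system never needs old passwords in the clear; in production the PBKDF2 round count would be set much higher than the 100,000 used here for speed.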
Recommendations for New Passwords
Using strong passwords that are easy to remember but hard to guess is important to maintaining digital security. With these new changes, one recommendation is to use a passphrase.
Passphrases are short, memorable sentences. These could be related to you personally or even to the university, for example, “The Home Of 55 National Championships” (but don't use this one!). Note that this example is 37 characters, over the 32-character maximum, so a passphrase that long would need to be shortened to fit.
Changes for Multifactor Authentication
Beginning Nov. 10, logging in will require Duo authentication through the Duo Mobile app, an SMS passcode, or a hardware fob. OSU's Duo will no longer offer phone calls as a verification method.
Frequently Asked Questions
- Why does my password have to be 14 characters?
The National Institute of Standards and Technology (NIST) identifies password length as the primary factor in password strength. Passwords that are too short fall to brute-force attacks and to dictionary attacks that try common words and commonly chosen passwords. The 14-character minimum raises the cost of those attacks and helps keep passwords, and the data they protect, safe.
New passwords will be able to include dictionary words and ASCII characters, including spaces, and passphrases are encouraged. These make longer passwords easier to remember and quicker to type.
- Can I use dictionary words in my password or passphrase?
Yes, dictionary words will be allowed. However, some words related to OSU that would make passwords easy to guess will be prohibited (like cowboys).
- Can I still use YubiKeys or other hardware fobs for multifactor authentication?
Yes, hardware tokens are permitted for MFA.
- Can I use a cloud-based password manager?
Yes. Cloud-based password managers, such as Bitwarden, may be used to generate and store passwords.
- How long are Duo Mobile app passcodes valid?
Duo Mobile app passcodes must be used within 30 seconds.
- Why is the 'verified push' method being implemented?
The 'verified push' method is being implemented to prevent push authentication exhaustion (also called MFA fatigue or push bombing), in which an attacker who holds a user's password triggers repeated Duo Push notifications until the user eventually accepts one, potentially allowing unauthorized access. With verified push, the user must type the code shown on the login screen into the Duo Mobile app, so a prompt the user did not initiate cannot be approved with a single tap.
- Why is phone call authentication being removed?
Phone call authentication is being removed because calls can be spoofed, redirected through a hijacked SIM card, or intercepted and proxied.
- Will the same Duo applications be used for this change?
Yes, the same Duo application will be used.
- What should I do if my mobile device is broken or inaccessible?
The EIT Helpdesk can provide a temporary bypass code. Your identity will need to be verified, and then a bypass code will be generated and provided to you.
- Will there be any changes to the Duo Portal or authentication process?
No, there will be no changes to the Duo Portal or the authentication process. The portal will still look and operate the same, and the authentication process will still allow users to select 'Remember Me.'
- Is MFA required for service accounts?
MFA is not required, and should not be prompted, when accessing a service account on campus.
- How should service accounts be set up for email?
It is recommended to grant the account's owners mail rights on the service account. Owners can then open the service mailbox within their own Outlook profile or as a separate account in a different tab.
- Can users be set up in Duo on the service account?
Yes, users can be set up in Duo on the service account, allowing them to select their own device to authenticate through MFA when prompted.
- What happens when accessing multiple machines?
Accessing multiple machines will force new logins and MFA authentication, because it is the identity that is being protected, not the device. Use the 'Remember Me' option where appropriate to reduce repeated authentication prompts.
- What if the system application cannot accept the three-digit code?
If the application cannot accept the three-digit verified-push code, the standard push with accept or deny will be used instead. That fallback does not carry the protection against push exhaustion described above, so treat unexpected prompts on such systems with suspicion and deny them.