Carleton has adopted a new password security policy and will be requiring a campus-wide password reset between December 6th, 2021 and February 7th, 2022 for all faculty, staff, and students.
Why?
Over the past six months, Carleton has been affected by the increased cost of cybersecurity insurance. This is due to the large payouts for ransomware around the world and an increase in security requirements. Additionally, we have received specific security advice about our current password requirements from the college’s auditors, Clifton Larson Allen. We are taking this step to protect our data and systems.
How Does it Work?
On December 6th you will see a notification on the Carleton login page that you will need to change your password between now and February 7th.
Password Requirements
ITS reviewed the National Institute of Standards and Technology (NIST) password guidelines, as well as the recommendations from our auditors, to develop these new password requirements:
New password requirements
- Passwords must contain at least 15 characters.
- Users can change their password anytime between Dec 6th and Feb 7th.
- Passwords will be checked against a list of leaked passwords.
- The college will follow NIST standards, e.g. no forced complexity requirements and no forced password expiration (except in the case of a compromise).
- Users are encouraged to use a personal password manager (for their Carleton and personal accounts), such as LastPass, Google Password Manager, or Apple Keychain.
Next steps
ITS will send periodic updates before Feb 7th to those who have not changed their password.
On mid-term break day (February 7th) at 8am, the stronger passwords will be required. In other words, any user who has not changed their password since December 6th will find that their login will not work. They will need to use their password reset questions or call the Helpdesk for support changing their password.