An Information Security publication for the WPI community.

In this issue:

  • WPI Account Password Protocol Changes
  • Even More Multi-Factor Authentication!
  • Cybersecurity Training for Employees
  • WPI Departure Tips

WPI Account Password Protocol Changes

Information Security continues to review best practices for account safety, taking into consideration both usability and impenetrability. The combination of multi-factor authentication with a password of 10 or more characters (16 recommended) provides excellent security! Over the next six months, password protocols will change for all WPI account holders.

The updated WPI password requirements and recommendations align with the National Institute of Standards and Technology (NIST) guidelines. Since 2014, NIST, a U.S. federal agency, has issued requirements and controls for passwords. WPI is adopting the latest NIST password guidelines, which were updated in 2020. The new NIST guidelines are based on numerous studies of human behavior and efficiency when it comes to passwords. They provide best practices for creating strong, effective passwords rather than outdated policies that lead to weaker and easy-to-hack passwords.

Here’s a summary of the new WPI requirements based on the NIST guidelines:

1. Password length: The minimum password length is 10 characters as of May 16, 2022. WPI Information Security recommends using a 16-character password.

2. Password complexity (e.g., requiring at least one upper- and lowercase, numeric, and special character): WPI requires a mix of character kinds (one uppercase, one lowercase, one numeric or special character).

3. Checks for “known bad” passwords: WPI will check new and changed passwords against a list of common or previously compromised passwords (from dictionaries, previous breaches, keyboard patterns, and contextual words).

4. Failed attempts: WPI will allow a limited number of failed password attempts before the account holder is locked out of a system or service.

5. Password expiration: WPI will not require users to change their password at a defined interval (180 days) as of November 18, 2022.

6. Require using MFA: WPI requires the use of MFA as an out-of-band authenticator. MFA is required for all access to WPI networks and applications.

7. Recommend using a password manager: To avoid using the same or similar passwords across multiple accounts, you should consider using a password manager that generates random passwords stored in an encrypted format that only you can access via a master password. This “one-password to rule them all” approach is widely accepted by the security community and can be found in LastPass, 1Password, Nord Password Manager, and KeePass.

Digital Identity Guidelines from NIST

Minimum 10 Character Passwords

Beginning May 16, 2022, as account holders change their passwords, new passwords will require a minimum of 10 characters. They can be longer if you choose. At least 3 different kinds of characters (uppercase, lowercase, numeric or special) must be included. A few password reminders:

  • Avoid dictionary words; they are easy for algorithms to crack even when letters are replaced by special characters, such as @ for a or 0 (zero) for O.
  • Use a unique password for your WPI account.

[Image: Table displaying password characteristics and length of time to be hacked.]

Additional information about password safety, using passphrases, etc. is on the WPI Hub.

  • WPI Account Password Standard
  • Create a Secure Password
  • Password Safety
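The length, character-kind and known-bad checks summarized above can be expressed in a few lines of Python. This is an added example, not WPI's own code: the blocklist entries, the substitutions beyond @ and 0, the sample passwords, and reading the complexity rule as three required kinds (uppercase, lowercase, numeric or special) are assumptions.

```python
import re

MIN_LENGTH = 10  # minimum length as of May 16, 2022

# Constructed sample blocklist. A real check would load a large list of
# common and previously compromised passwords; the page names no source.
SAMPLE_BLOCKLIST = {"password", "letmein", "qwertyuiop", "welcome"}

# Reverse the letter replacements the page warns about (@ for a, 0 for O).
# The remaining mappings are assumptions added for this example.
SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s"})


def normalize(password):
    """Reduce a password to the word it was most likely built from."""
    lowered = password.lower()
    # Drop trailing digits and symbols first ("2022!"), then undo substitutions.
    core = re.sub(r"[^a-z]+$", "", lowered)
    return core.translate(SUBSTITUTIONS)


def check_password(password, context_words=()):
    """Return a list of rule violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    kinds = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(not c.isalpha() for c in password),  # numeric or special
    )
    if not all(kinds):
        problems.append("missing character kind")
    core = normalize(password)
    if core in SAMPLE_BLOCKLIST:
        problems.append("known bad")
    # Contextual words (for example the account name) are assumed inputs.
    if any(word.lower() in core for word in context_words):
        problems.append("contains contextual word")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2022!", "short1A", "Maple-Kettle-Orbit-42"):
        print(candidate, check_password(candidate, context_words=["jdoe"]))
```

"P@ssw0rd2022!" satisfies the length and character-kind rules and is rejected only by the known-bad check, which is the case the dictionary-word reminder describes.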

Removing 6 Month Password Expiration

Presently, WPI account passwords expire every 180 days. As the date approaches, account holders receive an email reminder to change their password. This will continue through the next several months, providing all account holders an opportunity to establish a password of 10 characters or more.

Beginning November 18, 2022, the expiration will be removed and password resets will no longer be required. Of course, you may still choose to establish a new password at any time using Self Service Password Reset.

Change Your WPI Password

MFA Everywhere

Multi-Factor Authentication (MFA) will protect all connections to WPI services and systems beginning May 24, 2022. WPI account holders are already using MFA for most connections, so there will be little obvious impact. Expanded MFA has prevented numerous hacking attempts, and is a vital tool for Information Security when investigating issues. This is a great time to ensure that you:

  • Have several verification methods in place.
  • Always verify that the MFA challenge is coming from you!

[Image: April 2022 brute force attempts rose but zero WPI accounts compromised]

If you need assistance with MFA, please do not hesitate to contact the IT Service Desk.

Configure Multi-Factor Authentication

Cybersecurity Training Reminder

Information Technology, Talent & Inclusion, and the Provost’s Office have partnered to deploy a short online training series on phishing and ransomware for all employees. This series consists of two 5-minute videos: Cybersecurity Short: Avoiding Phishing Attacks and Ransomware Awareness.

Talent & Inclusion has assigned this training series through the WPI Learning Academy, our online learning platform. We ask that you find time before May 31st to complete them.

WPI Learning Academy

Departing WPI?

If your journey at WPI is coming to a close soon, here are some recommendations from Information Security for a smooth transition:

  • Change notifications using your WPI email to an alternate email address.
  • If you own a site, group, or team, ensure there is at least one other owner who is not departing.

More tips are at:

Departing Resources