Campus ID News
Card, mobile credential, payment and security
password 1

Indiana University combatting fraud with robust password policy

Andrew Hudson   ||   Oct 12, 2018  ||   

It's a potentially damaging practice, particularly for universities, with many student and faculty users and valuable assets all protected by passwords.

With this in mind, researchers at Indiana University have examined the practice of password reuse and posited ways to mitigate the risks associated with this insecure practice.

According to research conducted at the university, longer minimum passwords are the most effective way to reduce potential exposure in a third-party data breach, as well as prevent password reuse. The work being conducted by the group of researchers points to a simple way to foil criminals intent on breaking into university data.

Requiring longer and more complicated passwords resulted in a lower likelihood of password reuse, according to research findings from "Factors Influencing Password Reuse: A Case Study." The authors of the paper are Jacob Abbott, an IU Bloomington Ph.D. student; Daniel Calarco, chief of staff for the IU Office of the Vice President for IT and CIO; and L. Jean Camp, professor in the IU Bloomington School of Informatics, Computing and Engineering.

To investigate the impact of policy on password reuse, the study analyzed password policies from 22 different U.S. universities, including IU. The research then extracted sets of emails and passwords from two large data sets that were published online and contained over 1.3 billion email addresses and password combinations. Based on email addresses belonging to university domains, passwords were compiled and compared against a university's official password policy.

The findings were clear: Stringent password rules significantly lower a university's risk of personal data breaches. Some highlights from the report:

  • Passphrase requirements: a 15-character minimum length deterred the vast majority of IU users (99.98%) from reusing passwords or passphrases on other sites.
  • Universities with fewer password requirements had reuse rates potentially as high as 40%.
  • Analysis found that IU performed the best of the 22 examined universities -- and had the most extensive password requirements.

"IU has worked with security and usability faculty to design our password policies, with the result being policies that value people's time while mitigating risk," says L. Jean Camp, professor in the IU Bloomington School of Informatics, Computing and Engineering. "The length and complexity are balanced by the extended period before new passwords must be generated and the use of a longer authentication time window for applications. Indiana University's rollout of two-factor authentication is similarly a model."

In addition to its findings, the researchers offer some recommendations to safeguard university personnel and the general public:

  • Increase the minimum password length beyond 8 characters.
  • Increase maximum password length.
  • Disallow the user's name or username inside passwords.
  • Contemplate multi-factor authentication.
  • Multi-factor authentication is becoming more common and usable. IU, for example, employs Two-Step Login. Multi-factor authentication may be a viable alternative to changing the length and complexity of password policies.
Subscribe to our weekly newsletter


May 26, 23 / ,

Penn State adds mobile ordering to campus app

Penn State has added a mobile ordering feature to its comprehensive campus mobile app, Penn State Go. The Penn State Eats Mobile function is available for use by students on the flagship University Park campus, as well as across the university's Commonwealth Campuses.
May 26, 23 / ,

NAU leverages delivery robots to support late-night dining

Northern Arizona is leveraging Starship delivery robots and the mobile ordering app in a clever way to prop up late night dining, and putting a twist on the ghost kitchen concept. The university has launched its Hole in the Wall dining window that now serves either pickup or robot delivery for students by offering a number of dining concepts all from a single, concession-style window.
May 25, 23 / ,

HID's Technology Partner Program helps companies develop mobile solutions

Trusted identity solutions provider, HID Global, has announced its HID Origo Technology Partner Program, the company’s first program dedicated to partners with a focus on mobile technologies. The Origo Technology Partner Program is designed to help technology partners by providing the ideal platform for organizations to design, test, and market products that integrate with HID Origo via APIs and SDKs.
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Join us, @NACCUorg, and @TouchNet to explore how campus card programs can successfully navigate the sales and procurement process. Join the webinar on June 6, 2 pm EDT.

Webinar: Learn how the University of Arizona uses campus cards, mobile ordering, kiosks, lockers, and robots to revolutionize campus dining. April 7, 2-2:30 EDT. Register Now at

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2023 CampusIDNews. All rights reserved.