Campus ID News
Card, mobile credential, payment and security
password 1

Indiana University combatting fraud with robust password policy

Andrew Hudson   ||   Oct 12, 2018  ||   

It's a potentially damaging practice, particularly for universities, with many student and faculty users and valuable assets all protected by passwords.

With this in mind, researchers at Indiana University have examined the practice of password reuse and posited ways to mitigate the risks associated with this insecure practice.

According to research conducted at the university, longer minimum passwords are the most effective way to reduce potential exposure in a third-party data breach, as well as prevent password reuse. The work being conducted by the group of researchers points to a simple way to foil criminals intent on breaking into university data.

Requiring longer and more complicated passwords resulted in a lower likelihood of password reuse, according to research findings from "Factors Influencing Password Reuse: A Case Study." The authors of the paper are Jacob Abbott, an IU Bloomington Ph.D. student; Daniel Calarco, chief of staff for the IU Office of the Vice President for IT and CIO; and L. Jean Camp, professor in the IU Bloomington School of Informatics, Computing and Engineering.

To investigate the impact of policy on password reuse, the study analyzed password policies from 22 different U.S. universities, including IU. The research then extracted sets of emails and passwords from two large data sets that were published online and contained over 1.3 billion email addresses and password combinations. Based on email addresses belonging to university domains, passwords were compiled and compared against a university's official password policy.

The findings were clear: Stringent password rules significantly lower a university's risk of personal data breaches. Some highlights from the report:

  • Passphrase requirements: a 15-character minimum length deterred the vast majority of IU users (99.98%) from reusing passwords or passphrases on other sites.
  • Universities with fewer password requirements had reuse rates potentially as high as 40%.
  • Analysis found that IU performed the best of the 22 examined universities -- and had the most extensive password requirements.

"IU has worked with security and usability faculty to design our password policies, with the result being policies that value people's time while mitigating risk," says L. Jean Camp, professor in the IU Bloomington School of Informatics, Computing and Engineering. "The length and complexity are balanced by the extended period before new passwords must be generated and the use of a longer authentication time window for applications. Indiana University's rollout of two-factor authentication is similarly a model."

In addition to its findings, the researchers offer some recommendations to safeguard university personnel and the general public:

  • Increase the minimum password length beyond 8 characters.
  • Increase maximum password length.
  • Disallow the user's name or username inside passwords.
  • Contemplate multi-factor authentication.
  • Multi-factor authentication is becoming more common and usable. IU, for example, employs Two-Step Login. Multi-factor authentication may be a viable alternative to changing the length and complexity of password policies.
Subscribe to our weekly newsletter


School kids walking
Feb 16, 24 /

Allegion works with leading foundation to deter school shootings, improve crisis response

Security provider, Allegion US, is partnering with The "I Love U Guys" Foundation to contribute to the group’s programs for school crisis response. The goal is to make schools safer together through the development and dissemination of procedures and standard response protocols. In 2006, Ellen and John-Michael Keyes founded the organization after losing their daughter […]
University of New Brunswick mobile credential
Feb 14, 24 /

Mobile credential impacts at University of New Brunswick profiled in new video

  A new video chronicles the impacts of mobile credentials on the students and the administration at the University of New Brunswick (UNB). Featuring interviews with key leaders from IT, finance, security and housing, the video presents a wide-ranging perspective that can help leaders on other campuses share the vision with their administration. The University […]
Should I shred my ID card printer ribbons webinar
Feb 14, 24 /

Do you need to shred used printer ribbons?

It's and age old question - how do I dispose of used card printer ribbons. Are most campus card offices already doing it? When you print an ID card, there is an imprint of the data left on the printer ribbon. When you are done with a ribbon, there is a visual record of the […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Join Jeff Koziol and Robert Gaulden from @AllegionUS as we explore how mobile credentials and proptech are changing on- and off-campus housing.

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2024 CampusIDNews. All rights reserved.