Upcoming changes to passwords/passphrases and multi-factor authentication

Colleagues:

I am writing to let you know about a few upcoming changes to passwords and multi-factor authentication (MFA) that will not only make our systems and data more secure, but will also make it easier for you to log in to TCC systems. As you know, TCC has required the use of “complex” passwords for quite some time, and we have required that your passwords meet minimum standards of complexity such as having a mixture of uppercase and lowercase letters, numbers and symbols. And we have required that these passwords be changed on a regular basis and that prior passwords not be re-used. These requirements were based on the best security practices at the time and also met the standards required by our auditors. But these rules were never easy to follow and, in many cases, led to systems being less secure due to people doing things like simply changing the last digit on the same basic password or even writing them down.

Well, times have changed and so have security best practices. The National Institute of Standards and Technology (NIST) is a government agency whose responsibilities include setting the standards for digital identity services for the federal government. These standards include recommendations related to passwords and MFA. And we are now able to implement those best practices at TCC. 

Beginning in early October you will no longer have to deal with complicated rules on password complexity or be required to make frequent password changes. Instead, you will be required to use a passphrase that can be any combination of words, letters, numbers or symbols. This passphrase must meet two criteria. First, it must be 10 characters or longer. If you were simply to combine two words that mean something to you, such as a favorite food and a favorite city (for example, chocolatenewyork), you can easily meet the 10-character minimum. The second criterion is that your passphrase must not be easy to guess and must not have been exposed on the internet in a data breach. To meet this requirement, Microsoft will evaluate your passphrase when you try to create it. If it is easy to guess or is in a list of passphrases exposed in a prior data breach, then you will be asked to select another passphrase.

As a result of you using a strong passphrase, we will no longer require you to change it. However, if your TCC account becomes compromised, your computer or device becomes hacked, you fail one of our simulated phishing tests, or have any other sort of data security incident, you will then be required to change your passphrase. We do recommend that you do not reuse this passphrase on other accounts (you should never reuse passwords or passphrases) and you can always change it anytime that you would like.

We will also be making changes to MFA in early October. We will be adding the required use of MFA for Canvas, Office365 and other TCC systems. However, instead of your MFA token only being good for 24 hours, we will be changing it so that it is good for 28 days. That means that you will only have to re-authenticate your devices and browsers approximately once per month instead of the current once per day. And we are going to strongly suggest that you use the Microsoft Authenticator app for multi-factor authentication rather than receive a text message since doing so is both easier and more secure.

These changes will go into effect in early October. At that time all employees will be required to create new passphrases so that they can conform to the new passphrase rules. The IT team will be sending you additional information as we get closer to implementation. Also note that later in October we will be requiring students to use the same passphrase rules and that they, too, use MFA for Canvas, Office365, Workday and other systems.

I hope that you will agree that the above changes will not only make our systems more secure, they will also be less onerous for you to manage. Should you have any questions about anything above, please feel free to let me know.

  —Bret

__________________
Bret Ingerman
Vice President for Information Technology
Tallahassee Community College

ingermab@tcc.fl.edu
(850) 201-6082

444 Appleyard Drive
Tallahassee, FL, 32304-2895


