Indianapolis university ditches six-month password policy

Photo by: Butler University via Wikimedia Commons



The Information Technology Department at Butler University in Indianapolis announced that it is getting rid of the requirement for faculty and students to change their passwords every six months.  

The rule that requires students and faculty members to change passwords is widely used on most campuses across the US. This practice bolsters security and the protection of sensitive information for those on the campus network. A new report put out by the National Institute of Standards and Technology (NIST) states that the 180-day policy of changing your password doesn’t mean that your information is more secure, so Butler is doing away with the requirement.

Several American institutions, including Butler and the U.S. government itself, look to NIST for guidance on IT matters.

Zach Skidmore, an information systems analyst and 14-year veteran in Butler’s IT department, said: “There’s always been a lot of pain and strife around password expiration.” He added, “If the government’s okay with this, then it is certainly something to consider for our own organization.”

However, not all at Butler are on board with this change. Mason Rinks, a sophomore management information systems and accounting major, said, “Taking a week to learn a new password is worth not having a lifetime of someone impersonating you online.  Every half a year, having to change your password is not too big of a hassle.”

Sophomore computer science and finance double major Leo Martin, meanwhile, does not agree with Rinks, stating, “I looked into that [NIST] report and frankly the results are not surprising.” He added, “If a skilled hacker truly wants access to your account, they will find a way to get your password in one way or another. The last time you changed it is pretty irrelevant to them.” He also said, “Based on a password strength test I ran, it would take about five million years to correctly guess a password created using the minimum standards Butler IT requires.”

NIST maintains in its publication that it has not found any IT security benefit in changing passwords periodically.