Mandatory Periodic Password Change
As part of the continuing efforts to improve computer and information
security on campus, periodic mandatory password changes for PAWS/Windows
accounts will soon be required at least every 60 days. This is a necessary
step in securing the University's information resources and for compliance with
recent legislation addressing information security. We are currently in the
process of activating this feature of PAWS for faculty and staff, and it should
be activated for students by March 2005.
How will this affect your account?
Once this feature has been activated, if you have not changed your PAWS
password in the last 60 days, you will be required to change your password the
first time you attempt to log in to PAWS. If you have changed your PAWS password
within 60 days, you will not have to change your password until 60 days have
passed from your last password change.
How will you know the number of days remaining on your current
password?
When you are within 10 days of needing a new password, a box will appear at
the top of the left frame of your PAWS desktop indicating how many days you
have remaining on your current password. This box will also have a link that
you can use to direct you to the PAWS Password Change application.
How will you know when a password change is required?
If you attempt to log in to PAWS and 60 days have passed since your last
password change, you will be redirected to a page that explains that your
password has expired and gives you the opportunity to change it there. You
will not be able to log in to PAWS and get your full PAWS desktop again until
you have successfully changed your password. Once you have completed this
process, you will receive a message indicating that it was successful, and then
your PAWS desktop will be loaded in your browser.
What is required in a PAWS password?
A PAWS password must be at least 6 characters long, and at least one of
those characters must be a number.
What is recommended of a PAWS password?
You should use a long, complex string or phrase when choosing a password.
You can develop a password from an easy-to-remember phrase by using the first
letters of each of the words in the phrase, substituting numbers for some of
the vowels, and adding some special characters. For example, the phrase "My dog
is a Poodle and his name is Spot!" might yield "Md1aP&hniS!". But don't use
this example. Be sure to make up your own.
Why is this being done?
There have been a number of questions regarding the reasons for
implementing password aging and whether it is effective in reducing password
compromise. The theory on the effectiveness of password aging is that it
assists in reducing "at leisure" attacks. In layman's terms, if a password
never changes, a cracker has unlimited time in which to break it.
In case you are not familiar with the term "cracker", a cracker is a person
and/or program used to decipher encrypted passwords.
There are several compelling reasons for the decision to implement password
aging:
1. Password policies are mandated by current interpretations of Federal
legislation--FERPA, HIPAA, and GLBA.
2. Password aging is mandated by pending LSU system-level policies.
3. Password aging is recommended by industry standards (ISO 17799).