
University Wide Password Change Initiative

There has been an incremental rise in cybersecurity incidents globally, including a more than twofold increase in those aimed at higher education institutions.

As part of SFU’s overarching IT security strategy and continued work to improve our systems, we will be conducting a university-wide password change initiative as part of an annual implementation plan.

Changing your SFU Computing ID password, along with other security initiatives such as Multi-Factor Authentication (MFA), is another way we can enhance our ability to counter cyberattacks and better protect the SFU community.

Beginning in mid-August 2021 and rolling out in phases, the SFU community will start to receive a prompt to change their password. Please follow the instructions at that time. When it comes to security, you are the first line of defense. Thank you for doing your part.

FAQs

What’s happening?

  • There has been an incremental rise in cybersecurity incidents globally, including a more than twofold increase in those aimed at higher education institutions.
  • As part of SFU’s overarching IT security strategy and continued work to improve our systems, we will be conducting a university-wide password change initiative as part of an annual implementation plan.
  • Changing your password, along with other security initiatives such as Multi-Factor Authentication (MFA), is another way we can enhance our ability to counter cyber attacks and better protect our SFU community.
  • Beginning in mid-August 2021 and rolling out in phases, you will start to receive a prompt to change your password. Please follow the instructions at that time.

Who is impacted?

This password change initiative will be conducted across the university and will impact all SFU students, staff, faculty, alumni and retirees with an active SFU computing ID.

When is this taking place? What are the timelines?

Beginning in mid-August 2021 and rolling out in phases, you will start to receive a prompt to change your password. Please follow the instructions at that time.

You will be asked to change your password every 12 months from the date of your last change. 

How will this roll out?

  • Password changes will be implemented in phased rollouts, with approximately 2,500 SFU staff, faculty, students, alumni and retirees being asked to update their password at any one time.
  • Those with the oldest passwords will be prompted to make the reset first.
  • More information on domain-wide password change work as part of initiatives to strengthen SFU’s IT security systems can be found at https://www.sfu.ca/information-systems.html

Why are we doing this? Why now?

  • There has been an incremental rise in cybersecurity incidents globally, including a more than twofold increase in those aimed at higher education institutions.
  • We will be rolling out this university-wide password change initiative as part of SFU’s overarching IT security strategy and continued work to improve our systems.
  • Changing your password, along with other information security initiatives such as Multi-Factor Authentication (MFA), is another way we can enhance our ability to counter cyber attacks and better protect SFU’s systems and data.
  • The practice of regularly changing your SFU computing ID password is a key action you can take to help support the safety of SFU’s systems and data. Thank you for doing your part.
  • Also, unfortunately, MFA is not yet on every system.
    • For instance, when you log into your desktop/laptop, only your SFU computing ID and password are required. The same goes for email (except via Outlook Online) and some other major applications.
    • Our goal is to have all areas covered by MFA; however, this is likely 18 to 24 months out.
    • Password changes will be an additional security measure we can take in the meantime.

Didn’t we change our passwords at the last cyberattack notification in 2019? Have they been breached again?

  • The practice of regularly changing your SFU computing ID password is a key action you can take to help support the safety of SFU’s systems and data.
  • Passwords have not been breached. We will be rolling out this university-wide password change initiative as part of SFU’s overarching IT security strategy and continued work to improve our systems.

If someone has recently changed their password, do they have to change it again now and why?

  • As the initiative will be rolling out in phases, we will not need everyone to change their passwords at the same time (we’ll start with the oldest passwords, working our way to the newest). If your password was recently changed, you will be in a later group and can expect to be prompted to make a change to your password at a later time.
  • The practice of regularly changing your SFU computing ID password is a key action you can take to help support the safety of SFU’s systems and data.

Are passwords at risk because of the recent July 9, 2021, IT outage?

  • No, passwords are not at risk due to the July 9, 2021, IT outage.
  • We will be rolling out this university-wide password change initiative as part of SFU’s overarching IT security strategy and continued work to improve our systems.

What will happen if an individual is away on extended leave? Will they be locked out?

If individuals are away on a known extended absence when their password reset occurs, the IT Service Desk will be equipped to help them recover their password and make the change when they return.

If I have challenges changing my password, will there be help available?

Yes, if you need assistance with changing your password, please contact IT Services at its-help@sfu.ca or call 778-782-8888.

Why can’t we just rely on MFA to protect user accounts instead of changing our passwords?

  • While MFA helps to reduce the risk of malicious activity by requiring a separate method of verification, there are many services that cannot yet benefit from this type of security enhancement, such as email, Remote Desktop Protocol (RDP) and WiFi.
  • Strengthening our account management policies helps to reduce the risk to these non-MFA protected applications. However, for the time being, we still need password protection and the practice of regularly changing our passwords in order to enhance our ability to counter cyber attacks and better protect the SFU community. 

Why are we implementing a password change initiative when it is no longer considered best-practice?

  • Changing passwords regularly and implementing a password expiry date helps to limit the use of compromised accounts by attackers for malicious activities. In an effort to provide better account management while adhering to the spirit of best practice guidance, a reset interval that is longer than “90 days” but shorter than “never” is being put into practice. As SFU staff, faculty and students often hold onto their computing ID accounts for life, regularly changing passwords can help mitigate risks for our SFU community members.

Hasn’t research shown that bad passwords can be cracked easily by attackers and so changing passwords is useless?  

  • The one thing we know about the threat landscape is that it is ever changing. During the pandemic, attacks have been increasing in volume and sophistication. 
  • As attacks and the sale of organizational data become increasingly common, it is important to review our community accounts, such as our SFU Computing IDs, and find ways we can better protect against attacks.
  • The practice of regularly changing your SFU computing ID password is a key action you can take to support the security of SFU’s systems and data. 
  • We also have a state-of-the-art password system that helps users change their password securely and easily, providing as much protection as possible.

Who should I contact with questions or for more information?

  • More information on domain-wide password change work as part of initiatives to strengthen SFU’s IT systems can be found at https://www.sfu.ca/information-systems.html.
  • If you need assistance or have questions about your password reset, please contact IT Services at its-help@sfu.ca or call 778-782-8888.