Duke Health Password Policy Update

By | April 22, 2021

April 26, 2021


A bus station is where a bus stops.  A train station is where a train stops. 

A computer workstation is where … hey, wait a minute …


The research is out.  Nationally recognized standards suggest that short complex passwords, even if they are frequently changed, are less secure.  Duke is evolving its password policy to reflect this standard.  Beginning May 5, Duke Health is adopting a policy that requires a longer password while no longer requiring users to regularly change their passwords.

Here’s what you need to know …


But first, here’s our Tech Tip of the Week …

Have you ever been on the phone with tech support and they tell you to clear your cache?  You either open the menu to find the option or ask how to do it.

Here’s a shortcut for the next time you need to do this.  Press Ctrl+Shift+R.  It will clear your cache and refresh the page.

Yes – it’s that simple.  Try it.


The Basics

In early May, Duke will implement a new password policy, eliminating the need to change NetID passwords, unless compromised, for most users. The new policy is in alignment with national standards and introduces the following changes:

  • You will no longer be required to change your password every 180 days.
  • Your password will need to be 12 or more characters meeting basic complexity requirements.
  • You will no longer be able to use CTRL-ALT-DELETE to change your password.

Why the new policy?

Hackers have gotten surprisingly good at cracking passwords, and they have a wide variety of tools to help them.  Passwords following older standards are becoming increasingly easy to hack.  Studies show that a longer password is safer than a shorter password, no matter how complex.

Here’s a table that shows how long it takes to hack a password using current technology.  I’ve highlighted the new Duke standard – 12 characters.

When you create your password, a long password with numbers, symbols, upper- and lower-case letters is best.  My current password is 18 characters containing numbers, upper- and lower-case letters, and symbols.  Next week, we’ll talk about easy ways to create very long yet memorable passwords.

The National Institute of Standards and Technology (NIST) has determined that frequently changing passwords does not generally increase security or enhance usability.  They also found that by requiring frequent password changes, security administrators are causing users to resort to workarounds that ultimately decrease the effectiveness of the controls.


What’s Next?  Frequently Asked Questions …

When do DUSON users need to change their passwords?

Not yet – the new policy goes into effect next week.  We’ll send an IT Alert when it’s time for you to change your password.

What are the guidelines for the new passwords?

Your password will need to be 12 characters or longer.  Specific formats will no longer apply – you can create password complexity on your own.

Once the policy goes into effect next week and I change my password, how often will I need to change it?

After this policy goes into effect next week, you will only need to change your password if there is a possibility your account has been compromised.

What happens if my password is compromised?

Contact the Duke Security Office immediately if you feel your password has been or may have been compromised.

Will I still be able to change my password using CTRL-ALT-DELETE?

This is no longer supported.  Change your password by visiting the OIT Account Self-service Portal.


Missing Our Campus?

Our Duke Photo of the Week is The Sower, a statue on the southeast corner of Duke’s East Campus which was purchased by James B. Duke in 1914.
