Fall 2017 security changes and information

Overview

During the fall 2017 semester, OIT is introducing a couple of changes intended to improve security at CMU, both immediately and going forward. The first is a simple video that covers password security, phishing awareness, and where to find additional resources. The second requires everyone with a CMU account to change their Global ID password annually.

Security Video

 

The above video covers only a few points about account security, but they are some of the most important ones.

Password security

It's especially important to make sure to use a password that is both strong and unique to CMU. Not only can your account be used to access your personal and financial information, but CMU employees have access to sensitive data that must be safeguarded from outside access.

Using a unique password for your CMU account ensures that your Global ID password is not leaked in the event that another, external service is compromised. These days, it's almost routine to hear about a large online service losing sensitive data. This includes the most recent Equifax breach, as well as notorious breaches like those at Target and Home Depot. In these cases, if you used the same password for one of those accounts, and if it was possible to associate that account with your CMU email address, your CMU account could easily be compromised.

Phishing

We've covered phishing pretty extensively in the past, so you should also consider checking out our monthly security update focusing specifically on phishing. Notably, you should always be on the lookout for suspicious messages, and make sure to do a "skeptical hover" over links to make sure they go where you're expecting.

If you're ever in doubt, you can always contact the OIT Help Desk to verify the legitimacy of any messages you receive.

Additional resources

The video also references additional resources available to you. Since you're reading this page, it seems that you've already found them! On our OIT Security site, you can use the navigation on the right to access our different security pages.

Requirement to watch the video

As a part of the release of this video, we're putting in a CentralLink "popup" on October 2 to increase the visibility of these important security topics. We feel strongly enough that everyone at CMU should watch this video that you will be prompted daily in CentralLink until you check the box to affirm that you have watched the video.

By the way, if you've already watched the video embedded above or through YouTube, you can dismiss the CentralLink popup, guilt free!

Annual password change

On October 9, OIT will begin the process of requiring that Global ID passwords be reset annually. Here's what you should expect.

October 9 - November 8

While we're beginning these changes on October 9, there will be a "grace period" extending until November 8. This means that the new features described below will be in place on October 8, but we will not force password resets on any accounts until November 8. If your password is set to expire within 30 days, you will see this indicated when you log in to CentralLink.

Password expiration warnings on login

If your password is 335 days old or older, meaning that it will expire within 30 days, you will see a message indicating your upcoming password expiration when you log in with your Global ID. If you see this message, please reset your password at the earliest available opportunity to prevent it from expiring.

Please note that CMU will never ask you for your password, and this warning will only appear on the official CMU login page. If you see this message anywhere else, whether in email or on a suspicious web page, please report it to the OIT Help Desk.

Password expiration

If you do allow your password to expire, OIT's primary goal is making sure that you are able to change your password and regain access to your account. As such, if you attempt to log in at that point, you will instead be redirected to https://myaccount.cmich.edu where you will be able to reset your password. You will not be able to log in until your password has been reset.

Make sure to update your stored passwords

After you change your password, you'll need to make sure to update your stored passwords on mobile devices, password managers, and certain computers.

Mobile devices. It's easy to update your password on mobile devices. Just follow our Office 365 setup guide and change your stored password during the setup process.

Password managers. Many people use password managers to store and access their account credentials. If you use a password manager, make sure to update your entry for your Global ID.

CMU-owned Mac computers. This doesn't apply to all CMU-owned Mac computers, but if you use a Mac that you have to sign into with your Global ID and password, you should update your account's Apple Keychain to match your new Global ID password. Apple provides helpful instructions for updating your Keychain password on their support site.

Frequently Asked Questions

I just want to change my password. Where can I do that?

You can reset your password at any time by visiting https://myaccount.cmich.edu. On that page, once you're logged in, you will be able to change your password.

While you're changing your password, check out our improved password requirements, put into place this past summer. With these new requirements, you can create passwords that are both longer and simpler to remember.

I can't remember when I last changed my password. How can I tell? What can I do?

If you're not sure, your best bet is to change your password. It never hurts!

Right now, there isn't a way that you can confirm the exact date when your password was last reset. However, you will see a warning when you log in beginning 30 days before your password expires. If you see that warning, you should change your password as soon as you can to prevent being locked out of your account.

Why am I required to watch this security video?

The unfortunate reality of today is that large-scale security breaches have become commonplace amongst even the online services that people feel they should trust the most. Whenever one of these companies experiences a security breach, scammers have more information to work with. One of the best ways to ensure your privacy and security is to be aware of these basics of information security. Awareness is the best defense against cyber criminals.

I'm getting a CentralLink popup indicating that I need to watch that security video. Do I have to watch it right now?

You don't have to watch it immediately, but you really should watch it as soon as it's convenient to do so. If you've already watched the video, either through the embedded player above or directly on YouTube, feel free to just check the box affirming that you've watched the video.

If the timing is too inconvenient, feel free to just dismiss the message without checking the box. The popup will appear again the following day. In the meantime, feel free to watch the video above or on YouTube.

Why is OIT enforcing annual password changes? I heard that frequent password changes don't actually improve account security.

Industry studies on the effectiveness of password change frequencies have widely varied results, and CMU has decided on a moderate approach of one-year password expiry. We believe this meets our goals to increase account security while minimizing inconvenience to the CMU community.

Some of the information in the video and online materials suggests using a "passphrase" for my password. What is a passphrase, and why should I use it?

For CMU's Global ID password requirements, we define a "passphrase" as a password that is anywhere from 20 to 29 characters long. Of course, that only pertains to password length. The real value of using a passphrase is that we do not require the use of any special characters, uppercase letters, or special symbols in your password as long as it meets the passphrase length requirements. This means that you can create a strong password that is also simple to remember, and is much easier to enter on mobile devices.

Okay, I'm sold. I'll change my password right now. What else should I be aware of when changing my password?

That's great news! Changing your password is easy enough to do, but it does mean that you need to update your password anywhere that it's being used. For example, if you use Outlook to connect to your email, or if you have your email configured on your phone, those account connections will need to be updated with your new password. The same goes for other apps like OneDrive or even for passwords you have saved in your web browser. (By the way, you shouldn't allow your web browser to remember your Global ID password.)