New Password Policy

April 21, 2021

New Password Policy for Duke Accounts

Effective May 2021, Duke implemented a new password policy that eliminates the need for most users to change NetID passwords unless they are compromised. The new policy aligns with national standards that suggest short passwords that are changed frequently are less secure.

The updated password policy removes password expirations and will no longer require Duke Health users and sponsored guests to regularly update passwords associated with their Duke NetID, which is synced with all users’ Duke Health Enterprise (DHE) accounts. In addition, the option to update passwords using CTRL+ALT+Delete is no longer available.

How to Update Password

When users’ passwords expire a final time, each user will receive an email to create a new password that will not expire. However, Duke Health users and sponsored guests do not have to wait for their current password to expire and can update their password at any time via the OIT Account Self Service Portal.

Tip: If working remotely (at a non-Duke site), users should connect to the Duke Virtual Private Network (VPN) before updating passwords (see page 29 of the Technology Toolkit for more information about the VPN).

Why is Duke Changing the NetID Password Policy?

The National Institute of Standards and Technology (NIST) has established that updating passwords regularly does not generally increase security or enhance usability. NIST also found that when passwords are updated frequently, users resort to workarounds that can ultimately decrease the effectiveness of security controls.

FAQ

What are the criteria for creating a new password?

Passwords must now be at least 12 characters and pass a basic complexity check. How you create a complex password is up to you; specific format requirements (such as special characters) will no longer apply.

Once I create a new password, will I have to update my password again in the future?

You will only be required to update the password associated with your NetID and DHE accounts if there is an indication that your account has been compromised.

What happens if my password is compromised?

If you think that your password has been compromised, immediately change it by visiting the OIT Account Self Service Portal and contact security@duke.edu.

Will I still be able to change my password using CTRL+ALT+Delete?

No, the ability to update a password using CTRL+ALT+Delete will no longer be supported. The only way to update a password is to visit the OIT Account Self Service Portal.

Remember: Never use your Duke NetID and password when creating or updating login information on non-Duke systems.