New Password Policy
Effective May 2021, Duke implemented a new password policy that eliminates the need for most users to change NetID passwords unless they are compromised. The new policy aligns with national standards, which suggest that short passwords that are changed frequently are less secure.
The updated password policy removes password expirations and will no longer require Duke Health users and sponsored guests to regularly update passwords associated with their Duke NetID, which is synced with all users’ Duke Health Enterprise (DHE) accounts. In addition, the option to update passwords using CTRL+ALT+Delete is no longer available.
How to Update Password
When a user's password expires for the final time, that user will receive an email to create a new password that will not expire. However, Duke Health users and sponsored guests do not have to wait for their current password to expire and can update their password anytime via the OIT Account Self Service Portal.
Tip: If working remotely (at a non-Duke site), users should connect to the Duke Virtual Private Network (VPN) before updating passwords (see page 29 of the Technology Toolkit for more information about the VPN).
Why is Duke Changing the NetID Password Policy?
The National Institute of Standards and Technology (NIST) has established that updating passwords regularly does not generally increase security or enhance usability. NIST also found that when passwords are updated frequently, users resort to workarounds that can ultimately decrease the effectiveness of security controls.
What are the criteria for creating a new password?
Passwords must now be at least 12 characters and pass a basic complexity check. How you create a complex password is up to you; specific format requirements (such as special characters) will no longer apply.
Once I create a new password, will I have to update my password again in the future?
You will only be required to update the password associated with your NetID and DHE accounts if there is an indication that your account has been compromised.
What happens if my password is compromised?
If you think that your password has been compromised, immediately change it by visiting the OIT Account Self Service Portal and contact email@example.com.
Will I still be able to change my password using CTRL+ALT+Delete?
No, the ability to update a password using CTRL+ALT+Delete will no longer be supported. The only way to update passwords is by visiting the OIT Account Self Service Portal.