How often do you force password changes at your institutions for central credentials?  Do you have different policies for different groups?  Are they enforced by technology or just "suggested best practices"?
Louis Aponte
Weber State University
Ogden, Utah
Desktop Security


Message from

Enforced, everyone is the same, once per year.


Message from

We do 180 days as we could not get 90 days vetted.  We know that PCI requires 90 but feel that we have adequate additional controls in place to justify 180.


- Kevin




Chief Information Security Officer (CISO) and Assistant Vice President

Administration and Finance

University of Cincinnati



TEWG-Region 6 TLO


The University of Cincinnati is one of America's top public research institutions and the region's largest employer, with a student population of more than 41,000.



How often – 90 days

different policies for different groups - No

enforced by technology - Yes



Daniel V. O'Callaghan, Jr., MBA, CISSP

Chief Information Security Officer

Sinclair Community College

444 W Third St, 13-000B

Dayton, OH 45402





At Creighton we force complex passwords and allow them to live for 180 days.

Bryan McLaughlin
ISO
Creighton University

Message from

We have a 90-day password life enforced by AD GPO.  The GPO is applied to everyone on campus.


Aaron Childs, CCNA

Associate Director, Networking

Information Technology

Please Note: new e-mail address -


Hi Louis,

There are several password policies listed here that discuss expiration length etc. See the “Policies” tab to view all the password policies.

Please let me know if you have any questions, thank you.

Colleen Keller
Electronic Resources Librarian
EDUCAUSE - Uncommon Thinking for the Common Good

4772 Walnut Street, Suite 206
Boulder, CO 80301-2538

At Columbia College:

Complex password without repeats

Faculty and Staff: 90 days

Students: As needed (forgot, so a password reset is initiated)

Different groups: Yes

Enforcement by technology.  Several warnings are sent, then the password will no longer work after the expiration date.  User may reset via self-service.


Kevin Palmer

CIO – Columbia College