In the spring of 2023, Anne Arundel Community College (AACC) implemented a new student and employee portal while transitioning from ADFS to Azure SSO for authentication. This change required users to log in with their full institutional email address instead of a username, a significant adjustment for faculty, staff, and students. Initially, AACC planned to retain its existing password policy, which required a minimum of 8 characters drawn from at least three of four character classes: uppercase letters, lowercase letters, numbers, and special characters. The policy also enforced a 90-day password expiration cycle for employees, with reminder emails sent beginning 14 days before expiration.

After several months on Azure SSO, AACC's IT division discovered that Azure was not enforcing Active Directory (AD) password expiration as ADFS had. Employees could therefore continue to access Azure-fronted services with expired passwords, while services tied directly to AD, such as wired network connections, still prompted them to change their passwords. Because a significant portion of employees worked remotely, many were unaware that their passwords had expired and continued to use them without interruption.

To address this gap, the IT security team worked with the service desk on a solution to restore the 90-day reset cycle. After assessing the complexity of enforcing the change, which would have required extensive support and caused disruption, AACC opted for a different approach: the situation presented an opportunity to realign the college's password policy with the latest National Institute of Standards and Technology (NIST) guidelines.
According to NIST, frequent forced password changes are no longer recommended when strong password requirements and multi-factor authentication (MFA) are in place, as periodic changes can lead to poor password habits like reusing or slightly modifying old passwords, making them vulnerable to breaches.
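As an added illustration that is not part of the original case study, the Python below puts AACC's legacy rule from the text (8 characters, three of four classes, 90-day expiry) beside a NIST SP 800-63B-style check (length and blocklist only, no composition rule, no periodic expiry) and shows why the legacy rule invites the "slightly modified old password" habit. The 8-to-64 length bounds, the blocklist and the sample passwords are constructed for the example.

```python
import re
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed stand-in for a breached/common-password blocklist (lower-cased).
BLOCKLIST = {"password1", "welcome1!", "spring2023!", "aacc2023!"}


def legacy_ok(pw: str) -> bool:
    """Pre-2023 AACC rule: at least 8 characters and 3 of 4 character classes."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3


def legacy_expired(last_set: date, today: date, max_age_days: int = 90) -> bool:
    """The 90-day expiry that ADFS enforced and Azure SSO did not."""
    return today - last_set > timedelta(days=max_age_days)


def _core(pw: str) -> str:
    """Letters only, lower-cased: 'Autumn2023!' -> 'autumn'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def nist_ok(new_pw: str, old_pw: Optional[str] = None) -> Tuple[bool, str]:
    """NIST SP 800-63B-style acceptance: length and blocklist, no composition
    rule, no periodic expiry. Assumed bounds 8..64 (8 is NIST's floor when MFA
    is present). Also rejects a trivial rotation of the previous password."""
    if not 8 <= len(new_pw) <= 64:
        return False, "length"
    if new_pw.lower() in BLOCKLIST:
        return False, "blocklisted"
    if old_pw is not None and (old_pw in new_pw or _core(new_pw) == _core(old_pw)):
        return False, "trivial rotation of previous password"
    return True, "ok"


if __name__ == "__main__":
    # A forced 90-day change often yields the same word with the year bumped:
    # legal under the legacy rule, rejected by the rotation check.
    print(legacy_ok("Autumn2024!"), nist_ok("Autumn2024!", "Autumn2023!"))
    # A long passphrase fails the composition rule but is fine under NIST.
    print(legacy_ok("correct horse battery staple"),
          nist_ok("correct horse battery staple"))
    # Whether the old cycle would have flagged an employee set on 1 Jan 2023.
    print(legacy_expired(date(2023, 1, 1), date(2023, 4, 2)))
```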