You may recall that last year we started a process to require
annual password changes. We suspended implementation as we tried to
develop a better way to integrate with the AD system. Ultimately, in
mid spring semester we realized that that integration was more
time-consuming than we'd expected and concluded that we should
implement without it for now.
So we're proceeding with the systems we have in place for
supporting and enforcing password changes.
But, mindful of everyone's concern a year ago about the workload
this might generate for Client Services and Distributed Support staff,
and about the disruption it might cause some of our clients, we're
proceeding with a pilot group of 100 clients initially. Those clients
will receive personalized emails on Tuesday in a form like this:
The UVM Helpline phone has been updated with password change
information to help our customers and verify that the message is really
from UVM and not a phishing attempt.
I believe we've been very effective in educating the UVM community
about password-harvesting scams, and so it's likely many in our
community will ignore the email. We're hoping that they will at least
talk with a support-provider they trust, or call the Helpline. So if
you do get calls questioning the authenticity of the email, please
confirm that they're talking about THIS email notification (and not
some scam) and then reply "yes, you'll need to change your password"
and make sure they're using the correct link (https://www.uvm.edu/account/).
We'll be using this pilot of 100 clients, broadly distributed
across campus but all with very old passwords, to gather information
about how to handle this more effectively and efficiently as we scale
this up across campus. As always, your observations and advice will be
very much appreciated.