UMICH Common Password

Say goodbye to using different UMICH (Level-1) and Michigan Medicine (Level-2) passwords every day! Michigan Medicine is moving to one password.

Sync now to use your UMICH (Level-1) password to login across U-M and Michigan Medicine systems. 

As of April 3, new Michigan Medicine accounts (AMC employees, students, and sponsored accounts) set up their UMICH common password only. Their UMICH password provides access to all Level-1 and Level-2 systems their role assigns to them. More info in the FAQ. 

Benefits

Moving to one, 15-character passphrase comes with many benefits:

  • No more annual resets
  • No required letters, symbols, or number complexity
  • Enhanced data security
  • Fewer Duo prompts when using the ‘Remember Me’ feature, available now
  • Microsoft Authenticator app to reduce M365 login prompts on your phone*
  • And of course, only needing one password for work

*See Microsoft Authenticator install instructions in the Help Center. Continue to use Duo for two-factor authentication.

 

One password is just the beginning

The goal of moving to one, 15-character passphrase is simplicity and security. A passphrase without special characters or annual resets becomes easier to type and remember, making work a bit simpler. The longer passphrase is also harder to hack, strengthening our data security. Read more details about why we're making this change below.

But there are also real tradeoffs. We understand that this change amplifies login fatigue - the frustration felt from using our credentials and Duo many times each day. Moving to a common password will not change where or how many times you are prompted to login, but it is the beginning work to streamline Michigan Medicine's approach to authentication. Learn more about the efforts underway to reduce login fatigue below

Password synchronization: how it works

All employees who work at the Academic Medical Center or have a sponsored account will sync their UMICH (Level-1) and Michigan Medicine (Level-2) passwords through the User Profile Page. Following sync, your current UMICH (Level-1) password becomes your common password and the only one you need for work. 

Estimated time to sync: 5 minutes or less.

The sync process:

  1. Doublecheck that you're on Michigan Medicine Wi-Fi or VPN (VPN required for Michigan Medicine-managed computers only)
  2. Visit the Michigan Medicine User Profile Page and click the sync passwords now button.
  3. After receiving sync confirmation messages via email and text*, update the password used to unlock your computer
  4. Restart your computer (sponsored accounts should log out and close all Michigan Medicine resources in use)
  5. Login with your UMICH password for all logins moving forward! 

Recommendation: sync before you leave for a break, lunch, or for the day. This allows for time to restart your computer and for your UMICH password to update across all applications in our environment.

*Employees must have previously opted-in to receive text updates. You can opt-in on your User Profile page. 

But, what if I don't initiate my password sync? 

You will continue to use your separate Level-1 and Level-2 passwords until your current Level-2 password expires or requires a reset. At that point, you will automatically sync.

FAQ

What are the common password requirements?

UMICH password requirements are listed on your Michigan Medicine User Profile Page. You can also find them in this article: https://teamdynamix.umich.edu/TDClient/30/Portal/KB/ArticleDet?ID=11081

What if my UMICH password doesn’t work following the sync?

If a password sync is unsuccessful for any reason, your Michigan Medicine (Level-2) password will continue to work on Michigan Medicine login pages. If you initiated the sync and received a confirmation email, be sure to follow the instructions to update your device password AND restart your computer. If you have an further issue or question, submit a Help Center ticket or chat with the service desk: help.med.umich.edu/it

What password will I use to login to my Michigan Medicine device following the sync? [CoreImage PC, CoreMac, Kiosk workstation etc.]

Sync instructions will direct users to be on Michigan Medicine Wi-Fi or VPN during the sync process. This will ensure that your device password is updated to your UMICH password at the same time. Following sync confirmation:

  • CoreImage PCs should lock your computer to update the device password, then log back in with your UMICH (Level-1) password. Visit the Help Center for step-by-step instructions.
  • CoreMacs should click on the key icon in your top navigation bar and select sign out. Then sign back in with your UMICH (Level-1) password and follow the onscreen prompts to update the password saved in your keychain. Visit the Help Center for step-by-step instructions.
  • CoreImage Kiosk workstations should open the Start menu following sync confirmation, and click the red X for workstation cleanup to log out of the computer. Then sign back in with your uniqname and UMICH (Level-1) password. Visit the Help Center for step-by-step instructions.

What should I expect after I synchronize to one UMICH common password?

Follow the instructions in your sync confirmation email (delivered to your @med.umich.edu inbox) to update the password used to unlock your computer and restart. Use your uniqname and UMICH password to login to U-M and Michigan Medicine IT systems and applications. Login pages will look and feel the same as they are today, and will continue to mention "Level-2" passwords until all or most employees have moved to one password. Continue to use your uniqname@med.umich.edu email address when logging into Microsoft 365 or office.com. Use the User Profile Page to manage your password and user information.

Do new employees and students have one password?

As of April 3, onboarding notifications for new employees and students direct them to set one password only, their UMICH (Level-1) password. That password is their UMICH common password, and will provide them access to all resources their role assigns them. Once they start, they may ask you what a Level-2 password is but they don't need one and don't need to worry about it!

By December 2024, all of Michigan Medicine will use their UMICH (Level-1) password for most logins, and mentions of Level-2 passwords will be removed from websites across our enterprise.

Note: if a new employee or med student is a U-M current student, alumni, or worked for U-M previously, they have the option to keep their existing UMICH (Level-1) password if it meets current requirements. No additional action is required, this option is built-in to the Michigan Medicine onboarding process.

Is there a deadline to sync my passwords?

You can choose to sync your passwords now OR wait until your current Michigan Medicine (Level-2) password expires in the next few months due to annual reset. We expect everyone at Michigan Medicine will be synced to their UMICH common password by December 2024.

With the UMICH common password, can anyone with a UMICH uniqname and password log in to Michigan Medicine resources?

No, access to specific applications, websites, and programs will remain the same. The only thing that’s changing is that your UMICH (level-1) and Michigan Medicine (Level-2) passwords will be the same. HITS will continue to govern and support access to Michigan Medicine's resources.

Does this password change impact the way I login to specific applications?

No. The UMICH common password is built on top of our existing infrastructure. It does not change our current Michigan Medicine identity structure or technology. While each individual will now use one set of credentials (a uniqname and UMICH password) for daily work, under the hood are still two accounts and two passwords. The common password simply synchronizes your UMICH (Level-1) and Michigan Medicine (Level-2) passwords to offer great simplicity, no annual resets, strengthened data security, and support ongoing efforts to reduce login frequency.

Will resource/system account passwords change?

No, system account passwords will not change or sync at this time. Many teams across Michigan Medicine use system accounts to complete their work. System accounts are used to maintain servers, applications, and other resources. They also include Outlook resource accounts used to send email from a specific address that is not tied to an individual, like HITS-Inform or MM-Employee Message. System accounts have their own passwords and permissions based on each team's needs.

Will email change?

Email will stay the same - Michigan Medicine will maintain the @med.umich.edu email domain and Outlook will remain our email client. To access certain cloud computing services like Office.com, you may be asked to enter your @med email address to trigger the Michigan Medicine login page, where you'll enter your uniqname and UMICH password.

No changes will be made to your email address.

Who at Michigan Medicine is eligible to sync their passwords?

Employees at Michigan Medicine's Academic Medical Center (AMC) and those who have sponsored accounts will sync their passwords. The regional health network is not impacted at this time. 

15 characters seems like a lot and I use my password many times per day.

Moving from six or eight characters to 15 characters IS a significant change. It comes with many benefits, like needing only one password for work, less complexity to type and remember, and no annual resets. Here are some more background on why 15 characters is our new standard:

1) Our password policy was outdated and required immediate updating. In reviewing password policies from peer institutions, many required only a few less characters (usually 10-12 characters) while also mandating complexity and required resets. By moving to 15 characters we can safely drop complexity requirements and required resets, which have been repeatedly shown to make passwords easier to hack yet harder for individuals to remember. Length is a primary factor in characterizing password strength.   

2) By aligning to campus' existing password standards (which already meet security best practices) we are able to reduce the number of required passwords from two down to one. Reducing the number of passwords is not possible unless our password requirements are the same.

3) Password resets are expensive and time consuming for everyone. Michigan Medicine experiences more than 20,000 password-related issues each year, contributing to ~208 days of lost productivity, high support costs, and longer wait times at the Service Desk. 

HITS also conducted user experience research with employees across our enterprise to better understand the impact of making everyone's password longer. We saw that login fatigue is real because we all use our credentials many times a day for many applications. We also identified multiple ways we can reduce login frequency. Some enhancements will rollout with the password sync, like Duo Remember Me for 7 days (available now) and Microsoft Authenticator for mobile phones. Other enhancements, like expanding the use of badge tap and go and passthrough authentication, are in the works and will rollout at a later date.

Is MM Wi-Fi or VPN required to sync?

If you use a CoreImage PC or Core Mac, connection to Michigan Medicine Wi-Fi or VPN during password sync makes it easier to update your device password (i.e., the password used to unlock your computer). Full instructions on updating your device password following sync will be shared in sync confirmation notifications and available in the Michigan Medicine Help Center.

If you are external to Michigan Medicine and have a sponsored account, Michigan Medicine Wi Fi or VPN access is not required. Visit the User Profile Page to sync your passwords, and login with Duo (similar to any other password change).

Why is password length more important than complexity and special characters?

The National Institute of Standards and Technology (NIST) recommends emphasizing password length over password complexity because longer passwords are more difficult to hack AND simpler to remember than a series of meaningless characters. In essence, when a password-cracking algorithm has more characters to fill to guess the correct password, it's exponentially less likely to get it right.

Is there a security downside to syncing my passwords?

No, we are not aware of any risks or issues at this time. HITS and campus ITS partnered with Information Assurance (IA) to align our infrastructure and password requirements, but not combine them. HITS continues to govern access to all Michigan Medicine resources. Michigan Medicine: Information Assurance is the project sponsor and worked closely with the project team to ensure all security requirements were met. The goal of this project is to make work at Michigan Medicine a bit more simple, so you have one less thing to remember, while also securing our data. 

Following the August 2023 cybersecurity incident at the University, our project team completed an evaluation of the technical design, policy, and process controls. Since the UMICH common password was designed on top of our existing infrastructure, there were no technical risks identified to address. Minor adjustments were made within the project to assure the process controls continue to meet Michigan Medicine and recognized standards. For example, centralizing the password management tools for Michigan Medicine within the User Profile Page, adjustments to incident response processes, and improving documentation and designated communication protocols.

I still have questions.

Contact the project team with additional questions at cp-technical-workgroup@umich.edu.

Why passwords requirements are changing

Our current password policy no longer meets recognized standards and needs to be updated. 

The last significant change to our password policy was over 20 years ago (!) Current industry research and best practices demonstrate that short, complex passwords are too easy to hack while also being hard for humans to remember and type. Frequent password changes also encourage users to make unsafe decisions, like leaving their new password written out on their desk.
 
The goal of moving to one, 15-character passphrase is simplicity and security: one phrase that is easy to type and remember, but harder to hack. Equally important is choosing a unique passphrase that you don't use anywhere else.
 
Additionally, as the University and Michigan Medicine password requirements are aligned, we're working together to more quickly identify and disconnect compromised accounts.  
 

Michigan Medicine experiences lost time and increased frustration due to password-related issues.

Our HITS Service Desk responds to more than 20,000 password-related issues each year. That contributes to 200+ days of collective lost productivity, increased user frustration, higher support costs, and longer wait times to get IT help when you call with another issue. We expect to see password-related issues decrease so we can deploy these essential resources to serve you better.

Combatting Login Fatigue

During this project, HITS interviewed, shadowed, and talked with employees across Michigan Medicine to better understand the impact of making everyone's password longer. We heard that:

  •  Across the board, employees were enthusiastic about the prospect of eliminating annual password resets and having only one password to remember
  •  BUT they also expressed frustration with login fatigue —  caused by entering our credentials many times a day for many applications.   

How can I reduce the number of times I enter my credentials today?

Sign in to shared computers with your MCard

Throughout the hospitals and in many ambulatory clinics, badge readers are deployed to allow for quick login with a badge tap (known as tap and go) instead of entering your uniqname and password. 

You must enroll your badge in the Imprivata application to login with your MCard. Enrollment instructions are available in the Help Center.

After enrolling, you will need to enter your password at the beginning of each shift to activate your account in Imprivata. Once authenticated, you can use tap-n-go to access Kiosk computers for ~4 hours before you are asked to enter your password again.  

  • Always tap the badge reader again to lock the workstation if you need to step away. All applications remain open when locked.
  • If you are done using that workstation for now, log out using the yellow X.

Today, badge readers are available on approximately 70 percent of Kiosk computers used across the hospital, ambulatory clinics, and some research areas. If badge readers are not in your area, please know expansion of this technology is planned. HITS is assessing our current fleet of badge readers across Michigan Medicine so we can make them more widely available.

Duo Remember Me

When using Duo, select ‘Remember this device’ if you’re on a single-user or personal device after confirming a prompt. This will bypass Duo prompts to that application for the next seven days. This feature was enabled for Michigan Medicine in October of 2023.

Authenticator for Microsoft 365 mobile applications

Checking email, accessing SharePoint, joining a Teams call, or editing a document from your phone or tablet? Download the Microsoft Authenticator app from the Apple or Android App Store to streamline logins across M365 mobile applications. Information and install instructions available in the Help Center.

Set a pin to access Rover

Reduce the number of times you enter your password by setting a six-digit pin in Rover at the beginning of each shift.

1. On your device, tap to open Rover and enter your username and Level-2 password.

2. Set a PIN. 

  • You may use a PIN to log into Rover instead of your username and password if the app times out throughout your shift.
  • Using a PIN is optional. You can tap Ask me later or Don't ask again if you want to set a PIN later. 
  • PIN is 6 digits or more

See more in the Rover User Guide in the Help Center.