Coming soon: One password. 15 characters. No more annual resets!
Michigan Medicine is moving from two user passwords. Say goodbye to using different UMICH (Level-1) and Michigan Medicine (Level-2) passwords every day. Following password sync or reset, your UMICH password will be used for all campus and Michigan Medicine logins.
Moving to a 15-character passphrase comes with many benefits:
- No more annual resets
- No required letter or number complexity
- Fewer Duo prompts with the addition of the ‘Remember Me’ feature
- Microsoft Authenticator app to reduce M365 login prompts on your phone
- Enhanced data security
- And of course, only needing one password for work
Password sync tools
To get to one password, each person will sync their UMICH (Level-1) and Michigan Medicine (Level-2) passwords.
Password syncing WILL NOT:
- Change the resources you have access to (i.e., give you new access to campus or Michigan Medicine resources)
- Inhibit or prevent Michigan Medicine from providing 24/7 patient care and operations. Ensuring the continuity of Michigan Medicine's operations is core tenant of this project, along with data security and simplifying our users' experience.
You can start brainstorming your ideal passphrase now -- pick a phrase that is easy to type and remember that you don't use anywhere else.
Password sync: how it works
When password syncing becomes available, you will use one of two options to complete your one-time password sync.
Estimated time to sync: 5 minutes.
My UMICH Level-1 password is already 15 characters.
Sweet! Doublecheck that you're on Michigan Medicine Wi-Fi or VPN. Visit the Michigan Medicine User Profile Page and click the sync option on the password settings tab. After receiving sync confirmation via email and text, you will update your device password, then use your UMICH password for all logins moving forward.
My UMICH Level-1 password is less than 15 characters
No problem. From Michigan Medicine Wi-Fi or VPN, visit the Michigan Medicine User Profile Page to change your UMICH password to meet current requirements. After receiving password change and sync confirmations via email and text, you will update your device password and use your UMICH password for all logins to Michigan Medicine and campus resources.
But, what if I don't initiate my password sync?
You will continue to use your separate Level-1 and Level-2 passwords until your current Level-2 password expires or requires a reset. At that point, you will reset to a 15-character passphrase and automatically sync.
FAQ
How do I reset my UMICH password? What are the current requirements?
Reset your UMICH (Level-1) password in the Michigan Medicine Profile tool, or alternatively at password.it.umich.edu.
UMICH Password requirements:
- Must be 15 characters or longer
- Will be dynamically assessed for strength using an algorithm that calculates a strength score
- Will be checked against a database of known breached passwords
- Must not include parts of your name or uniqname
For more details on passwords, visit https://documentation.its.umich.edu/node/240/
What if my UMICH password doesn’t work following the sync?
If a password sync is unsuccessful for any reason, your Michigan Medicine (Level-2) password will continue to work on Michigan Medicine login pages. If you have an issue or question with syncing, submit a Help Center ticket or chat with the service desk: help.med.umich.edu/it
What password will I use to login to my Michigan Medicine device following the sync? [CoreImage PC, CoreMac, etc.]
Sync instructions will direct users to be on Michigan Medicine Wi-Fi or VPN during the sync process. This will ensure that your device password is updated to your UMICH password at the same time. Following sync confirmation, lock or restart your computer to update the device password. Mac users should also update their keychains with their UMICH password.
Will email change?
Email will continue working in the same way. Michigan Medicine will maintain the @med.umich.edu email domain and Outlook will remain our email client. To access certain cloud computing services like Office.com, you may be asked to enter your @med email address to trigger the Michigan Medicine login page, where you'll enter your uniqname and UMICH password.
No changes will be made to your email address.
With this change, can anyone with a UMICH uniqname and password log in to Michigan Medicine resources?
No, access to specific applications, websites, and programs will remain the same. The only thing that’s changing is that your UMICH (level-1) and Michigan Medicine (Level-2) passwords will be the same. HITS will continue to govern and support access to all Michigan Medicine resources.
15 characters seems like a lot and I use my password many times per day.
Moving from six characters to 15 characters IS a significant change. It comes with many benefits, like needing only one password for work, less complexity to type and remember, and no annual resets. Here are some more background on why 15 characters is our new standard:
1) Our password policy was outdated and required immediate updating. In reviewing password policies from peer institutions, many required only a few less characters while also mandating complexity and required resets. By moving to 15 characters we can drop complexity and required resets, which have been repeatedly shown to make passwords easier to hack yet harder for individuals to remember. Length is a primary factor in characterizing password strength.
2) By aligning to campus' existing password standards (which already meet security best practices) we are able to reduce the number of required passwords from two down to one. Reducing the number of passwords is not possible unless our password requirements are the same.
3) Password resets are expensive and time consuming for everyone. Michigan Medicine experiences more than 20,000 password-related issues each year, contributing to ~208 days of lost productivity, high support costs, and longer wait times at the Service Desk.
HITS conducted user experience research with employees across our enterprise to better understand the impact of making everyone's password longer. We saw that login fatigue is real because we all use our credentials many times a day for many applications. We also identified multiple ways we can reduce login frequency. Some enhancements will rollout with the password sync, like Duo Remember Me for 7 days and Microsoft Authenticator for mobile phones. Other enhancements, like expanding the use of badge tap and go, are in the works and will rollout at a later date.
Why do I need to be on MM Wi-Fi or VPN during sync?
Connection to Michigan Medicine Wi-Fi or VPN during password sync makes it easier to update your device password (i.e., the password used to unlock your computer). Full instructions on updating your device password following sync will be shared in sync confirmation notifications and available in the Michigan Medicine Help Center.
Is there a downside to syncing my passwords?
Nope, we are not aware of any risks or issues at this time. HITS and campus ITS partnered closely to align our infrastructure and password requirements, but not combine them. HITS continues to govern access to all Michigan Medicine resources. Michigan Medicine: Information Assurance is the project sponsor and worked closely with the project team to ensure all security requirements were met. The goal of this project is to make work at Michigan Medicine a bit more simple, so you have one less thing to remember.
I still have questions.
Contact the project team with additional questions at cp-technical-workgroup@umich.edu.