UMICH Common Password

If a password sync is unsuccessful for any reason, your Michigan Medicine (Level-2) password will continue to work on Michigan Medicine login pages. If you initiated the sync and received a confirmation email, be sure to follow the instructions to update your device password AND restart your computer. If you have an further issue or question, submit a Help Center ticket or chat with the service desk: help.med.umich.edu/it

Sync instructions will direct users to be on Michigan Medicine Wi-Fi or VPN during the sync process. This will ensure that your device password is updated to your UMICH password at the same time. Following sync confirmation:

• CoreImage PCs should lock your computer to update the device password, then log back in with your UMICH (Level-1) password. Visit the Help Center for step-by-step instructions.
• CoreMacs should click on the key icon in your top navigation bar and select sign out. Then sign back in with your UMICH (Level-1) password and follow the onscreen prompts to update the password saved in your keychain. Visit the Help Center for step-by-step instructions.
• CoreImage Kiosk workstations should open the Start menu following sync confirmation, and click the red X for workstation cleanup to log out of the computer. Then sign back in with your uniqname and UMICH (Level-1) password. Visit the Help Center for step-by-step instructions.

Follow the instructions in your sync confirmation email to update the password used to unlock your computer and restart. Use your uniqname and UMICH password to login to U-M and Michigan Medicine IT systems and applications. Login pages will look and feel the same as they are today, and will continue to mention "Level-2" passwords until all or most employees have moved to one password. Continue to use your uniqname@med.umich.edu email address when logging into Microsoft 365 or office.com. Use the User Profile Page to manage your password and user information.

As of April 3, onboarding notifications for new employees and students direct them to set one password only, their UMICH (Level-1) password. That password is their UMICH common password, and will provide them access to all resources their role assigns them. Once they start, they may ask you what a Level-2 password is but they don't need one and don't need to worry about it!

By December 2024, all of Michigan Medicine will use their UMICH (Level-1) password for most logins, and mentions of Level-2 passwords will be removed from websites across our enterprise.

Note: if a new employee or student is a U-M current student, alumni, or worked for U-M previously, they still need to set a new UMICH (level-1) password to activate their Michigan Medicine account. This new password will replace their existing UMICH password to provide access to all UMICH (Level-1) and Michigan Medicine (Level-2) resources their role grants them access to. Please note: we are working to streamline this process for newcomers with existing Level-1 passwords. We will share updates as soon as they are available.

You can choose to sync your passwords now OR wait until your current Michigan Medicine (Level-2) password expires in the next few months due to annual reset. We expect everyone at Michigan Medicine will be synced to their UMICH common password by December 2024.

No, access to specific applications, websites, and programs will remain the same. The only thing that’s changing is that your UMICH (level-1) and Michigan Medicine (Level-2) passwords will be the same. HITS will continue to govern and support access to Michigan Medicine's resources.

No. The UMICH common password is built on top of our existing infrastructure. It does not change or alter our current Michigan Medicine identity structure or technology. While each individual will now use one set of credentials (a uniqname and UMICH password) for daily work, under the hood are still two accounts and two passwords. The common password simply synchronizes your UMICH (Level-1) and Michigan Medicine (Level-2) passwords to offer great simplicity, no annual resets, strengthened data security, and support ongoing efforts to reduce login frequency.

No, system account passwords will not change or sync at this time. Many teams across Michigan Medicine use system accounts to complete their work. System accounts are used to maintain servers, applications, and other resources. They also include Outlook resource accounts used to send email from a specific address that is not tied to an individual, like HITS-Inform or MM-Employee Message. System accounts have their own passwords and permissions based on each team's needs.

Email will stay the same - Michigan Medicine will maintain the @med.umich.edu email domain and Outlook will remain our email client. To access certain cloud computing services like Office.com, you may be asked to enter your @med email address to trigger the Michigan Medicine login page, where you'll enter your uniqname and UMICH password.

Employees at Michigan Medicine's Academic Medical Center (AMC) and those who have sponsored accounts will sync their passwords. The regional health network is not impacted at this time. 

Moving from six characters to 15 characters IS a significant change. It comes with many benefits, like needing only one password for work, less complexity to type and remember, and no annual resets. Here are some more background on why 15 characters is our new standard:

1) Our password policy was outdated and required immediate updating. In reviewing password policies from peer institutions, many required only a few less characters (usually 10-12 characters) while also mandating complexity and required resets. By moving to 15 characters we can drop complexity and required resets, which have been repeatedly shown to make passwords easier to hack yet harder for individuals to remember. Length is a primary factor in characterizing password strength.   

2) By aligning to campus' existing password standards (which already meet security best practices) we are able to reduce the number of required passwords from two down to one. Reducing the number of passwords is not possible unless our password requirements are the same.

3) Password resets are expensive and time consuming for everyone. Michigan Medicine experiences more than 20,000 password-related issues each year, contributing to ~208 days of lost productivity, high support costs, and longer wait times at the Service Desk. 

HITS conducted user experience research with employees across our enterprise to better understand the impact of making everyone's password longer. We saw that login fatigue is real because we all use our credentials many times a day for many applications. We also identified multiple ways we can reduce login frequency. Some enhancements will rollout with the password sync, like Duo Remember Me for 7 days (available now) and Microsoft Authenticator for mobile phones. Other enhancements, like expanding the use of badge tap and go, are in the works and will rollout at a later date.

Connection to Michigan Medicine Wi-Fi or VPN during password sync makes it easier to update your device password (i.e., the password used to unlock your computer). Full instructions on updating your device password following sync will be shared in sync confirmation notifications and available in the Michigan Medicine Help Center.

If you are external to Michigan Medicine and have a sponsored account, Michigan Medicine Wi Fi or VPN access are not required. Visit the User Profile Page to sync your passwords, and login with Duo (similar to any other password change).

No, we are not aware of any risks or issues at this time. HITS and campus ITS partnered with Information Assurance (IA) to align our infrastructure and password requirements, but not combine them. HITS continues to govern access to all Michigan Medicine resources. Michigan Medicine: Information Assurance is the project sponsor and worked closely with the project team to ensure all security requirements were met. The goal of this project is to make work at Michigan Medicine a bit more simple, so you have one less thing to remember, while also securing our data. 

Following the August 2023 cybersecurity incident at the University, our project team completed an evaluation of the technical design, policy, and process controls. Since the UMICH common password was designed on top of our existing infrastructure, there were no technical risks identified to address. Minor adjustments were made within the project to assure the process controls continue to meet Michigan Medicine and recognized standards. For example, centralizing the password management tools for Michigan Medicine within the User Profile Page, adjustments to incident response processes, and improving documentation and designated communication protocols.

Contact the project team with additional questions at cp-technical-workgroup@umich.edu.

Throughout the hospitals and in many ambulatory clinics, badge readers are deployed to allow for quick login with a badge tap (known as tap and go) instead of entering your uniqname and password. 

You must enroll your badge in the Imprivata application to login with your MCard. Enrollment instructions are available in the Help Center.

After enrolling, you will need to enter your password at the beginning of each shift to activate your account in Imprivata. Once authenticated, you can use tap-n-go to access Kiosk computers for ~4 hours before you are asked to enter your password again.  

• Always tap the badge reader again to lock the workstation if you need to step away. All applications remain open when locked.
• If you are done using that workstation for now, log out using the yellow X.

Today, badge readers are available on approximately 70 percent of Kiosk computers used across the hospital, ambulatory clinics, and some research areas. If badge readers are not in your area, please know expansion of this technology is planned. HITS is assessing our current fleet of badge readers across Michigan Medicine so we can make them more widely available.

When using Duo, select ‘Remember this device’ if you’re on a single-user or personal device after confirming a prompt. This will bypass Duo prompts to that application for the next seven days. This feature was enabled for Michigan Medicine in October of 2023.

Checking email, accessing SharePoint, joining a Teams call, or editing a document from your phone or tablet? Download the Microsoft Authenticator app from the Apple or Android App Store to streamline logins across M365 mobile applications. Information and install instructions available in the Help Center.

Reduce the number of times you enter your password by setting a six-digit pin in Rover at the beginning of each shift.

1. On your device, tap to open Rover and enter your username and Level-2 password.

2. Set a PIN. 

• You may use a PIN to log into Rover instead of your username and password if the app times out throughout your shift.
• Using a PIN is optional. You can tap Ask me later or Don't ask again if you want to set a PIN later. 
• PIN is 6 digits or more

See more in the Rover User Guide in the Help Center.