UMICH Common Password

UMICH: The one password to access every U-M and Michigan Medicine resource.

Coming in April! One password. 15 characters. No more annual resets! 

Ready to say goodbye to using different UMICH (Level-1) and Michigan Medicine (Level-2) passwords every day? Coming soon, your UMICH password will be used for all campus and Michigan Medicine logins.

Moving to one, 15-character passphrase comes with many benefits:

  • No more annual resets
  • No required letter or number complexity
  • Fewer Duo prompts when using the ‘Remember Me’ feature, available now
  • Microsoft Authenticator app to reduce M365 login prompts on your phone
  • Enhanced data security
  • And of course, only needing one password for work

Password sync tools

Each person will sync their UMICH (Level-1) and Michigan Medicine (Level-2) passwords in the Michigan Medicine User Profile Page. After syncing, your current UMICH (level-1) password becomes your common password and the only one you need for work.  You’ll have one password that easier to type and remember but harder to hack, with no annual reset.

Password syncing WILL NOT:

  • Change the resources you have access to (i.e., give you new access to campus or Michigan Medicine resources)
  • Inhibit or prevent Michigan Medicine from providing 24/7 patient care, research, and operations. Should there be a need, Michigan Medicine (Level-2) passwords can be quickly reinstated. 

You can start brainstorming your ideal passphrase now -- pick a phrase that is easy to type and remember that you don't use anywhere else. 

Password sync: how it works

Timeline for the Common Password Project. It includes 4 phases. Phase 1: HITS and IA sync on March 26. Phase 2: IT Stakeholder sync on April 3. Phase 3: self-sync tools available to all of Michigan Medicine on April 10. Phase 4: self syncing through 2024.

When password syncing becomes available, visit the Michigan Medicine User Profile Page to complete your one-time password sync. Estimated time to sync: 5 minutes or less.

Recommendation: sync before you leave for lunch, a break, or for the day. That will give your UMICH password ample time to update across all applications in our environment.

The sync process:

  1. Doublecheck that you're on Michigan Medicine Wi-Fi or VPN.
  2. Visit the Michigan Medicine User Profile Page and click the sync passwords now button.
  3. After receiving sync confirmation messages via email and text, update your CoreImage or CoreMac device password, and use your UMICH password for all logins moving forward. 

But, what if I don't initiate my password sync? 

You will continue to use your separate Level-1 and Level-2 passwords until your current Level-2 password expires or requires a reset. At that point, you will automatically sync.

Why passwords requirements are changing

Our current password policy no longer meets recognized standards and needs to be updated. 

The last significant change to our password policy was over 20 years ago (!) Current industry research and best practices demonstrate that short, complex passwords are too easy to hack while also being hard for humans to remember and type. Frequent password changes also encourage users to make unsafe decisions, like leaving their new password written out on their desk.
 
The goal of moving to one, 15-character passphrase is simplicity and security: one phrase that is easy to type and remember, but harder to hack. Equally important is choosing a unique passphrase that you don't use anywhere else.
 
Additionally, as the University and Michigan Medicine password requirements are aligned, we're working together to more quickly identify and disconnect compromised accounts.  
 

Michigan Medicine experiences lost time and increased frustration due to password-related issues.

Our HITS Service Desk responds to more than 20,000 password-related issues each year. That contributes to 200+ days of collective lost productivity, increased user frustration, higher support costs, and longer wait times to get IT help when you call with another issue. We expect to see password-related issues decrease so we can deploy these essential resources to serve you better.

FAQ

What if my UMICH password doesn’t work following the sync?

If a password sync is unsuccessful for any reason, your Michigan Medicine (Level-2) password will continue to work on Michigan Medicine login pages. If you have an issue or question with syncing, submit a Help Center ticket or chat with the service desk: help.med.umich.edu/it

What password will I use to login to my Michigan Medicine device following the sync? [CoreImage PC, CoreMac, etc.]

Sync instructions will direct users to be on Michigan Medicine Wi-Fi or VPN during the sync process. This will ensure that your device password is updated to your UMICH password at the same time. Following sync confirmation, lock or restart your computer to update the device password. Mac users should also update their keychains with their UMICH password.

What should I expect after I synchronize to one UMICH common password?

Use your uniqname and UMICH password to login to U-M and Michigan Medicine IT systems and applications. Login pages will look and feel the same as they are today. Continue to use your uniqname@med.umich.edu email address when logging into Microsoft 365 or office.com. Use the User Profile Page to manage your password and user information.

Will email change?

Email will stay the same - Michigan Medicine will maintain the @med.umich.edu email domain and Outlook will remain our email client. To access certain cloud computing services like Office.com, you may be asked to enter your @med email address to trigger the Michigan Medicine login page, where you'll enter your uniqname and UMICH password.

No changes will be made to your email address.

With this change, can anyone with a UMICH uniqname and password log in to Michigan Medicine resources?

No, access to specific applications, websites, and programs will remain the same. The only thing that’s changing is that your UMICH (level-1) and Michigan Medicine (Level-2) passwords will be the same. HITS will continue to govern and support access to Michigan Medicine's resources.

Does this password change impact the way I login to specific applications?

No. The UMICH common password is built on top of our existing infrastructure. It does not change or alter our current Michigan Medicine identity structure or technology. While each individual will now use one set of credentials (a uniqname and UMICH password) for daily work, under the hood are still two accounts and two passwords. The common password simply synchronizes your UMICH (Level-1) and Michigan Medicine (Level-2) passwords to offers great simplicity, no annual resets, strengthened data security, and support ongoing efforts to reduce login frequency.

15 characters seems like a lot and I use my password many times per day.

Moving from six characters to 15 characters IS a significant change. It comes with many benefits, like needing only one password for work, less complexity to type and remember, and no annual resets. Here are some more background on why 15 characters is our new standard:

1) Our password policy was outdated and required immediate updating. In reviewing password policies from peer institutions, many required only a few less characters (usually 10-12 characters) while also mandating complexity and required resets. By moving to 15 characters we can drop complexity and required resets, which have been repeatedly shown to make passwords easier to hack yet harder for individuals to remember. Length is a primary factor in characterizing password strength.   

2) By aligning to campus' existing password standards (which already meet security best practices) we are able to reduce the number of required passwords from two down to one. Reducing the number of passwords is not possible unless our password requirements are the same.

3) Password resets are expensive and time consuming for everyone. Michigan Medicine experiences more than 20,000 password-related issues each year, contributing to ~208 days of lost productivity, high support costs, and longer wait times at the Service Desk. 

HITS conducted user experience research with employees across our enterprise to better understand the impact of making everyone's password longer. We saw that login fatigue is real because we all use our credentials many times a day for many applications. We also identified multiple ways we can reduce login frequency. Some enhancements will rollout with the password sync, like Duo Remember Me for 7 days (available now) and Microsoft Authenticator for mobile phones. Other enhancements, like expanding the use of badge tap and go, are in the works and will rollout at a later date.

Why do I need to be on MM Wi-Fi or VPN during sync?

Connection to Michigan Medicine Wi-Fi or VPN during password sync makes it easier to update your device password (i.e., the password used to unlock your computer). Full instructions on updating your device password following sync will be shared in sync confirmation notifications and available in the Michigan Medicine Help Center.

Is there a security downside to syncing my passwords?

No, we are not aware of any risks or issues at this time. HITS and campus ITS partnered with Information Assurance (IA) to align our infrastructure and password requirements, but not combine them. HITS continues to govern access to all Michigan Medicine resources. Michigan Medicine: Information Assurance is the project sponsor and worked closely with the project team to ensure all security requirements were met. The goal of this project is to make work at Michigan Medicine a bit more simple, so you have one less thing to remember, while also securing our data. 

Following the August 2023 cybersecurity incident at the University, our project team completed an evaluation of the technical design, policy, and process controls. Since the UMICH common password was designed on top of our existing infrastructure, there were no technical risks identified to address. Minor adjustments were made within the project to assure the process controls continue to meet Michigan Medicine and recognized standards. For example, centralizing the password management tools for Michigan Medicine within the User Profile Page, adjustments to incident response processes, and improving documentation and designated communication protocols.

I still have questions.

Contact the project team with additional questions at cp-technical-workgroup@umich.edu.