Overview
This article will go over changes that will impact how Cobleskill account holders create their passwords.
Password Changes
Short summary: Password changes will be implemented on August 25, 2025, as follows:
Minimum password length – 15 characters
Password must contain – an uppercase letter, a lowercase letter, and either a number or a symbol
An additional change will be implemented 6 months later, on February 25th:
Password expiration – none
Long Summary:
Recognizing the burden of setting passwords and the value of adhering to globally recognized standards, Information Security will adjust password requirements for your SUNY Cobleskill account. Please see below the before and after changes:
Before:
Minimum password length – 8 characters
Password expiration – 6 months
Password must contain – uppercase, lowercase letters, numbers, and symbols
Now:
Minimum password length – 15 characters
Password expiration – none
Password must contain – an uppercase letter, a lowercase letter, and either a number or symbol.
These changes will be implemented in two phases. The minimum password length and complexity requirements will change on August 25th, 2025. Changes to password expiration will occur on February 25th.
Who is This Impacting?
These changes will impact all Cobleskill email account holders (students, faculty, staff, alumni, volunteers, retirees, etc.)
Why are we Changing Password Complexity?
The updated standards aim to enhance our overall information security posture and reduce risk by ensuring our authentication practices align with current regulatory frameworks, including:
- Cybersecurity Insurance Requirements: Increasingly require enforceable password policies as a condition of coverage.
- Human Risk: Constant password changes increase the use of recycled passwords, leading to weak and predictable passwords.
FAQs and Takeaways
- Am I forced to change my password the day these changes are implemented?
  - No, the changes are enforced the day your password expires, regardless of when the changes are implemented.
  - If your password expires the day after the changes are implemented, you will be prompted to change your password the day after with the new password complexity requirements.
  - If your password expires 180 days after the changes have been implemented, you will be prompted to change your password 180 days later with the new password requirements.
- Why is this done in two phases?
  - Our approach to rolling out this change in phases ensures passwords following the old requirements are phased out and all Cobleskill account holders are using the new password requirements.
- What if I am below the 15 character limit?
  - Your password will not be forcibly reset if you are below the character limit. The 15 character limit is enforced when your password expires under the current 6-month rotation.
- Can I reset my password now?
  - If you would like to reset your password to meet the new complexity requirement, you can do so by visiting the Microsoft SSPR link under the "Additional Information" section.
  - Alternatively, you can wait until your password expires and then set a password that meets the new complexity requirement.
- Since my password no longer expires, does this mean I no longer have to reset my password?
  - Generally yes, but if your account or account password is compromised, suspicious activity is observed on your account, or additional changes are pushed down from regulatory frameworks, we may ask you to reset your password or force a password change.
- Every password I attempt to create states that it is too weak or does not accept it.
  - Please review the section below for guidelines on creating passwords.
Password Creation Guidelines
Please keep in mind good password creation guidelines such as:
- Avoid using your name, username, date of birth, or any other information that is considered public. If someone can look up your name, DOB, username, or home address from a quick Google or social media search, do not use it as a password.
- Prioritize length over complexity – “this2istHepass6Wordtomy905acCount” is miles better than “!P@$$w0rD%”
- Using lyrics to your favorite song is not a good passphrase
- Use random passphrases. You can generate random passphrases by visiting the following sites:
- Never reuse the same password consecutively or for other accounts
- Use password managers where possible. This avoids having to memorize passwords and sets stronger passwords for you.
  - Have one password manager for work and another for personal use. This reduces exposure of accounts should your password manager be compromised.
  - Bitwarden, KeePass, and 1Password are all good examples of well-known and recommended password managers.
- Please review the attached articles for more information on how to create a strong password.
Our password configuration settings also take into consideration Microsoft’s guidance, so you may experience issues setting a password as it may be on Microsoft’s password blacklist. For more in-depth information on how Microsoft evaluates passwords see the link below:
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
Additional Information
If you have any questions or concerns, please do not hesitate to reach out to the service desk at 518-255-5800.
Password reset link: https://passwordreset.microsoftonline.com/