New NetID password protocol aims to foil phishing scams

The UW-Madison Information Technology Committee (ITC) and the Madison Technical Advisory Group (MTAG) recently approved a new control for enforcing changes to the NetID password. The control was put in place in response to what happened during the recent wave of campus phishing scams, in which several campus users had their accounts compromised. DoIT froze those accounts, reset their passwords and asked the users to set new passwords. Several customers went back to a recently used password, which allowed the phishing compromise to continue.

The new control requires NetID customers whose password is reset through DoIT to choose a new password that they have NOT used within the past 12 months. In addition, customers may not reuse any of their last three passwords, even when the password has not been reset within the past year. Other campus systems are encouraged to implement similar controls to prevent the reuse of passwords.
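As an added illustration of the two-part rule above (not DoIT's own code), the check below keeps a salted PBKDF2 hash of each previous password together with the date it was set, and blocks a candidate that matches any password used within the past 12 months or any of the last three passwords regardless of age. The history entries and dates are constructed sample data, and the 12-month window is approximated as 365 days.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Work factor for PBKDF2-HMAC-SHA256; kept modest so the example runs quickly.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash so plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def record_password(history: list, password: str, set_at: datetime) -> None:
    """Append (salt, hash, date set) for a newly chosen password."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt), set_at))


def reuse_violation(history: list, candidate: str, now: datetime,
                    window_days: int = 365, last_n: int = 3):
    """Return a reason string if the candidate is blocked by the policy, else None."""
    cutoff = now - timedelta(days=window_days)
    # Most recent password first, so index 0..last_n-1 are the last three.
    by_recency = sorted(history, key=lambda rec: rec[2], reverse=True)
    for idx, (salt, stored, set_at) in enumerate(by_recency):
        if not hmac.compare_digest(hash_password(candidate, salt), stored):
            continue
        if set_at >= cutoff:
            return "used within the past 12 months"
        if idx < last_n:
            return "one of the last three passwords"
    return None


def sample_history() -> list:
    """Constructed history: five passwords set between 2009 and 2011."""
    history = []
    record_password(history, "pw-A", datetime(2009, 1, 1))
    record_password(history, "pw-B", datetime(2009, 6, 1))
    record_password(history, "pw-C", datetime(2010, 1, 1))
    record_password(history, "pw-D", datetime(2010, 9, 1))
    record_password(history, "pw-E", datetime(2011, 3, 1))
    return history


if __name__ == "__main__":
    now = datetime(2011, 6, 1)
    for pw in ("pw-E", "pw-D", "pw-C", "pw-B", "pw-F"):
        print(pw, "->", reuse_violation(sample_history(), pw, now) or "accepted")
```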

Phishing scams are rampant, and since any individual breach poses problems for the campus as a whole, an MTAG working group has been formed to develop recommendations to address this problem from a campus perspective. For more information on avoiding phishing scams, see: