IT Milk: entry

The author published this entry on Monday 29 January, 2007 at 11:29 pm. It's been filed in the Penn State University + Security category.

Penn State University’s Flawed IT Policy

If you are a Penn State student, you would have to be blind and deaf in both ears to be oblivious to the significance of February 1st. Does this phrase sound familiar to you at all: “Time is running out… have you changed your password yet?”

Every human being in the Penn State system must change their password once a year from now on. The IT staff says so because President Spanier said so. And Spanier says so because the federal government is telling him so.

Penn State University failed to meet the qualifications for proper security for a program administered by the federal government. There’s a campaign called InCommon which uses Shibboleth authentication to connect universities worldwide to facilitate research.

Two criteria for trustworthy attribute assertions by Credential Providers are: (1) that the identity management system fall under the purview of the organization’s executive or business management, and (2) the system for issuing end-user credentials (e.g. PKI certificates, userids/passwords, Kerberos principals, etc.) specifically have in place appropriate risk management measures (for example authentication and authorization standards, security practices, risk assessment, change management controls, audit trails, etc.).

Well, three more days until the big day, folks. What are the consequences if you don’t change your password by February 1st? Well, let’s just say that your career at the University is going to be shot until ITS decides to grant some mercy to your poor soul. You’ll lose every service associated with your username and password: webmail, ANGEL, et cetera.

Penn State has done a great job with its marketing campaign. I’ve received at least 9 emails about the issue and most of my professors have mentioned it at least once as if the sky were about to fall. Today I even saw a blatantly red poster slapped onto the urinal in the library bathroom.

The Conversation {1 comments}

  1. Ryan 01 February, 07 @ 12:23 am

    Well, tomorrow is the day that passwords will lock students and faculty out of the Penn State system. I will let you know how many phone calls we get tomorrow from people who ignored the signs. You would be surprised how many stupid people there are.
