End to the requirement to change passwords after a set period of time for the Einheitlicher Mitarbeiteraccount

The Presidential Board of the University of Göttingen and the Management Board of the University Medical Center Göttingen (UMG) have ended the requirement to change passwords for the Einheitlicher Mitarbeiteraccount (EMA, staff accounts to access services such as email) after one year (or after 90 days if access to SAP is available).

This means that in the future, no requests to change passwords will be sent by email and accounts will no longer be blocked after missing the deadline. Reminders that were sent before this decision was implemented on 19 January 2021 can be ignored.

This change is possible because the requirement to regularly update your password has been removed from national and international standards, including most recently by the Federal Office for Information Security (BSI) in 2020. The University therefore also no longer has to comply with such standards. In fact, the BSI now explicitly recommends avoiding such regular prompting to change your password.

Despite this change, which I’m sure most people will see as a relief, it is important to pay attention to password security.

Now is the right time to set a secure password for your EMA once again, which can then be kept for longer. For this reason, please check whether your current password is really appropriate.

All other rules for password use remain valid. You can find these in the University’s information security guideline in security measure A.10.

One rule should be particularly pointed out here, because removing the requirement to change passwords regularly could lead to incorrect handling and increasing risks: Under no circumstances may EMA passwords be used for other services (eg private email accounts or online shops). The differences between EMA passwords and other passwords (and, for logical reasons anyway, between passwords for different services) must be significant; in particular, there should be no systematic correlations that could be used to deduce one password from another.

It should also be noted that you will now definitely no longer receive any requests by email from the University, the UMG or the GWDG to change your password. This should make it easier for you to recognise phishing emails (ie scams which induce individuals to reveal personal information), which prompt you to change your password. The University, UMG and GWDG will also never ask you to log in via any links sent in emails for reasons such as: your quota has allegedly been exceeded; security functions have been improved; or systems have been changed. Such emails always come from cyber criminals who want to entice you to enter your details on a fake page and use them for criminal purposes.