The University of Canberra's curious 10-year refusal to make its computer network users change their passwords regularly
The University of Canberra has again refused to force all users of its computer systems to regularly change their passwords, ignoring recommendations the ACT Auditor-General has urged be taken on at the institution since 2006.
The ACT Auditor-General's latest audit of all territory government bodies has again called on the university to make the changes to protect its information technology systems against potentially "unauthorised" or "fraudulent" access.
While the university has made a number of other changes to improve the protection of its IT system in the past few years, in response to a series of previous audits, it has again refused to enforce regular password changes on users.
It follows a year marked by a string of cyber attacks, from the four overseas distributed denial of service (DDoS) attacks on Census night through to the alleged Russian hacking and public release through Wikileaks of emails circulating through Hillary Clinton's accounts.
The federal Department of Communications has estimated the average cost of cyber attacks on Australian businesses to be about $276,000, while the United States has estimated such attacks cost its economy about US$100 billion a year.
A university spokeswoman argued, citing some US research, that forcing users to regularly change passwords could actually lead them to use weaker passwords, thus sacrificing security.
The debate between the two ACT public institutions over time-limited passwords is one playing out across the globe.
But cyber security expert Professor Greg Austin, and many others like him, advocate for "multi-factor authentication" as the best protection for such organisations.
That method requires users to verify their identity with more than the correct password alone, for instance by also entering a code sent to their phone via text message or answering a specific question. The university does not require this of all users.
The audit found the university has ensured system administrators are forced to regularly change their passwords and restricted those administrators from installing changes to their desktop computers in the past year.
But those same changes have not been made for all users of the IT networks, the audit found.
"Furthermore, the university has not implemented a system for checking whether users other than administrators are changing their passwords every eight weeks as required by the university's policy for passwords," the audit reads.
"The risk of unauthorised (including fraudulent) access increases if users do not regularly change their passwords."
But a university spokeswoman said the institution was "confident on the security of its IT systems, which is regularly reviewed and updated".
"Advice from major companies such as Microsoft regarding password security practice is to actually eliminate mandatory periodic password resets for user accounts," she said.
"Current international research strongly indicates that although password expiration is useful in some cases, it has a negative effect on common users given that they don't opt for an independent, new password but rather choose to update their old one, making it easier to predict by cyber criminals."
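The spokeswoman's argument is that forced expiry produces predictable updates of the old password (an appended or incremented digit, a swapped symbol) rather than a genuinely new one. The check below is an added illustration, not the university's policy or any vendor's code: it reduces the old and new passwords to their alphabetic stem, undoing common leetspeak substitutions and dropping the leading and trailing digits or punctuation that users typically bump, and rejects a change that is a trivial variant of its predecessor. The similarity threshold is an assumed value for illustration.

```python
import re
from difflib import SequenceMatcher

# Common single-character substitutions users apply when "refreshing" a password.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def stem(password: str) -> str:
    """Reduce a password to its alphabetic core.

    Leading/trailing digits and punctuation (the parts people increment or
    append on a forced change) are dropped first, then the remainder is
    lower-cased, leetspeak is undone, and any other non-letters removed.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return re.sub(r"[^a-z]", "", core.lower().translate(LEET))


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """Return True when the new password is predictably derived from the old.

    Two tests: an identical alphabetic stem (Winter2023! -> Winter2024!,
    P@ssw0rd -> Password), or an overall character similarity at or above
    the assumed threshold. Either means the rotation bought little.
    """
    if not new or new == old:
        return True
    old_stem = stem(old)
    if old_stem and old_stem == stem(new):
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold


if __name__ == "__main__":
    # Constructed sample pairs: the first three are the incremental updates the
    # research describes; the last is an unrelated replacement.
    pairs = [("password1", "password2"), ("Winter2023!", "Winter2024!"),
             ("P@ssw0rd", "Password"), ("Tr0ub4dor&3", "correcthorsebatterystaple")]
    for old, new in pairs:
        verdict = "REJECT (trivial variant)" if is_trivial_variant(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

A policy that drops mandatory expiry but runs a check like this on every voluntary or breach-driven change addresses the predictability problem the spokeswoman describes without pushing users toward weaker choices.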
Professor Austin, from the Australian Centre for Cyber Security at UNSW Canberra, said he found it a "very interesting issue" and that he understood some of Australia's universities that teach courses on cyber security may have lax internal protections in place.
"Universities are just like corporations or any other businesses and given many Australian corporations are behind on keeping up to date with cyber security developments, we'd be surprised if [universities] were any different," he said.
"But I think what the universities need to take account of is that they are the treasure trove of Australia's intellectual capital in science, technology and other areas - for example some of our universities do leading research with the United States Department of Defence.
"Some of our universities are at the cutting edge of IT, at UNSW, we have a quantum computing centre and there would be all sorts of governments and corporations keen to get their hands on the confidential information from some of that research."
But Professor Austin said there could also be cyber-security risks for universities when it came to information unrelated to research.
"There's other data that universities hold, like interview data and records on politicians and, indeed, other prominent former students," he said.
"I think this is a pretty hot issue the Auditor-General has been pursuing, because if you take it further than the question just of changing passwords regularly, banks now operate on multi-factor authentication, which is really what most corporations should be using.
"So the difference of opinion between UC and the Auditor-General is probably a reflection of the fact that not all universities are at the cutting edge of cyber security.
"I'd say this is a very important story - it's something that needs urgent attention from all universities."