Users are asked to change their passwords every 120 days. Password
expiration was reimplemented starting on October 26th, 1999. Rather
than having 75,000 people all have to change their passwords on the
first day, all users who hadn't changed their passwords since June 28th
were given an arbitrary expiration date between October 26th and
November 24th.
Password expiration was repealled in October of 2001.
The following chart shows the daily progress as warnings went out and
people changed their passwords. The granularity of the plot is hourly.
The red line shows the number of password
changes that occured in the most recent 168 hours (week). 75,000
passwords being changed every 120 days with a 15 day warning period
works out to about 5,000 password changes in each 168 hour period.
Actually, since we concentrated the initial expiration period into a 30
day span, we had a hump in October 1999 and another one in March of
2000. By April of 2001 we had evened out at just about the 5,000
password changes per week.
NB: I believe the growth starting in October 2003 represents a bug in
the collection process that was corrected in April of 2006. That hunk
of the chart should be ignored.
After password expiration was repealled, the number of password changes
dropped down to near nothing. Actually at the end of October 2002 we
were getting about 1,400 password changes per week, but that includes
all the new account creations.
The following charts show the password age for NetIDs among those that have
had a successful authentication in the last 120 days.
Each point on the graph indicates the number of NetIDs of the particular
type that have a password that is no older than the given date. NetIDs
that have not been accessed in more than 120 days are not represented.
The red line shows the number of password
changes that occured in the most recent 168 hours (week). 75,000
passwords being changed every 120 days with a 15 day warning period
works out to about 5,000 password changes in each 168 hour period.
Actually, since we concentrated the initial expiration period into a 30
day span, we had a hump in October 1999 and another one in March of
2000. By April of 2001 we had evened out at just about the 5,000
password changes per week.
NB: I believe the growth starting in October 2003 represents a bug in
the collection process that was corrected in April of 2006. That hunk
of the chart should be ignored.
Each point on the graph indicates the number of NetIDs of the particular
type that have a password that is no older than the given date. NetIDs
that have not been accessed in more than 120 days are not represented.
