Why are we doing this?
Caltech had a security intrusion by a persistent, motivated intruder group. We detected the intrusion quickly and took steps to lock the intruders out and recover the systems that were accessed. Although we have no evidence that the intruders gained access to our password store, we cannot entirely rule out that possibility. The password store is encrypted, but modern computing resources can make brute-force attacks against shorter passwords feasible in a way they were not in the past. For this reason, we have raised the minimum required password length to 10 characters and are asking our users to change their passwords. The current maximum password length is 20 characters, and we encourage you to think of your password as a phrase rather than a word. Longer passwords are generally much more difficult to crack than shorter ones.
Was my password exposed?
If we had evidence that your password was exposed, we would have immediately contacted you personally. This mass password reset initiative is a precaution.
Do I have to change my other passwords (Gmail, departmental accounts, Facebook, etc.)?
If you were using the same password for your access.caltech account as you use on your other accounts, you should change that password wherever else it was used. Password reuse is currently a common way for an intruder to gain access to accounts on systems that may not otherwise have been exposed. Once an attacker knows a person's login information for one system, they may routinely try that same login information on other commonly used systems as well. We recommend using unique passwords for all accounts, or at minimum for critical accounts such as your access.caltech account, any email accounts you may have, and any accounts associated with private data such as credit card or banking information. Password management tools that encrypt your list of login information under a single master passphrase can help you keep track of your various accounts and passwords. Contact the Help Desk if you would like more information about password management tools.