Why “It Wasn’t a Chapman Breach” Can Still Put Your Account at Risk
May 4, 2026
As the CISO at Chapman, I often hear this understandable response when we notify someone that their credentials appeared in an external data breach: “But Chapman wasn’t breached.”
That’s usually correct, and it can still present a real risk.
When breaches occur elsewhere on the internet, email addresses and passwords are frequently exposed. If a password used on another site was also used for a Chapman account, attackers don’t need to compromise Chapman systems. They simply attempt to sign in using valid credentials.
Attackers are not focused on where a password originated, only where it still works.
How Credential Reuse Leads to Account Compromise
Stolen credentials are routinely loaded into automated credential-stuffing tools that replay each username and password pair against common services, including university email systems. This process doesn’t rely on exploiting a vulnerability in the target; it relies on the stolen credentials simply authenticating successfully.
If a password is reused and still valid, the account may already be compromised.
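The pattern described above, as an added example that is not part of the original post and is not Chapman’s own tooling: a small Python detector run over a constructed set of sign-in events. A source that fails against many distinct accounts in a short window is treated as credential stuffing, and any account that the same source then signed into successfully is listed as likely compromised. The event format, the IP addresses and usernames, and the thresholds are all assumptions for illustration.

```python
"""Credential-stuffing detector over constructed sign-in events.

Added example (editor's illustration, not Chapman's tooling). The event
layout, sample data and thresholds below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds: one source trying at least this many distinct accounts,
# with at least this share of failures, inside one window is treated as stuffing.
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.8
WINDOW_SECONDS = 600


@dataclass(frozen=True)
class SignIn:
    ts: int        # seconds since epoch (constructed)
    src_ip: str    # source address of the sign-in attempt
    user: str      # account name attempted
    success: bool  # True if the password was accepted


def detect_stuffing(events):
    """Return {src_ip: {"attempted": set(users), "compromised": set(users)}}.

    A source is reported when, within WINDOW_SECONDS, it attempts at least
    MIN_DISTINCT_USERS different accounts and at least MIN_FAILURE_RATIO of
    those attempts fail. Accounts where that same source also succeeded in
    the window are reported as "compromised": the reused password worked.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits WINDOW_SECONDS.
            while evs[end].ts - evs[start].ts > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            users = {e.user for e in window}
            failures = sum(1 for e in window if not e.success)
            if (len(users) >= MIN_DISTINCT_USERS
                    and failures / len(window) >= MIN_FAILURE_RATIO):
                hit = findings.setdefault(ip, {"attempted": set(), "compromised": set()})
                hit["attempted"] |= users
                hit["compromised"] |= {e.user for e in window if e.success}
    return findings


# Constructed sample: one stuffing source cycling through ten accounts, with a
# single success (the reused password for "frank" still works), plus a benign
# user who mistyped once and then signed in normally.
_STUFFED_USERS = ["alice", "ben", "carol", "dave", "erin",
                  "frank", "grace", "heidi", "ivan", "judy"]
SAMPLE_EVENTS = [
    SignIn(ts=10 * i, src_ip="203.0.113.7", user=u, success=(u == "frank"))
    for i, u in enumerate(_STUFFED_USERS)
] + [
    SignIn(ts=100, src_ip="198.51.100.2", user="bob", success=False),
    SignIn(ts=130, src_ip="198.51.100.2", user="bob", success=True),
]


if __name__ == "__main__":
    for ip, hit in detect_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: tried {len(hit['attempted'])} accounts, "
              f"likely compromised: {sorted(hit['compromised'])}")
```

The benign source is not reported because it touched only one account. The stuffing source is reported even though it tripped no vulnerability; the signal is purely the shape of the authentication traffic, which is why this kind of check belongs in the identity provider’s sign-in logs rather than in an application scanner. Any account in the "compromised" set should have its password reset and active sessions revoked.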
The Role and Limits of MFA
Multi-Factor Authentication (MFA) remains one of our most effective controls and significantly reduces the likelihood of compromise. However, MFA is not immune to human factors.
An attacker who already has a valid password can trigger an MFA push notification to your device simply by attempting to sign in, and some attackers repeat the attempt until someone approves (a tactic often called MFA fatigue). In a busy workday, it can be easy to assume the prompt is legitimate and approve it without checking. A prompt you did not initiate is evidence that someone already has your password.
MFA protects systems; user awareness completes the protection.
Why Annual Password Resets Still Matter
It’s reasonable to ask why Chapman requires annual password changes, especially when MFA is in place.
The answer is simple: password resets limit the lifespan of exposed credentials.
External breaches are not always discovered immediately. Credentials can circulate quietly for months — or years — before they are actively abused. An annual reset ensures that even if a password was unknowingly exposed elsewhere, it will eventually become unusable.
In effect, password resets:
- Reduce the window of opportunity for attackers
- Invalidate credentials obtained from older breaches
- Provide a clean reset point when combined with MFA
Annual resets are not about inconvenience; they put an upper bound on how long a leaked password remains usable, and so reduce long-term risk.
Why This Matters for Faculty and Staff
Faculty and staff accounts often provide access beyond email, including learning platforms, research data, student records, financial systems, and administrative tools. A single compromised account can be used to send convincing messages, access sensitive information, or enable further attempts within the institution.
For this reason, credential security is treated as a shared responsibility across the university, supported by both technical controls and user practices.
Practical Steps That Make a Real Difference
In recognition of World Password Day on May 7, this is a good opportunity to review a few practices that meaningfully reduce risk:
- Use a unique password for your Chapman account. Reuse is the most common factor in credential compromise.
- Use a password manager. This enables strong, unique passwords without added effort.
- Pause before approving MFA prompts. If you did not initiate the sign-in, treat the prompt as a warning: deny it, change your password, and report it.
- Treat annual password resets as an essential security measure rather than a procedural requirement.
- Report unusual activity promptly to abuse@chapman.edu or infosec@chapman.edu. Early notification allows us to contain issues quickly.
In Closing
Most account compromises do not involve sophisticated attacks. They rely on credential reuse and a moment of inattention. Our technical controls, including MFA and annual password resets, work continuously, but they are most effective when paired with informed, engaged users.
World Password Day is a timely reminder that a few deliberate habits go a long way in protecting both individual accounts and the broader Chapman community.
Thank you for your partnership in keeping Chapman’s systems and data secure.
Stay safe, stay vigilant!
Keith Barros
Chief Information Security Officer (CISO)