2. Why is this necessary?
Keeping the password safe is a key factor in the overall security of an individual's digital identity, and consequently the services and resources to which that identity has been granted access. Access management services, such as those provided by OUCS, are involved in bringing together the individual (client) and provider of services and/or resources (SP). In this arrangement OUCS acts as an arbiter between the two parties, and is involved in assuring a level of security to each. For example: the client expects OUCS to prevent other individuals from accessing resources using the client's identity; the SP expects OUCS to ensure that clients are properly authenticated in order to adequately control access to their services and resources.
This model means that OUCS must manage the access management infrastructure in such as way that it can meet the common requirements of both clients and SPs. Failure to offer the required levels of assurance would undermine the trust placed in OUCS by clients (who would then look elsewhere for their requirements), and would require SPs to provide their own access management systems (tending towards a fragmented approach to IT provision rather than a unified/federated approach - clients could expect to have a different username/password for each service, with local policies on complexity, expiry, etc).
At a University-wide level it seems desirable to maintain and use a central access management infrastructure which offers both simplicity to the client (single username, password, with a single registration procedure and uniform guarantee of identity security), and removes the burden of identity management from the many individual SPs. This requires us to define a policy for password management that assures clients and service providers alike that OUCS is taking adequate steps to maintain overall security of clients' digital identities.