Password Guidelines
All passwords should meet or exceed the following guidelines
Strong passwords have the following characteristics:
- Contain at least 12 alphanumeric characters (15+ will prevent the use of less secure hashing algorithms).
- Contain both upper and lower case letters.
- Contain at least one number (for example, 0-9).
- Contain at least one special character (for example,!$%^&*()_+|~-=`{}[]:";'<>?,/).
- Unique when compared to previously used passwords (for example, users cannot reuse any of their last 3 passwords)
Poor, or weak, passwords have the following characteristics:
- Contain less than eight characters.
- Can be found in a dictionary, including foreign language, or exist in a language slang, dialect, or jargon.
- Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters (Windows will not allow usernames as part of complex passwords).
- Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
- Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
- Contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1 or 1secret).
- Are some version of “Welcome123” “Password123” “Changeme123”
You should never write down a password. Instead, try to create passwords that you can remember easily. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase, "This May Be One Way To Remember" could become the password TmB1w2R! or another variation.
(NOTE: Do not use either of these examples as passwords!)
Passphrases
A passphrase is similar to a password in use; however, it is relatively long and constructed of multiple words, which provides greater security against dictionary attacks. Strong passphrases should follow the general password construction guidelines to include upper and lowercase letters, numbers, special characters, and spaces (for example, TheTrafficOnThe101Was*&!$ThisMorning!).
Password Expiration
Password expiration is a source of frustration to users, who are often required to create and remember new passwords every few months for dozens of accounts, and thus tend to choose weak passwords and use the same few passwords for many accounts. Organizations should consider having different policies for password expiration for different types of users, systems, operating systems, and applications, to reflect their varying security needs and usability requirements (for example, Faculty/Staff expire annually while student passwords do not expire except in the case of a suspected breach).
See attached for more details and some reminders regarding passwords.