MINIMUM PASSWORD STANDARDS

Per the Longwood Password Management policy these standards set the minimum requirements for passwords on any University IT system.

1. Passwords must have a minimum length of 8 characters.
    

2. Passwords must meet at least 3 out of the 4 requirements for quality:
    
   • at least (1) lower case letter
   • at least (1) upper case letter
   • at least (1) number
   • at least (1) special character (?, *, %, etc.)
    
3. Passwords on sensitive IT systems must be changed, at a minimum, every 120 days.
    
4. Passwords must not be repeated and accordingly a record of previously used passwords will be maintained.
    
5. Passwords must be permitted to be changed at the user’s will.
    
6. Unique initial passwords must be provided through a secure and confidential manner.
    
7. Initial passwords must be required to be changed.
    
8. Consecutive unsuccessful logon attempts (e.g., incorrect passwords) must result in the user’s account being automatically locked.
    
   • Users must contact the Help Desk for account unlocking.
    
9. Users must choose passwords that are difficult to guess.
   Passwords must not:
    
   • Be all or part of your account id
   • Be all or part of your user name
   • Be all or part of the IT system’s name
   • Be blank
   • Be based on a single dictionary word
   • Contain more than (2) repetitive characters (e.g., Mmmmmmm1, Ab7777777, etc.)
   • Contain substituted numbers and symbols for letters (e.g., 3 for E, $ for S, 0 for O, etc.)
   • Be based on a simple keyboard combination (e.g., Qwerty)
   • Contain obvious substitutions of numbers and symbols for letters (e.g, $ for S)
    
10. Users must prevent passwords from being known or used by others.
     
    • Users must never provide their password to anyone.
    • Users must log off of applications when done using them.
    • Users must secure workstations when they are away from them. Devices will be subject to lockouts for inactivity.
    • Users must never use the “Remember Password” feature of any applications.
     
11. Users must only use the LancerNet ID and password for Longwood systems and services. Users should create a different username and password for external services such as personal e-mail, banks, music services, stores, personally owned computers or other systems.
     
12. Users must report suspected password compromises.
     
    • Users must contact the Help Desk if they believe someone has obtained their password.
    • Users must change their password if they suspect it has been compromised.