PASSWORD MANAGEMENT STANDARDS

Passwords are an everyday fact of life.

Everyone has difficulty when creating a good password.  Then, just about the time you begin to remember it, it's time to change. It is important to have easy to remember but non-guessable passwords in the Longwood computer environment.

What is easy to remember?  Your name and address and phone number are easy to remember.  However, you should not use personal information for a password because others know and/or find out about your information.

Per the Longwood Password Management Policy this standard requires that you use the following criteria when creating your password:

-Minimum length = 15

-Maximum length on Windows clients                = 127
-Maximum length on MacIntosh OS X clients    = 128

-Must meet at least 3 out of the 4 requirements for quality:
         1) at least (1) lower case letter
         2) at least (1) upper case letter
         3) at least (1) number
         4) at least (1) special character (?, *, %, etc.)

-Passwords must not:
         a) be all or part of your account id
         b) be all or part of your account name
         c) be blank
         d) contain dictionary words
         e) contain more than (2) repetitive characters (Mmmmmmm1, Ab7777777, etc.)
         f) contain substituted numbers and symbols for letters (3 for E, $ for S, 0 for O, etc.)

-Password must be changed, at a minimum, every 120 days.  After the expiration date you will be forced to change your password before being allowed to log on.  (On some systems you will receive a notification at log on time that your password is about to expire starting 10 days prior and up to the expiration date.)  

-Passwords should not be repeated.

-Only use the LancerNet ID and password for Longwood systems and services.  Individuals should create a different username and password for external services such as personal e-mail, banks, music services, stores, personally owned computers or other systems.

-Do not use the "Remember Password" feature of applications  (e.g., Outlook, Netscape Messenger, Internet Explorer).

 Creating Strong Passwords/Passphrases

When creating a password or passphrase, consider the following hints to make it both secure and easily memorizable:

• Avoid common phrases, lyrics, or quotations; these can be easy for hackers to guess. However, you can create an acronym from the letters of the words in a phrase or quotation that is memorable to you (e.g., "To be or not to be?" could become 2BRnot2B?).
• While randomly selected words will make a stronger passphrase than words typically used together, using your random words in a grammatical English sentence will make the passphrase much easier to remember.
• Interleave two words or a word and a number sequence that is meaningful to you, for example, your favorite fruit and a memorable year (e.g., "kiwi" and "1987" could be interleaved as k1i9w8i7 , ki19wi87 , or ki1987wi ).
• Deliberately misspell words, or substitute phonetic replacements throughout (e.g., "Mississippi" could become Mrs.Ippi ).
• Use a mixture of uppercase and lowercase letters.

A passphrase uses multiple natural words or phrases to construct the secret to be used during authentication.  Examples are shown below:

• a password of  pM[]w5Mj  could be easier to remember and type as the following passphrase: packmyBoxwith5milkjugs
• a password of  myLigr8!  could be easier to remember and type as the following passphrase:  myLongwoodisgreat!   

Passphrases provide a good way to compose strong, lengthy passwords that are easier to remember, easier to type, and naturally complex.  Existing brute force and dictionary attack techniques do not take passphrases into consideration, so passphrases are currently harder to crack than traditional passwords.

NOTE: Do not use any of the above examples as actual passwords/passphrases!

Developing your unique personal pattern is not difficult.  Remember that it is important to change your password regularly.  There is an old saying: a password is like a toothbrush, get the best quality, change it often and never ever let anyone else use it.
   

Approved by the Chief Information Officer, May 01, 2003.

Revised by the Chief Information Officer, February 22, 2006.

Revised by the Chief Information Officer, September 15, 2006.

Revised by the Chief Information Officer, March 15, 2007.

Revised by the Chief Information Officer, December 4, 2007.