Password Complexity Requirements

Definition 3.1.1: Minimum "Password" criteria are:

a. Password guidelines must be distributed to all users of the system.

b. All accounts must have passwords.

c. Passwords for accounts must not be shared, unless a Group account has been specifically authorized in writing as described in this guideline and Policy AD20. The registered user of an account must have unique access to the account because of the liability stated under Policy AD20. In those rare instances where password sharing is authorized, all individuals authorized access to the account are held jointly accountable.

d. Passwords must have at least annual expiration dates (if the operating system allows the setting of expiration dates) and it is strongly recommended that passwords be changed every 120 days. In some instances a shorter period (less than 90 days) is appropriate.

e. Passwords must be resistant to a computer program that checks passwords against previously used passwords and passwords that are easily discovered or compromised by human or computational means.

f. Passwords must use a mix of alpha, numeric and special characters, and contain at least 9 characters if the operating system supports passwords of that length. If not, the password should be the maximum length supported by the operating system. If passwords are not supported natively by the operating system, this requirement may be fulfilled by vendor or developed software.

g. Passwords to Computer and Network Resources containing Computerized Institutional Data will not be issued over network media in clear text unless a secondary means of authentication is provided (e.g., smart cards or tokens with one-time values, or a phone device with a similar one-time value).
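The checks in items e and f, written out as a small Python validator; this is an added example, not part of the guideline. The deny-list is constructed sample data standing in for a real wordlist of easily guessed passwords, and storing the history as salted PBKDF2 hashes (never the clear text) is an assumption about how a checker would keep previously used passwords.

```python
import hashlib
import hmac
import os
import string

# Constructed sample deny-list; a real checker would load a full wordlist.
COMMON_PASSWORDS = {"password", "password123!", "welcome1!", "letmein"}

MIN_LENGTH = 9  # item f: at least 9 characters


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so the history never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_to_history(history: list, password: str) -> None:
    """Record an accepted password as (salt, digest) for later reuse checks."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def used_before(history: list, password: str) -> bool:
    """Item e: detect reuse by re-hashing the candidate with each stored salt."""
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in history)


def check_password(password: str, history: list) -> list:
    """Return the list of guideline violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the easily-guessed list")
    if used_before(history, password):
        problems.append("matches a previously used password")
    return problems


if __name__ == "__main__":
    history = []
    add_to_history(history, "Correct-Horse-42")
    for candidate in ("short1!", "Password123!", "Correct-Horse-42", "Blue-Kettle-77"):
        print(candidate, "->", check_password(candidate, history) or "OK")
```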