Strong Password Standard

1. Background and Rationale

The Responsible Use of Data and Information Technology Resources policy states that Notre Dame computer users are responsible for their use of and access to data and technology on campus. The integrity and secrecy of an individual's password is a key element of that responsibility.

This standard describes the University's requirements for acceptable password selection and maintenance. Its purpose is to reduce overall risk to the institution by helping computer users reasonably avoid security and privacy risks that result from weak password choices and to encourage attention to password secrecy.

This standard applies to all NetID passwords used by systems that participate in Notre Dame enterprise authentication with the exception of Privileged or Service NetIDs. Password requirements for Service and Privileged IDs can be found in The Privileged Account Standard.

2. Password Composition

NetID passwords must meet the following requirements:

Password minimum length: A password must be no fewer than eight characters.

Password length, in combination with password complexity, makes a password difficult to guess and less vulnerable to brute force attacks. Though technology constraints may impose maximum length or other restrictions, "Pass Phrases" (memorable short sentences instead of single words) should be used where possible.

Password complexity: A password must include at least 1 character from 3* different character classes.

Password complexity is the combination of characters from different classes that make up the password. A password must include characters from 3 of the following classes:

 

  • Uppercase letters: A-Z
  • Lowercase letters: a-z
  • Numbers: 0-9
  • Non-alphanumeric characters: for example $, !, #

Difficult to Guess or Break

  • Passwords should not be composed of a single common word or be a predictable phrase. For example, “GoIrish1” and “NotreDame2016” are poor choices for a password. Birthdays are also poor choices since they are very easily guessed.
  • A password must not resemble the NetID or the name of the account holder. Family names should also be avoided.

*Guest NetIDs only require 2 character classes.
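
The composition rules above can be checked mechanically. The following sketch is an added example, not code from the University or its systems. The function names and rule codes are hypothetical, the NetID "jdoe" and name "Jane Doe" are constructed, and "resemble" is assumed to mean that the NetID or a name part of three or more characters appears in the password, ignoring case.

```python
import string

MIN_LENGTH = 8          # "no fewer than eight characters"
REQUIRED_CLASSES = 3    # standard NetIDs
GUEST_CLASSES = 2       # footnote: Guest NetIDs need only 2


def character_classes(password):
    """Return which of the four listed character classes occur in password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif not ch.isalnum():
            classes.add("symbol")  # e.g. $, !, #, or a space in a pass phrase
    return classes


def resembles_identity(password, netid, full_name):
    """Assumed test: NetID or a name part (3+ chars) appears in the password."""
    folded = password.casefold()
    tokens = [netid] + full_name.split()
    return any(len(t) >= 3 and t.casefold() in folded for t in tokens)


def check_password(password, netid, full_name, guest=False):
    """Return a list of rule codes the candidate password violates."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    required = GUEST_CLASSES if guest else REQUIRED_CLASSES
    if len(character_classes(password)) < required:
        problems.append("too_few_classes")
    if resembles_identity(password, netid, full_name):
        problems.append("resembles_identity")
    return problems


if __name__ == "__main__":
    # Constructed account: NetID "jdoe", account holder "Jane Doe".
    for candidate in ["Ab1!", "quiet-river", "jdoe2016!", "GoIrish1"]:
        print(candidate, check_password(candidate, "jdoe", "Jane Doe"))
```

Note that "GoIrish1" passes every mechanical check here even though the standard names it as a poor choice. Rejecting predictable phrases requires a list of common words and phrases, which this sketch does not include.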

3. Non-Expiring Passwords

A Notre Dame computer user is not required to change their password unless their user account password has been compromised. If a user’s password is compromised or suspected to be, the OIT Help Desk will reset the user’s password and contact the user.

NetID users may change their password at any time at password.nd.edu.

4. Reuse of Passwords

A NetID password must never be used with systems or services that do not participate in Notre Dame enterprise authentication.

5. Reference Documents

 

6. Contacts

Policy Clarification

Information Security, OIT. Telephone (574) 631-3888, email to infosec@nd.edu.

Account Creation

Help Desk, OIT. Telephone (574) 631-8111, email to oithelp@nd.edu.

 

7. Exceptions

Exceptions to these standards require the approval of the University’s Director of Information Security.