Strong Password Standard

1. Background and Rationale

As described by the current Responsible Use of Information Technology Resources Policy, each Notre Dame computer user is responsible for his or her use of technology on campus. The integrity and secrecy of an individual's password is a key element of that responsibility.

This Standard describes the University's requirements for acceptable password selection and maintenance. Its purpose is to reduce overall risk to the institution by helping computer users reasonably avoid security and privacy risks that result from weak password choices and to encourage attention to password secrecy.

This Standard applies to passwords used by systems that participate in Notre Dame enterprise authentication employed in conjunction with a NetID to connect to Notre Dame network-based services. One's NetID password must never be used with systems or services that do not participate in Notre Dame enterprise authentication.

2. Password Composition

Computer users at Notre Dame shall select passwords according to the following:

Password minimum length: A password must be no fewer than eight characters. Though technology constraints may impose maximum length or other restrictions, use of "Pass Phrases" (memorable short sentences instead of single words) shall be supported where possible and practical. The OIT will provide an electronic password management service that will supply timely and detailed information on applicable password limitations.

Composition: Passwords must be composed so that they:

  • Include at least one character from at least three of the following classes: lowercase letters, uppercase letters, numerals, punctuation (for example, #, |, $, % and spaces)
  • Are not found in common dictionaries, and are not well-known or predictable phrases (for example, "GoIrish" is a poor choice for a password)
  • Do not resemble the NetID or the name of the account holder

Attempts to create or change a password to one that does not meet the above parameters will result in rejection of the change to the password.

3. Non-Expiring Passwords

A Notre Dame computer user is not required to change their password unless their user account password has been compromised. If a user’s password has been found to be compromised, the OIT Help Desk will reset the user’s password and contact the user.

NetID users may change their password at any time.

4. Reuse of Previous Passwords

Reuse of any of the account's eight previous passwords will not be permitted.
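
The composition rules in Section 2 and the reuse rule in Section 4 can be enforced together at password-change time. The sketch below is an added example, not code from the University or the OIT. The word list, the letters-only dictionary match, the substring test for "resemble", and the PBKDF2 history storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import string

# Constructed sample list; a real deployment would load a full dictionary.
COMMON_WORDS = {"password", "goirish", "notredame", "welcome", "letmein"}
MIN_LENGTH = 8      # Section 2: no fewer than eight characters
HISTORY_DEPTH = 8   # Section 4: the account's eight previous passwords

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: history is kept as salted PBKDF2 hashes, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def class_count(password: str) -> int:
    # Count how many of the four classes appear; spaces count as punctuation.
    punct = string.punctuation + " "
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in punct for c in password),
    ])

def check_password(password, netid, full_name, history):
    """Return the list of violated rules; an empty list accepts the change.
    history: list of (salt, hash) tuples, oldest first."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if class_count(password) < 3:
        problems.append("fewer than three character classes")
    # Assumption: compare letters only, so "GoIrish1!" still matches "goirish".
    letters = "".join(c for c in lowered if c.isalpha())
    if letters in COMMON_WORDS:
        problems.append("dictionary word or predictable phrase")
    # Assumption: "resembles" means the NetID, or any name part of three or
    # more characters, appears case-insensitively inside the password.
    tokens = [netid.lower()] + [p for p in full_name.lower().split() if len(p) >= 3]
    if any(t in lowered for t in tokens):
        problems.append("resembles NetID or name")
    # Constant-time comparison against only the most recent eight entries.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("reuses one of the last eight passwords")
            break
    return problems
```

Returning every violated rule at once, rather than stopping at the first, lets the password management service tell the user everything that needs fixing in a single rejection.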

5. Contacts

Address inquiries about this standard via email to