Strong Password Standard

1. Background and Rationale

As described by the current Responsible Use of Information Technology Resources Policy, each Notre Dame computer user is responsible for his or her use of technology on campus. The integrity and secrecy of an individual's password is a key element of that responsibility.

This Standard describes the University's requirements for acceptable password selection and maintenance. Its purpose is to reduce overall risk to the institution by helping computer users reasonably avoid security and privacy risks that result from weak password choices and to encourage attention to password secrecy.

This Standard applies to passwords used by systems that participate in Notre Dame enterprise authentication employed in conjunction with a NetID to connect to Notre Dame network-based services. One's NetID password must never be used with systems or services that do not participate in Notre Dame enterprise authentication.

2. Password Composition

Computer users at Notre Dame shall select passwords according to the following:

Password minimum length: A password must be no fewer than eight characters. Though technology constraints may impose maximum length or other restrictions, use of "Pass Phrases" (memorable short sentences instead of single words) shall be supported where possible and practical. The OIT will provide an electronic password management service that will supply timely and detailed information on applicable password limitations.

Composition: Passwords must be composed so that they:

  • Include at least one character from at least three of the following classes: lowercase letters, uppercase letters, numerals, punctuation (for example, #, |, $, % and spaces)
  • Are not found in common dictionaries, and are not well-known or predictable phrases (for example, "GoIrish" is a poor choice for a password)
  • Do not resemble the NetID or the name of the account holder


Attempts to create or change a password to one that does not meet the above parameters will result in rejection of the change to the password.
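
The composition rules above can be checked mechanically when a password is set. The following is an added example, not code from Notre Dame or the OIT: the word list is a constructed stand-in for a real dictionary, and the interpretation of "resemble" (the NetID or a name part of three or more characters appearing inside the password) is an assumption, as are all function and variable names.

```python
import string

MIN_LENGTH = 8         # "no fewer than eight characters"
REQUIRED_CLASSES = 3   # "at least three of the following classes"

# Constructed sample list; a deployment would load a real dictionary
# and a list of well-known phrases instead.
SAMPLE_WORDLIST = {"goirish", "password", "football", "notredame"}


def char_classes(password):
    """Return the character classes present (ASCII only; other chars count for none)."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation or ch == " ":
            classes.add("punct")   # the Standard counts spaces as punctuation
    return classes


def check_password(password, netid, full_name, wordlist=SAMPLE_WORDLIST):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if len(char_classes(password)) < REQUIRED_CLASSES:
        problems.append("classes")
    # Assumption: strip digits and punctuation before the dictionary lookup,
    # so decorating a dictionary word ("GoIrish1!") does not get past it.
    letters = "".join(c for c in password.lower() if c.isalpha())
    if letters in wordlist:
        problems.append("dictionary")
    # Assumption: "resembles" means the NetID or a name part (3+ chars)
    # occurs inside the case-folded, alphanumeric-only password.
    folded = "".join(c for c in password.lower() if c.isalnum())
    tokens = [netid.lower()] + [p for p in full_name.lower().split() if len(p) >= 3]
    if any(t and t in folded for t in tokens):
        problems.append("resembles-identity")
    return problems
```

An all-lowercase pass phrase with spaces covers only two classes and is rejected, while the same phrase with one capital letter passes.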

3. Password Expiration

A Notre Dame computer user must change his or her password at least every 180 days. Attempts to log in using an expired password will not succeed. After changing a password, a computer user must wait at least one hour before changing his or her password again. Expired passwords will be accepted as valid only when changing one's password, and only by the system(s) designated and supported by OIT for this purpose. Advance warnings of upcoming password expiration will be sent to the designated account holder via campus email beginning 30 days prior to expiration, with repeated reminders thereafter until the expiration date. An account holder may change his or her password at any time -- it is not necessary to wait for expiration.

4. Reuse of previous passwords

Reuse of any of the account's eight previous passwords will not be permitted.

5. Contacts

Address inquiries about this standard via email to infosec@nd.edu.