Minimum Password Standards

Per the Longwood Password Management policy these standards set the minimum requirements for passwords on any University IT system.  

**Systems utilizing the LancerNet ID and Password must meet the LancerNet Password Standards.**

  1. Passwords must have a minimum length of 8 characters.
  2. Passwords must meet at least 3 out of the 4 requirements for quality:
    1. at least (1) lower case letter
    2. at least (1) upper case letter
    3. at least (1) number
    4. at least (1) special character (?, *, %, etc.)
  3. Passwords on sensitive IT systems must be changed, at a minimum, every 120 days.
  4. Passwords must not be repeated and accordingly a record of previously used passwords will be maintained.
  5. Passwords must be permitted to be changed at the user's will.
  6. Unique initial passwords must be provided through a secure and confidential manner.
  7. Initial passwords must be required to be changed.
  8. Consecutive unsuccessful logon attempts (e.g., incorrect passwords) must result in the user's account being automatically locked.
    1. Users must contact the Help Desk for account unlocking.
  9. Users must choose passwords that are difficult to guess. Passwords must not:
    1. be all or part of your account id
    2. be all or part of your user name
    3. be all or part of the IT system's name
    4. be blank
    5. be based on a single dictionary word
    6. contain more than (2) repetitive characters (e.g., Mmmmmmm1, Ab7777777, etc.)
    7. contain substituted numbers and symbols for letters (e.g., 3 for E, $ for S, 0 for O, etc.)
    8. be based on a simple keyboard combination (e.g., Qwerty)
    9. contain obvious substitutions of numbers and symbols for letters (e.g, $ for S)
  10. Users must prevent passwords from being known or used by others.
    1. Users must never provide their password to anyone.
    2. Users must log off of applications when done using them.
    3. Users must secure workstations when they are away from them. Devices will be subject to lockouts for inactivity.
    4. Users must never use the "Remember Password" feature of any applications.
  11. Users must only use the LancerNet ID and password for Longwood systems and services.  Users should create a different username and password for external services such as personal e-mail, banks, music services, stores, personally owned computers or other systems.
  12. Users must report suspected password compromises.
    1. Users must contact the Help Desk if they believe someone has obtained their password.
    2. Users must change their password if they suspect it has been compromised.

Approved by the Chief Information Officer, December 2, 2008.