Per the Longwood Password Management policy these standards set the minimum requirements for passwords on any University IT system.
**Systems utilizing the LancerNet ID and Password must meet the LancerNet Password Standards.**
- Passwords must have a minimum length of 8 characters.
- Passwords must meet at least 3 out of the 4 requirements for quality:
- at least (1) lower case letter
- at least (1) upper case letter
- at least (1) number
- at least (1) special character (?, *, %, etc.)
- Passwords on sensitive IT systems must be changed, at a minimum, every 120 days.
- Passwords must not be repeated and accordingly a record of previously used passwords will be maintained.
- Passwords must be permitted to be changed at the user's will.
- Unique initial passwords must be provided through a secure and confidential manner.
- Initial passwords must be required to be changed.
- Consecutive unsuccessful logon attempts (e.g., incorrect passwords) must result in the user's account being automatically locked.
- Users must contact the Help Desk for account unlocking.
- Users must choose passwords that are difficult to guess. Passwords must not:
- be all or part of your account id
- be all or part of your user name
- be all or part of the IT system's name
- be blank
- be based on a single dictionary word
- contain more than (2) repetitive characters (e.g., Mmmmmmm1, Ab7777777, etc.)
- contain substituted numbers and symbols for letters (e.g., 3 for E, $ for S, 0 for O, etc.)
- be based on a simple keyboard combination (e.g., Qwerty)
- contain obvious substitutions of numbers and symbols for letters (e.g, $ for S)
- Users must prevent passwords from being known or used by others.
- Users must never provide their password to anyone.
- Users must log off of applications when done using them.
- Users must secure workstations when they are away from them. Devices will be subject to lockouts for inactivity.
- Users must never use the "Remember Password" feature of any applications.
- Users must only use the LancerNet ID and password for Longwood systems and services. Users should create a different username and password for external services such as personal e-mail, banks, music services, stores, personally owned computers or other systems.
- Users must report suspected password compromises.
- Users must contact the Help Desk if they believe someone has obtained their password.
- Users must change their password if they suspect it has been compromised.
Approved by the Chief Information Officer, December 2, 2008.