At the present time no restrictions are in place concerning the
complexity, expiry, or history of passwords. Your Shepherd network password must be at least
six characters long. While no other restrictions are in place, IT Services recommends that
people follow these standards when selecting passwords:
• Passwords should be at least eight characters long; the longer a password is, the more secure
• Passwords should include both lower-case and upper-case letters, as well as at least one numeric
character and one non-alphanumeric character (e.g., a punctuation mark).
• Passwords should not include words found in any dictionary, including foreign dictionaries or
specialized dictionaries (e.g., medical or scientific).
• Passwords should be changed at least every six months, and ideally every three months.
• Passwords should be rotated no more frequently than once every five times. In other words, do
not reuse a password if it is one of the previous four passwords. Ideally passwords should not be
reused at all. In the event a previous password is compromised it will not result in any harm.
• Do not write down your passwords if possible; if you must, do not store them in an easily guessed
Information security is only as strong as its weakest link. In most cases
that is the password chosen to protect the data. More sensitive information should be protected with
stronger security methods.
While these guidelines may make choosing a password difficult, there are several techniques to use
that can generate secure yet memorable passwords. A common technique is to take a sentence, use the
first or key letters of each word, and substitute appropriate characters if necessary. For example:
Password strength for fun, if you know how!
can turn into
(Please do not use this or other available password examples as your password.)
Should we begin requiring stronger passwords, or anticipate other changes to our password
policies, we will notify the campus community with sufficient notice prior to the implementation
of any changes. Changes to authentication requirements typically are motivated by annual audits of
our financial information systems to determine that there are adequate controls in place, including
the security of passwords used to access the systems. Other changes may come as a result of
requirements to comply with particular industry standards for data protection, such as for credit
cards or health information.