At the present time no restrictions are in place concerning the complexity, expiry, or history of passwords. Your Shepherd network password must be at least six characters long. While no other restrictions are in place, IT Services recommends that people follow these standards when selecting passwords:
- Passwords should be at least eight characters; the longer a password is, the more secure it is
- Passwords should include both lower-case and upper-case letters, as well as at least one numeric character
- Some systems, such as the student email system, allow you to use non-alphanumeric characters (e.g., a punctuation mark)
- Passwords should not include words found in any dictionary, including foreign dictionaries or specialized dictionaries (e.g., medical or scientific)
- Passwords should be changed at least every six months, and ideally every three months
- Passwords should be rotated no more frequently than once every five times. In other words, do not reuse a password if it is one of the previous four passwords. Ideally, passwords should not be reused at all, so that if a previous password is compromised, it will not result in any harm
- Do not write down your passwords if possible; if you must, do not store them in an easily guessed location
Information security is only as strong as its weakest link. In most cases, that is the password chosen to protect the data. More sensitive information should be protected with stronger security methods. While these guidelines may make choosing a password difficult, several techniques can generate secure yet memorable passwords. A common technique is to take a sentence, use the first or key letters of each word, and substitute appropriate characters if necessary. For example:
Password strength for fun, if you know how!
can turn into
(Please do not use this or other available password examples as your password.)
Should we begin requiring stronger passwords, or anticipate other changes to our password policies, we will notify the campus community with sufficient notice prior to the implementation of any changes. Changes to authentication requirements typically are motivated by annual audits of our financial information systems to determine that there are adequate controls in place, including the security of passwords used to access the systems. Other changes may come as a result of requirements to comply with particular industry standards for data protection, such as for credit cards or health information.