Password composition best practices
Many institutions have reported incidents where information has been exposed to unauthorized individuals, tampered with and/or destroyed. Often these compromises have been the result of poorly crafted passwords that were easily uncovered by individuals using one of the hundreds of password cracking tools that are available across the Internet.
To ensure that information at Princeton University is adequately protected, whenever you create a password that will be used to access Princeton University systems, it must adhere to the following password composition rules:
- Passwords must be at least eight characters in length.
- Passwords must include at least one character from each of the following character groups:
  - upper case alphabetic characters (A-Z),
  - lower case alphabetic characters (a-z),
  - numbers (0-9),
  - symbols !"$%&'()*+,-./:;<=>?@[\]^_`{|}~
Notes:
- Passwords should not be a dictionary word or common name with numbers and symbols merely substituting for similar looking alphabetic characters (e.g., "P@ssw0rd").
- Passwords may not include blank spaces or control characters, such as return, tab, back-tab, etc.
- Mac OS X users who store data on OIT's UNIX clusters should avoid using an ampersand (&) in their passwords. Including an ampersand will prevent the systems from connecting successfully.
The above rules are enforced by PUaccess, our web-based password management facility, whenever an individual changes his or her central University passwords. University systems that do not use passwords maintained by PUaccess should be written to enforce the policy where the technology permits. Users accessing systems that cannot enforce our password policy should follow the above rules voluntarily. Further, we recommend that you follow the above rules whenever creating any password, on- or off-campus, to reduce the risk of any of your passwords being compromised.
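An added example, not PUaccess code or anything from the original page: one way a system that does not use PUaccess could check a candidate password against the rules and notes above. The look-alike substitution map, the sample word list, and the choice to reject disguised dictionary words rather than only warn are assumptions.

```python
import unicodedata

# Symbol set copied from the policy text above (as listed, it has no '#').
SYMBOLS = set("!\"$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
# Assumed look-alike substitutions for the "P@ssw0rd" note; not from the policy.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
# Constructed sample word list; a real deployment would load a large dictionary.
SAMPLE_WORDS = {"password", "princeton", "welcome", "letmein"}


def check_password(pw, words=SAMPLE_WORDS):
    """Return (errors, warnings) for the composition rules listed above."""
    errors, warnings = [], []
    if len(pw) < 8:
        errors.append("shorter than eight characters")
    groups = {
        "upper case (A-Z)": any("A" <= c <= "Z" for c in pw),
        "lower case (a-z)": any("a" <= c <= "z" for c in pw),
        "number (0-9)": any("0" <= c <= "9" for c in pw),
        "symbol": any(c in SYMBOLS for c in pw),
    }
    errors += [f"missing {name}" for name, ok in groups.items() if not ok]
    # Unicode categories Zs/Zl/Zp are spaces; Cc is control (tab, return, ...).
    if any(unicodedata.category(c) in ("Zs", "Zl", "Zp", "Cc") for c in pw):
        errors.append("contains a blank space or control character")
    # Undo look-alike substitutions, then look for a dictionary word anywhere
    # in the result, so "P@ssw0rd" and "P@ssw0rd1!" are both caught.
    folded = pw.lower().translate(LEET)
    if any(word in folded for word in words):
        # Assumption: treated as a rejection, although the note says "should not".
        errors.append("dictionary word with look-alike substitutions")
    if "&" in pw:
        # Advisory only: the note applies to Mac OS X users of OIT's UNIX clusters.
        warnings.append("ampersand may prevent Mac OS X connections to OIT UNIX clusters")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for candidate in ("P@ssw0rd", "Tr&e9-kiln", "Ab1 ", "Quiet#Maple7"):
        print(repr(candidate), check_password(candidate))
```
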

