Minimum PassPhrase Standard:
Information Security Standard 7.420
Supersedes Standard Dated:  New standard
Effective Date:  May 27, 2004
Review Date: July 18, 2008

Title of Standard:  Minimum Passphrase Standard

Purpose of Standard:  Passphrases are used to authenticate users for access to university computing systems and electronic information. A compromised PassPhrase can risk disclosure of more than just an individual's e-mail and personal files. It almost always risks disclosure of other sensitive information related to student affairs, personnel issues, and patient care. The purpose of this standard is to ensure that all users select strong passphrases that are difficult to guess, crack, or otherwise compromise.

Person(s) with Primary Responsibility:  Director of IT Security

Approved: 

Required Standards:
The following minimum requirements shall apply to all computing systems attached to the East Carolina University campus computing network.  

1. Passphrases shall be at least 8 characters in length and contain characters from 3 of the 4 character classes below:
- Numeral
- Upper case letter
- Lower case letter
- Special character (e.g., !, @, #, *, ?)

2. Passphrases shall be changed at a minimum of once every 90 days and must not use any of the account's previous 6 passwords

Computing systems or computer accounts that cannot meet all of the above standards must be approved by the Director of IT Security. 

References
System Administration, Network, and Security (SANS) Institute Passphrase Policy, www.sans.org/resources/policies/Password_Policy.pdf (pdf)
UNC-CH PassPhrase requirements, http://help.unc.edu/?id=1552