Minimum Passphrase Standard
| Approved: | Chief Information Officer |
| Policy No.: |
7.420 |
| Supersedes Policy Dated: |
None |
| Effective Date: |
May 27, 2004 |
| Review Date: |
September 9, 2011 |
| Person with Primary Responsibility: |
Director of IT Security |
Purpose
Passphrases are used to authenticate users for access to university computing systems and electronic information. A compromised passphrase can risk disclosure of more than just an individual's e-mail and personal files. It almost always risks disclosure of other sensitive information related to student affairs, personnel issues and patient care. The purpose of this standard is to ensure that all users select strong passphrases that are difficult to guess, crack or otherwise compromise.
Required Standards
The following minimum requirements shall apply to all computing systems attached to the East Carolina University campus computing network.
- Passphrases shall be at least 8 characters in length and contain characters from 3 of the 4 character classes below:
- Numeral
- Upper case letter
- Lower case letter
- Special character (e.g., !, @, #, *, ?)
- Passphrases shall be changed at a minimum of once every 90 days and must not use any of the account's previous 6 passwords
- Computing systems or computer accounts that cannot meet all of the above standards must be approved by the Director of IT Security.
References
System Administration, Network, and Security (SANS) Institute Passphrase Policy, www.sans.org/resources/policies/Password_Policy.pdf (pdf)
UNC-CH passphrase requirements, http://help.unc.edu/?id=1552
