Minimum Passphrase Standard

Approved: Chief Information Officer
Policy No.:
Supersedes Policy Dated:
Effective Date:
May 27, 2004
Review Date:
September 9, 2011
Person with Primary Responsibility:
Director of IT Security


Passphrases are used to authenticate users for access to university computing systems and electronic information. A compromised passphrase can risk disclosure of more than just an individual's email and personal files. It almost always risks disclosure of other sensitive information related to student affairs, personnel issues and patient care. The purpose of this standard is to ensure that all users select strong passphrases that are difficult to guess, crack or otherwise compromise.

Required Standards

The following minimum requirements shall apply to all computing systems attached to the East Carolina University campus computing network.

  1. Passphrases shall be at least 8 characters in length and contain characters from 3 of the 4 character classes below:
  • Numeral
  • Upper case letter
  • Lower case letter
  • Special character (e.g., !, @, #, *, ?)
  1. Passphrases shall be changed at a minimum of once every 90 days and must not use any of the account's previous 6 passwords
  1. Computing systems or computer accounts that cannot meet all of the above standards must be approved by the Director of IT Security.


System Administration, Network, and Security (SANS) Institute Passphrase Policy, (pdf)
Tips on creating a secure passphrase, resets and more,