Password Policy

1.0 Purpose
Passwords can be classified as weak or strong based on how difficult they are to guess and/or compute. The Broad College password policy has been chosen as acceptable by the administrators to offer a level of protection beyond simple or weak but not to be so complex as to require being written down and causing additional risk.

2.0 Scope
All faculty, staff, and student accounts within the Broad College network.

3.0 Policy

Passwords for accounts on the Broad College network must adhere to the following rules:

• Expiration: Passwords expire every 365 days
• Length: Passwords must be at least 12 characters long
• Complexity: Passwords must contain characters from at least three of the following five categories:
  • English uppercase characters (A – Z)
  • English lowercase characters (a – z)
  • Base 10 digits (0 – 9)
  • Non-alphanumeric (For example: !, $, #, or %)
  • Unicode characters
• Name Restrictions: Passwords cannot contain the first name, last name, or username of account in question
• Password History: None of the previous 24 passwords can be used

An email reminder will be sent to accounts whose password will expire within 14 days.

3.1 Ownership and Responsibilities
Policy effective January 19, 2004, approved by College Advisory Committee and Department Chairs, December 2003. Individual account owners are responsible for specifying their passwords. It is recommended that phrasing such as “Security is good.” or “I walk my dog a lot!” be used to develop new passwords.

3.2 General Configuration Guidelines

3.3 Monitoring
The network operating system settings/restrictions make the monitoring of this policy mute.

4.0 Enforcement
This policy is enforced by the network operating system settings.

5.0 Definitions

Term	Definition