1. Background and Rationale
The Responsible Use of Data and Information Technology Resources policy states that Notre Dame computer users are responsible for their use of and access to data and technology on campus. The integrity and secrecy of an individual's password is a key element of that responsibility.
This standard describes the University's requirements for acceptable password selection and maintenance. Its purpose is to reduce overall risk to the institution by helping computer users reasonably avoid security and privacy risks that result from weak password choices and to encourage attention to password secrecy.
This standard applies to all NetID passwords used by systems that participate in Notre Dame enterprise authentication with the exception of Privileged or Service NetIDs. Password requirements for Service and Privileged IDs can be found in the Privileged Account Standard.
2. Password Composition
NetID passwords must meet the following requirements:
Password minimum length
A password must be no fewer than eight characters.
Password length, in combination with password complexity, makes a password difficult to guess and less vulnerable to brute force attacks. Though technology constraints may impose maximum length or other restrictions, "Pass Phrases" (memorable short sentences instead of single words) should be used where possible.
Password complexity
- Passwords must be a minimum of 8 characters.
- Passwords between 8 and 15 characters must use 3 of the following 4 character classes*:
  - Uppercase letters: A-Z
  - Lowercase letters: a-z
  - Numbers: 0-9
  - Non-alphanumeric characters: for example $, !, #
- Passwords that are 16 or more characters only need to use 1 character class, but can use more if desired.
*Guest NetIDs only require 2 character classes.
Difficult to Guess or Break
- Passwords should not be composed of a single common word or a predictable phrase; for example, “GoIrish1” and “NotreDame2016” are poor choices for a password. Birthdays are also poor choices since they are very easily guessed.
- Passwords must not resemble the NetID or the name of the account holder. Family names should also be avoided.
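The composition rules above can be expressed as a check, shown here as an added example that is not part of the standard or of any University system. The function names, the sample NetID "jdoe1" and the substring test used for "resemble" are assumptions made for illustration.

```python
import string

def char_classes(password):
    # The four classes named in the standard; any character that is not an
    # ASCII letter or digit is counted as non-alphanumeric.
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return classes

def required_classes(length, guest=False):
    # 16+ characters: 1 class; 8-15 characters: 3 of 4 (2 for Guest NetIDs).
    if length >= 16:
        return 1
    return 2 if guest else 3

def resembles(password, netid, full_name=""):
    # Assumption: "resemble" means case-insensitive containment of the NetID
    # or of any name part of 3+ characters. The standard gives no exact test.
    pw = password.lower()
    tokens = [netid] + full_name.split()
    return any(len(t) >= 3 and t.lower() in pw for t in tokens)

def check_password(password, netid, full_name="", guest=False):
    """Return a list of violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    else:
        need = required_classes(len(password), guest)
        have = len(char_classes(password))
        if have < need:
            problems.append(f"uses {have} character classes, needs {need}")
    if resembles(password, netid, full_name):
        problems.append("resembles the NetID or account holder's name")
    return problems
```

The check covers only the mandatory length, class and resemblance rules; the guidance on common words and predictable phrases would need a separate word list.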
3. Non-Expiring Passwords
A Notre Dame computer user is not required to change their password unless their user account password has been compromised. If a user’s password is compromised or suspected to be, the OIT Help Desk will reset the user’s password and contact the user.
NetID users may change their password at any time at password.nd.edu.
4. Reuse of Passwords
A NetID password must never be used with systems or services that do not participate in Notre Dame enterprise authentication.
5. Reference Documents
- NetID Access to University Information Technology Resources (PDF)
- Immediate Computer Access Suspension Request
- Password Reset Procedures
- Responsible Use of Information Technology Resources
- Privileged Account Standard
6. Contacts
Policy Clarification
Information Security, OIT. Telephone (574) 631-3888, email to infosec@nd.edu
Account Creation
Help Desk, OIT. Telephone (574) 631-8111, email to servicedesk@nd.edu.
7. Exceptions
Exceptions to these standards require the approval of the University’s Director of Information Security.