1. Background and Rationale
The Responsible Use of Data and Information Technology Resources policy states that Notre Dame computer users are responsible for their use of and access to data and technology on campus. The strength, integrity, and confidentiality of an individual's password is a key element of that responsibility.
This standard describes the University's requirements for acceptable password selection and use. Its purpose is to reduce overall risk to the institution and its users by encouraging good password selection and password best practices.
This standard applies to all NetID passwords used by systems that participate in Notre Dame enterprise authentication with the exception of Privileged or Service NetIDs. Password requirements for Service and Privileged IDs can be found in The Privileged Account Standard.
1Password is the best solution for creating and storing passwords securely. It is free to use and supports both University and personal use cases. See KB0024957 for more information.
2. Password Composition Requirements
Password complexity
- Passwords must be a minimum of 16 characters.
Has not been exposed in a data breach
- Passwords exposed in data breaches are not sufficiently private.
Difficult to guess or break
- Passwords should not be composed of one or two common words or be a predictable phrase. For example, “herecometheirish” and “fightingirish2019” are poor choices for passwords. Birthdays are also poor choices since they are very easily guessed.
- Passwords must not resemble the NetID or the name of the account holder. Family names should also be avoided.
- The use of passphrases unique to the individual is encouraged because they are easy to remember and difficult to guess, e.g. “grandmascookiesarethebest”.
3. Non-Expiring Passwords
A Notre Dame computer user is not required to change their password unless their password has been compromised. If a user’s password is compromised or suspected to be, the OIT Help Desk will reset the user’s password and contact the user.
NetID users may change their password at any time at okta.nd.edu.
4. Reuse of Passwords
A NetID password must never be used with systems or services that do not participate in Notre Dame enterprise authentication.
5. Sharing of Passwords
Passwords should not be shared. You should not be asked to share a password, and you should not ask someone else to share one. If you must share your password, e.g. to facilitate emergency IT support, you must immediately change your password after the event. If you feel that you have been inappropriately asked to share your password, you should report the event to Notre Dame Information Security at infosec@nd.edu.
6. Multi-factor Authentication
University IT services and applications are required to use multi-factor authentication, i.e. two-step. Users may not bypass or effectively bypass multi-factor authentication. Additionally, user endpoints may not be “allow-listed” without an Information Security variance.
7. Reference Documents
- NetID Access to University Information Technology Resources
- Password Reset
- Responsible Use of Information Technology Resources
- Strong Password Standard
- The Privileged Account Standard
- Shared Credential Management with 1Password
8. Contacts
Policy Clarification
- Information Security, OIT. Telephone (574) 631-3888, email to infosec@nd.edu.
Account Creation
- Help Desk, OIT. Telephone (574) 631-8111, email to oithelp@nd.edu.
9. Exceptions
Exceptions to these standards require the approval of the University’s Director of Information Security.