Password Policy
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
A complex password is more secure because it is more difficult for an attacker to discover, whether through a simple guess or through more involved "brute force" tactics. Nazareth University of Rochester enforces a password policy to protect our users, ensure security on our network, and comply with industry and legal regulations, such as FERPA, PCI DSS, and HIPAA.
The password MUST
- Contain 8 characters or more
- Contain characters from any 3 of the following 4 character classes:
  - Latin upper-case letters: ABCDEFGHIJKLMNOPQRSTUVWXYZ
  - Latin lower-case letters: abcdefghijklmnopqrstuvwxyz
  - Base 10 digits: 0123456789
  - Symbols, punctuation, whitespace, and other printable characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
- Be changed every 90 days, at a minimum
The password MUST NOT be
- A derivative of the username or your name
- A word found in a dictionary (English or foreign)
- A dictionary word spelled backwards
- A dictionary word (forward or backwards) preceded and/or followed by any other single character (e.g., secret1, 1secret, secret?, secret!)
- The same as any of your past 6 passwords
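
The MUST and MUST NOT rules above can be checked mechanically when a password is set. The following is an added example, not Nazareth University's own code; the function names, the tiny wordlist, and the way "derivative of the username or your name" is approximated are assumptions. The 90-day and past-6-passwords rules need stored state and are not covered.

```python
import string

# Constructed sample wordlist; a real check would load full dictionaries.
SAMPLE_WORDS = {"secret", "password", "dragon", "welcome"}

def char_classes(pw):
    """Count how many of the policy's 4 character classes appear in pw.
    Assumption: non-ASCII characters do not count toward these 4 classes."""
    return sum([
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation or c.isspace() for c in pw),
    ])

def is_dictionary_variant(pw, words):
    """True if pw is a word, forward or reversed, with at most one extra
    character before and/or after it (secret1, 1secret, ?terces!)."""
    low = pw.lower()
    cores = {low, low[1:], low[:-1], low[1:-1]}
    return any(c and (c in words or c[::-1] in words) for c in cores)

def policy_violations(pw, username, full_name, words=SAMPLE_WORDS):
    """Return the list of MUST / MUST NOT rules that pw breaks."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if char_classes(pw) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    # Assumption: "derivative" is approximated as containing the username
    # or any part of the name (3+ letters), forward or reversed.
    low = pw.lower()
    tokens = [username.lower()]
    tokens += [p for p in full_name.lower().split() if len(p) >= 3]
    if any(t and (t in low or t[::-1] in low) for t in tokens):
        problems.append("derived from username or name")
    if is_dictionary_variant(pw, words):
        problems.append("dictionary word, reversed or padded by one character")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs for a hypothetical user "jdoe1" / "Jane Doe".
    for candidate in ["Secret1", "?terceS!", "Jdoe1-2024x", "T4ble-lamp Quilt"]:
        print(repr(candidate), policy_violations(candidate, "jdoe1", "Jane Doe"))
```
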
The password SHOULD
- Be at least 12 characters in length
- Contain characters from all 4 of the character classes above
- Contain characters from additional character classes, such as Greek characters, Cyrillic characters, or other Unicode or control characters
- Be changed any time you suspect that your account has been compromised or tampered with.
The password SHOULD NOT
- Be easily guessed by someone who knows you or who can obtain basic information about you. For example, do not use:
  - Your username or NazID number
  - Names of family, pets, friends, co-workers, lovers, etc.
  - Computer terms and names, commands, sites, companies, hardware, software.
  - Birthdays and other personal information such as addresses and phone numbers.
  - Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Be the same as a password for another site or service, especially online banking.
- Be written down or stored online. If you do write your passwords down, keep the list in a safe place, such as a wallet or safe, not attached to a monitor or in an unlocked desk drawer.