One of the potentially weakest links in computer security is the individual password. Despite the University's efforts to keep hackers out of your personal files and away from Mount Allison-only resources (e.g., e-mail, web files, licensed software), easily guessed passwords are still a big problem.
Passwords must have a minimum length of 14 characters. Passwords over 19 characters are the gold standard and offer the most protection.
Password Requirement Guidelines
- To improve the security of a password, include characters other than lowercase letters, such as uppercase letters, digits, and punctuation.
- Do not use a word modified slightly with a single number added at the end or with well-known substitutions such as a zero used in place of the letter 'O'. These are easily predictable patterns.
- Do not use the same password for University systems as is used for personal accounts or other organizations.
- Do not use words that appear in a dictionary.
- Do not include your name, the names of family members or pets, or other easily obtainable personal information in a password.
- Do not use a word spelled backwards.
- Do not use a combination of characters that someone watching could easily recognize as the password is entered.
- When changing passwords, the new password should be different from the old one.
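The guidelines above can be checked mechanically. The following is an added example, not a University tool: the function names, the substitution table (the page names only zero for 'O'), and the sample word list are assumptions made for illustration.

```python
import re

MIN_LENGTH = 14  # minimum length stated in the policy above

# Assumed table of "well-known substitutions"; extend it to suit your word list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def base_forms(password):
    """Return the plain strings a password may be a thin disguise of."""
    lowered = password.lower()
    stripped = re.sub(r"\d+$", "", lowered)    # drop a number added at the end
    forms = set()
    for candidate in (lowered, stripped):
        plain = candidate.translate(LEET)      # undo character substitutions
        forms.update({candidate, plain, candidate[::-1], plain[::-1]})
    return forms

def check_password(password, wordlist, personal=(), old_password=None):
    """Return a list of guideline violations; an empty list means none found."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 14 characters")
    if re.fullmatch(r"[a-z]+", password):
        problems.append("only lowercase letters")
    if base_forms(password) & {w.lower() for w in wordlist}:
        problems.append("dictionary word, reversed word, or predictable variant")
    if any(p and p.lower() in password.lower() for p in personal):
        problems.append("contains personal information")
    if old_password is not None and password == old_password:
        problems.append("same as the old password")
    return problems

# Constructed sample data, for demonstration only.
SAMPLE_WORDS = ["administration", "pepper", "mushrooms", "organic"]

if __name__ == "__main__":
    for pw in ["Administrat1on7", "noitartsinimda", "Pepper tofu with 5mushrooms!"]:
        print(repr(pw), check_password(pw, SAMPLE_WORDS, personal=["Rex"]))
```

The dictionary check compares the whole password against the word list, so a multi-word pass phrase is not rejected merely for containing ordinary words.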
Mount Allison now recommends the use of "pass phrases" instead of passwords. Pass phrases are longer but easier to remember than complex passwords and, if well chosen, can provide better protection against hackers.
A pass phrase is simply a series of words, which can include spaces, that you use instead of a single pass “word.” Pass phrases should be at least 16 to 25 characters in length (spaces count as characters). Longer is better because, though pass phrases look simple, the increased length provides so many possible permutations that a standard password-cracking program will not be effective. It also helps to disguise that simplicity by throwing in elements of weirdness, nonsense, or randomness. Here, for example, are a couple of pass phrase candidates:
- pepper tofu with mushrooms (26 characters)
- organic sweet essential oil (27 characters)
Punctuate and capitalize your phrase:
- Pepper tofu with mushrooms!
- organic&Sweet Essential oil
Toss in a few numbers or symbols from the top row of the keyboard, plus some deliberately misspelled words, and you'll create an almost unguessable key to your account:
- Pepper tofu with 5mushrooms!
- Organic&Sweet 3ssential oil
- Passwords must not be recorded on paper or online
- Passwords must not be recorded in a visible location in a workspace (e.g. a sticky note attached to a monitor or keyboard)
- Passwords must not be shared with anyone
- Passwords must not be sent by e-mail
Administrator passwords deserve additional attention. Administrator account access should only be granted to those requiring such access to perform their work. Administrator accounts should not be shared.