Password Requirements

Revision as of 14:31, 9 October 2023 by Steve410 (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

In order to make it more difficult for people to guess others' passwords, we have some restrictions on the passwords our systems will accept. Those restrictions are described below.

Password Strength Requirements

When you change your password, our systems will enforce the following rules:

Principally, passwords must be at least ten characters long (with some exceptions; see below). There is no maximum length.

Passwords may be made up of any characters you can type.

Commonly-used and overly-simplistic passwords, like "password", "letmein", and "abcde1234", will be rejected by our systems.

Password Length Exceptions

The characters in a password can be put into one of four groups:

  • lowercase letters (a–z)
  • uppercase letters (A–Z)
  • digits (0–9)
  • special characters (everything else)

For each extra type of character in your password, the minimum password length required is decreased by one character.

In other words,

  • a password with mixed upper- and lowercase letters need only be nine characters long
  • a password with mixed case and special characters need only be eight characters long
  • ...and so on.

Just remember, though, the longer your password, the better!

Checking Password Strength

The pwscore program on our Linux clients will accept and reject passwords using the requirements given above. If it accepts the password, it will print out a quality score from 0 to 100.

  • Scores above 50 indicate that the program thinks it's a fairly strong password.
  • Scores between 10 and 50 are probably okay.
  • Scores below 10, while still acceptable, indicate that the password has room for improvement.

To use pwscore, simply run the program, then type a prospective password. A session might look something like this, with parts in bold being what you type in:

$ pwscore
password123
Password quality check failed:
 The password fails the dictionary check - it is based on a dictionary word

pwscore does not hide the password you're testing as you type it. Anyone who looks at your screen can see the password whose strength you're evaluating!

pwscore does not log your entry attempts on our systems.

Do Not Share Your CS Password!

Please don't share your CS account password with anyone. No one else ever needs to know your account password, not even CS IT Support. If you're requesting information about an account, you can just give the account name; that's enough for authorized people to look up information about the account. Sharing the password with other people is potentially a security risk.
Even if you think the person you're contacting is trustworthy, since they should never need your password, it's good practice to never send it (not even via email or text.) That makes it impossible to accidentally send it to the wrong person, among other things.

Periodic Audits

We periodically run a password-checking tool on our passwords. If the tool is able to guess your password, we'll notify you—using your CS email address—that your password needs to be changed. If you don't change your password within the timeframe we give, your account will be disabled and you'll have to follow our password reset procedure to reactivate it.

Login Failures

As an additional measure against people trying to guess passwords, if someone (including you) tries the wrong password with your account too often, they'll be locked out of the system for approximately 20 minutes.