Password Requirements

Revision as of 14:23, 10 April 2020 by Phil

In order to make it more difficult for people to guess others' passwords, we have some restrictions on the passwords our systems will accept. Those restrictions are described below.

Password Strength Requirements

When you change your password, our systems will enforce the following rules:

Principally, passwords must be at least ten characters long. There is no maximum length.

The characters in a password can be put into one of four groups: lowercase letters (a-z), uppercase letters (A-Z), digits (0-9), and special characters (everything else). For each extra group of characters a password uses, the minimum password length is decreased by one character. In other words, a password with mixed upper- and lowercase letters need only be nine characters long, a password with mixed case and special characters need only be eight characters long, and so on.

Commonly-used passwords, like "password", "letmein", and "abcde1234", will be rejected by our systems.
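The rules above can be expressed as a short check. This is an added example, not the code our systems run: the three-entry deny-list is a constructed sample taken from the examples named above, and the function names and the case-insensitive deny-list match are assumptions.

```python
import string

# Constructed sample only: the page names these three as examples of
# commonly used passwords; the real deny-list is not published there.
COMMON_PASSWORDS = {"password", "letmein", "abcde1234"}

BASE_MIN_LENGTH = 10  # minimum length when only one character group is used


def character_groups(password: str) -> set[str]:
    """Return which of the four groups appear in the password."""
    groups = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            groups.add("lower")
        elif ch in string.ascii_uppercase:
            groups.add("upper")
        elif ch in string.digits:
            groups.add("digit")
        else:
            # "everything else": punctuation, spaces, non-ASCII letters
            groups.add("special")
    return groups


def required_length(password: str) -> int:
    """Ten characters, minus one for each group used beyond the first."""
    extra = max(len(character_groups(password)) - 1, 0)
    return BASE_MIN_LENGTH - extra


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password."""
    # Assumption: deny-list matching ignores case.
    if password.lower() in COMMON_PASSWORDS:
        return False, "commonly used password"
    needed = required_length(password)
    if len(password) < needed:
        return False, f"too short: {len(password)} < {needed}"
    return True, "ok"
```

Note that "abcde1234" is nine characters drawn from two groups, so it satisfies the length rule and is rejected only by the deny-list.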

Periodic Audits

We periodically run a password-checking tool on our passwords. If the tool is able to guess your password, we'll notify you--using your CS email address--that your password needs to be changed. If you don't change your password within the given timeframe, your account will be disabled and you'll have to follow our password reset procedure to reactivate it.

Login Failures

As an additional measure against people trying to guess passwords, if someone (including you) tries the wrong password with your account too often, they'll be locked out of the system for several minutes. As of April 2020, "too often" is four login failures in a row, and "several minutes" is twenty minutes.