Creating Strong Passwords

Passwords are like passports or a blank check; if lost or stolen, they give hackers a world of opportunity by providing access to your personal, financial and work data. The campus Password Policy helps you be proactive in selecting strong passwords and managing them, to protect your identity and University resources. Once you've read and understood the password policy, you should change your NetID password and other campus passwords that do not meet the standards.

Note: Many, but not all, campus passwords are used in conjunction with Oracle databases, for which there may be some exceptions to the password guidelines in this document. Those exceptions are noted in parentheses.

Strong Password Characteristics

  • Are at least eight alphanumeric characters long
  • Contain at least three of the following four categories:
    • Upper case characters (e.g., A-Z)
    • Lower case characters (e.g., a-z) (Note: Oracle does not distinguish between upper and lower case in passwords.)
    • Digits (e.g., 0-9)
    • Special characters (e.g., !@#$%^&*()_+|~-=\`{}[]:";'<>?,./) (Note: Oracle allows only the special character underscore (_) in a password, unless the password is enclosed in quotes.)
  • Are kept private. Passwords should be memorized or, if written down, kept in a locked file cabinet or other secure location.
  • Do not contain a common proper name, login ID, email address, initials, first, middle or last name

Weak Password Characteristics

  • The password contains fewer than eight characters
  • The password is a word found in a dictionary (English or foreign) or a word in any language, slang, dialect, jargon, etc.
  • The password is the same as your user name or login name
  • The password is a common usage word such as names of family, pets, friends, computer terms, birthdays or other personal information, or number patterns like aaabbb, dddddd, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelled backwards
  • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
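
One way to turn the strong and weak characteristics above into an automated check (an added example, not part of the campus policy or any campus tool). The function names and the short word list are assumptions constructed for illustration, and the Oracle exceptions are not modelled.

```python
import string

# Constructed sample list (assumption): a real check would load a full
# dictionary and common-password list instead of these few entries.
WEAK_WORDS = {"secret", "password", "qwerty", "zyxwvuts",
              "aaabbb", "dddddd", "123321"}


def _weak_core(password):
    """Return the weak word the password is built on, or None.

    Covers the word itself, the word spelled backwards, and either
    form preceded or followed by a single digit."""
    low = password.lower()
    candidates = [low]
    if low[:1].isdigit():
        candidates.append(low[1:])    # e.g. 1secret -> secret
    if low[-1:].isdigit():
        candidates.append(low[:-1])   # e.g. secret1 -> secret
    for cand in candidates:
        if cand in WEAK_WORDS:
            return cand
        if cand[::-1] in WEAK_WORDS:  # spelled backwards
            return cand[::-1]
    return None


def check_password(password, login_id):
    """Return a list of violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than eight characters")
    # string.punctuation is the same set as the special characters listed above.
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(categories) < 3:
        problems.append("fewer than three of the four character categories")
    if login_id and login_id.lower() in password.lower():
        problems.append("contains the login ID")
    core = _weak_core(password)
    if core:
        problems.append("based on a weak word or pattern: " + core)
    return problems
```

A password can satisfy the length and category rules and still fail: `Jdoe#2024x` for login ID `jdoe` is rejected only because it contains the login ID.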

A List of Don’ts

  • Don't reveal a password over the phone or in person to anyone. Not your boss. Not your family. Not your co-workers. If someone demands a password, refer them to this document.
  • Don't reveal a password in an email message
  • Don't talk about a password in front of others
  • Don't hint at the format of a password (e.g., "my family name")
  • Don't reveal a password on questionnaires or security forms
  • Avoid writing passwords down, but if you must, store them in a secure place (e.g., a locked file cabinet)
  • Passwords should never be stored unencrypted on-line
  • Do not use the “Remember Password” feature of applications (e.g., Outlook, Thunderbird, Evolution) 
  • Don't use the default password, if one is provided. Change it immediately to a new, stronger password.
  • Don't reuse old passwords. NetID passwords cannot be reused within a 12-month period, and passwords cannot be changed to any of the previous three passwords.
