Password Rules
Best Practice
Implement a policy for secure passwords that includes frequency of change and complexity rules.
Examples
Best practice employs a password-setting process that rejects simple or guessable passwords: for example, passwords shorter than 8 characters, common names and words in various languages, sequences of numbers, or passwords that do not include at least one non-alphabetic character. An access control that consists of a logname combined with part or all of a birth date, social security number, HUID, phone number, or any other public or otherwise discoverable information does not meet these criteria.
Best practice uses the Harvard PIN system or LDAP Server for University applications that access confidential information unless a specific exception is made by the University CIO.
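The rejection rules listed above can be enforced at the moment a password is set. The following is an added example, not code from the University or from any system named on this page; the function name check_password, the small constructed word list, and the 4-digit overlap threshold for personal information are assumptions made for illustration.

```python
import re
import string

# Constructed sample word list; a real deployment would load a large
# multilingual dictionary and a list of known-breached passwords instead.
COMMON_WORDS = {"password", "welcome", "harvard", "michael", "soleil", "passwort"}

def _digits(s):
    """Keep only the digits, so '1990-04-17' and '19900417' compare equal."""
    return re.sub(r"\D", "", s)

def _is_sequence(digits):
    """True for runs such as 12345678, 87654321 or 11111111."""
    if len(digits) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1}, {0})

def check_password(password, logname, personal_info=()):
    """Return a list of rejection reasons; an empty list means accepted.

    personal_info: discoverable values tied to the user (birth date, phone
    number, ID numbers), passed as strings with any punctuation.
    """
    reasons = []
    lowered = password.lower()
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if password.isalpha():
        reasons.append("no non-alphabetic character")
    if password.isdigit() and _is_sequence(password):
        reasons.append("sequence of numbers")
    # Strip digits and symbols from both ends so "Welcome1!" still matches.
    core = lowered.strip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        reasons.append("common name or word")
    if logname and logname.lower() in lowered:
        reasons.append("contains logname")
    pw_digits = _digits(password)
    for item in personal_info:
        d = _digits(item)
        # "Part or all": any 4-digit run of the value appearing in the password.
        if any(d[i:i + 4] in pw_digits for i in range(len(d) - 3)):
            reasons.append("contains personal information")
            break
    return reasons
```

A caller would refuse the new password whenever the returned list is non-empty and show the reasons to the user.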






