I. Passwords used to access Confidential Information, and to access systems containing Confidential Information, must meet the following criteria:
- Passwords (other than their own) must be unknown to, and not recoverable by, system administrators.
- Passwords must not be recorded or logged by system administrators, by system or application support staff, or by any software other than the access control software (e.g., the PIN Server). Any passwords saved by access control software must be kept only in an irreversible encrypted form (for example, a cryptographic hash).
- This means that a user who forgets their password cannot be sent or told it; the password must be reset before the user can access the system. A user may be sent a single-use password if it is delivered by a secure method.
II. The password setting process must reject simple or guessable passwords, for example passwords shorter than 8 characters, common names and words in various languages, sequences of numbers, or passwords that do not include at least one non-alphabetic character. An access control consisting of a logname plus part or all of a birth date, social security number, HUID, phone number, or any other public or otherwise discoverable information does not meet these criteria. Use of the Harvard PIN Server for user authentication satisfies these criteria.
III. Any Harvard systems that use such public or discoverable information for access control must be updated to use the PIN Server unless a specific exception to these rules is made by the Harvard CIO.
IV. The above rules are the minimum requirements for passwords used to control access to confidential information at Harvard. Other requirements, such as periodic password changes, may be imposed by Harvard Risk Management and Audit Services under specific circumstances, by governmental regulations such as HIPAA, or by external groups such as the credit card industry.
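The criteria in Sections I and II map directly onto code. The following is an added example and is not Harvard's own software or any part of the PIN Server: a small credential store that rejects passwords failing the Section II tests (length, common words, digit sequences, all-alphabetic, logname or discoverable data embedded in the secret), keeps only a salted PBKDF2-HMAC-SHA256 hash of each password (the KDF and its iteration count are assumptions; the policy names no algorithm), and handles a forgotten password the only way Section I allows, by reset through a single-use token of which only a hash is retained. The wordlist, lognames and sample values are constructed for the example.

```python
"""Added example (not Harvard's code): Section II password checks plus a hash-only store."""
import hashlib
import hmac
import os
import re
import secrets

# Constructed stand-in for the "common names and words in various languages" list;
# a real deployment loads a large multi-language wordlist. Matching is exact here.
COMMON_WORDS = {"password", "welcome", "harvard", "crimson", "qwerty", "letmein", "veritas"}

KDF_ITERATIONS = 100_000  # assumed PBKDF2 cost; the policy specifies no algorithm or cost


def is_numeric_sequence(pw):
    """True for runs of consecutive digits such as 12345678 or 87654321."""
    if len(pw) < 2 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def policy_violations(password, logname, discoverable=()):
    """Return the Section II criteria the password fails; an empty list means accepted.
    `discoverable` holds values the policy calls public or discoverable (birth date,
    HUID, phone number, ...); any 4+ digit fragment of them is treated as 'part of'."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if lowered in COMMON_WORDS:
        problems.append("common name or word")
    if is_numeric_sequence(password):
        problems.append("sequence of numbers")
    if password.isalpha():
        problems.append("no non-alphabetic character")
    if logname and logname.lower() in lowered:
        problems.append("contains logname")
    for value in discoverable:
        digits = re.sub(r"\D", "", value)
        fragments = [digits[i:i + 4] for i in range(len(digits) - 3)]
        if value.lower() in lowered or any(f in password for f in fragments):
            problems.append("contains discoverable information")
            break
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only this irreversible form is ever stored (Section I)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (KDF_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class CredentialStore:
    """Holds hashes only, so a forgotten password can be reset but never recovered or told."""

    def __init__(self):
        self._hashes = {}        # logname -> hash string from hash_password
        self._reset_tokens = {}  # logname -> SHA-256 of one outstanding single-use token

    def set_password(self, logname, password, discoverable=()):
        problems = policy_violations(password, logname, discoverable)
        if problems:
            raise ValueError("rejected: " + "; ".join(problems))
        self._hashes[logname] = hash_password(password)

    def check(self, logname, password):
        stored = self._hashes.get(logname)
        return stored is not None and verify_password(password, stored)

    def issue_reset_token(self, logname):
        """Single-use value to be delivered out of band by a secure method; only its hash is kept."""
        token = secrets.token_urlsafe(24)
        self._reset_tokens[logname] = hashlib.sha256(token.encode()).digest()
        return token

    def reset_with_token(self, logname, token, new_password, discoverable=()):
        expected = self._reset_tokens.get(logname)
        presented = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(presented, expected):
            return False
        # Consumed before the new password is validated: a rejected choice needs a fresh token.
        del self._reset_tokens[logname]
        self.set_password(logname, new_password, discoverable)
        return True


if __name__ == "__main__":
    store = CredentialStore()
    print(policy_violations("Go1990!x", "jdoe", ["01/15/1990"]))  # flags the birth-year fragment
    store.set_password("jdoe", "Ab3$defg!")
    print(store.check("jdoe", "Ab3$defg!"), store.check("jdoe", "wrong"))
```

Administrators never see a plaintext secret: the store keeps the PBKDF2 output for passwords and a plain SHA-256 for the reset token (the token is high-entropy and random, so a slow KDF buys nothing there), and `reset_with_token` discards the token hash on first successful presentation so it cannot be replayed.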