Password Protection

The purpose of password guidelines is to ensure a more consistent measure of security for the University’s network and the information it contains. The implementation of these guidelines will better safeguard the personal and confidential information of all individuals and organizations affiliated with, associated with, or employed by Bryant University. Additionally, these guidelines establish a standard for the creation of strong passwords and the protection of those passwords.

The guidelines apply to faculty and staff and to all personnel who have or are responsible for an account on any system or who have access to Bryant University information resources. In the case of an information system managed by a third party, the third party’s security controls shall meet or exceed these guidelines. Information Services recommends "passphrases" instead of passwords. Passphrases are longer but easier to remember than complex passwords, and if well chosen can provide better protection.

Password/Passphrase Rules

  • Minimum length 12 characters, maximum length 64 characters
  • No complexity restrictions; no uppercase, lowercase, number, or special character requirement
  • No periodic password change requirement
  • You may choose to reset your password/passphrase anytime
  • A reset password/passphrase cannot be equal to your current password/passphrase or any of your previous four
  • Cannot be a single 12-character word that appears in the English dictionary
  • Must be composed only of characters, numbers, or symbols on the US keyboard
  • Must not contain your first name, middle name, last name, or username
  • Should not be inserted into email messages or other forms of electronic communication
  • Should not be shared with anyone
  • Should not be written down or stored electronically without encryption
  • Do not use the same password/passphrase for Bryant accounts as for other non-Bryant accounts
  • Should be treated as sensitive, confidential information
  • Information Services shall require a password change for any account suspected of being compromised

Information Services implements a strict password/passphrase checking-system. Each time you change or reset your password, the checking-system screens all passwords against a large dictionary of common words, common passwords, passwords that have been leaked by various compromises, and other passwords that may easily be guessed. Passwords matching a dictionary entry will be rejected.
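One way the automatically checkable rules above could be enforced at reset time, as an added example that is not Information Services' own checking system. The word list, the deny list entries beyond the two rejected examples quoted on this page, the case-insensitive matching, the exclusion of spaces from the allowed characters, and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

MIN_LEN, MAX_LEN, HISTORY_DEPTH = 12, 64, 4   # values from the rules above
PBKDF2_ROUNDS = 200_000                       # assumption: not stated on the page
US_KEYBOARD = re.compile(r"[!-~]+")           # printable ASCII without spaces (assumption)

# Constructed stand-ins for the dictionary and the screening list the page describes.
ENGLISH_WORDS = {"acknowledged", "unacceptable", "misunderstand"}
DENY_LIST = {"picturecatchingsky", "alphabetspoonaway", "password1234"}

def hash_entry(secret, salt=None):
    """Return (salt, digest) so that history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def matches(secret, entry):
    salt, digest = entry
    return hmac.compare_digest(hash_entry(secret, salt)[1], digest)

def check_passphrase(candidate, names, history):
    """Return the list of violated rules; an empty list means accepted.

    names:   first, middle and last name plus username
    history: (salt, digest) entries, current passphrase first
    """
    problems = []
    lowered = candidate.lower()
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length")
    if not US_KEYBOARD.fullmatch(candidate):
        problems.append("charset")
    if lowered in ENGLISH_WORDS:          # a lone dictionary word
        problems.append("single dictionary word")
    if lowered in DENY_LIST:              # common, leaked or easily guessed
        problems.append("deny list")
    if any(n and n.lower() in lowered for n in names):
        problems.append("contains name")
    # Slow KDF comparisons run only for candidates that passed the cheap checks.
    # Current passphrase plus the previous four are compared.
    if not problems and any(matches(candidate, e) for e in history[:HISTORY_DEPTH + 1]):
        problems.append("reused")
    return problems
```

Because history is stored as salted hashes, reuse can only be detected by re-deriving the candidate against each stored salt, which is why that check runs last.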

Creating a Passphrase

A passphrase is a series of words that you use instead of a single pass “word”. Passphrases must be at least 12 characters in length and may not include spaces. Keep passphrases simple, long and memorable. Build them from typical English words in uncommon combinations. Following are a few passphrase examples. (Note: These specific examples are excluded from use and will be rejected by the passphrase checking-system.)

  • picturecatchingsky
  • alphabetspoonaway
  • startjumping4JOY
  • keepsimple#undercontrol
  • theslowfoxwontherace

Exceptions

All system-level (system administrator, service account) passwords (e.g., root, enable, admin, application, administration accounts, etc.) carry substantially higher risk, and therefore must conform to more rigorous password restrictions under the control and direction of IS management. Individuals working in organizations where regulatory requirements apply (e.g., PCI, HIPAA, etc.) are required to follow any additional password controls imposed by regulations.