Password policy and Guidance

Information Services, University of Stirling

User Passwords

Policy

  1. University usernames and passwords are unique and used to grant access to information and resources specific to individual needs.
  2. They are used to identify and log user activity on University systems and services.
  3. Passwords must be kept confidential; they should never be shared or disclosed to anyone. The University will never ask for your password.
  4. A password used for access to University resources must not also be used to access any other, third-party, resource.
  5. Users must inform Information Services if they know or suspect that their password has been compromised. 
  6. In the event of a password being compromised the user will be required to change the password to one they have not previously used.

Responsibilities

User, to:

  • set a strong password
  • keep their password secret
  • use their University password only for their University account
  • inform Information Services if they think that their password may have been compromised
  • change their password if required to do so by Information Services
  • if required to change their password, not reuse any previously used password

Information Services, to:

  • educate users about information security relating to passwords
  • use all reasonable technical measures to prevent password compromises and detect them when they happen
  • notify users when their passwords are believed to have been compromised and require those passwords to be changed

Password rules

  1. User passwords must be a minimum of 12 characters in length.  There is no maximum length.
  2. Passwords must combine upper case characters (A-Z), lower case characters (a-z), and numerals (0-9), with at least one of each type.
  3. Users must not incorporate into their password any easily guessed information about themselves (e.g. own names, date of birth) or their family (e.g. partner’s or children’s names, or dates of birth), breeds or names of pets, home address, make of car, etc.
  4. Passwords must not be based on commonly used words or phrases such as “password”, “letmein”, “opensesame”.  A list of commonly used passwords is available for reference.
  5. There is no default time limit on the use of a password; a password will not need to be changed unless there is reason to believe that it has been compromised.

As per Policy, if a password change is required, the user must create a password that they have not used before. 

Guidance on setting a 12-character password

The following guidance is offered to assist users in setting a password which is:

  • Easy to remember so that it doesn’t have to be written down
  • Difficult to guess (see points 4 and 5 in the section directly above)
  • Resistant to automated brute-force password cracking programs

Don’t think of it as a “pass word”, think of it as a “pass phrase”.  Using any single word makes it easier to guess or crack.

So, how do you come up with 12 or more apparently random characters that you can easily remember?

  • Identify one or more sentences which have a total of 12 or more words that you can easily remember, such as your favourite quote from a movie, favourite passage from a book or song.
  • Better still, make up the sentences yourself so that there is no frame of reference for a would-be password cracker.
  • Then use the initial letters of the words you have chosen to create your password.
  • If the phrase has proper nouns in it, use an upper case letter to represent them and lower case for the other words.
  • If there are any number words in the phrase, use the numeral to represent them.

Example, a line spoken by Samuel L. Jackson in Quentin Tarantino’s film Pulp Fiction:

“And you will know I am the Lord when I lay my vengeance upon you.” (Ezekiel 25:17)
becomes the fairly random 15-character password:
AywkIatLwIlmvuy

To meet the requirement for at least one number, you could enhance this to AywkIatLwIlmvuy25
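The initial-letter method and the password rules above, as an added Python example that is not part of the University's guidance or of any University system. The common-password list and the number-word table are constructed stand-ins for the list the page links to, and the personal-information terms (names, dates, pets) are supplied by the caller.

```python
import hashlib
import re
import string

MIN_LENGTH = 12  # rule 1 on the page; there is no maximum

# Constructed stand-in for the list of commonly used passwords the page refers to.
COMMON_WORDS = ("password", "letmein", "opensesame", "qwerty", "123456")

# Constructed table of number words -> numerals (the guidance says "use the numeral").
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}


def derive_password(phrase: str) -> str:
    """Initial letter of each word, case kept as written (so proper nouns and 'I'
    stay upper case), number words replaced by numerals, punctuation dropped."""
    out = []
    for token in phrase.split():
        word = token.strip(string.punctuation)
        if word:
            out.append(NUMBER_WORDS.get(word.lower(), word[0]))
    return "".join(out)


def password_hash(password: str) -> str:
    """Digest used for the reuse check (demonstration only; real stores use a slow KDF)."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password: str, personal_terms=(), previous_hashes=frozenset()) -> list:
    """Return the policy rules a candidate password breaks; an empty list means it passes.
    previous_hashes holds digests of earlier passwords, for the no-reuse rule."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("rule 1: fewer than 12 characters")
    for pattern, kind in (("[A-Z]", "upper case"), ("[a-z]", "lower case"), ("[0-9]", "numeral")):
        if not re.search(pattern, password):
            failures.append(f"rule 2: no {kind} character")
    lowered = password.lower()
    for term in personal_terms:  # rule 3: easily guessed personal information
        if term.lower() in lowered:
            failures.append(f"rule 3: contains personal information '{term}'")
    for word in COMMON_WORDS:  # rule 4: not based on a commonly used word or phrase
        if word in lowered:
            failures.append(f"rule 4: based on common word '{word}'")
    if password_hash(password) in previous_hashes:
        failures.append("rule 6: previously used password")
    return failures
```

Run on the Pulp Fiction line, `derive_password` returns `AywkIatLwIlmvuy`, which `check_password` rejects only for the missing numeral; appending the chapter number as the page suggests makes it pass.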

You will only be required to change your “password” if it is believed to have been compromised, so it is worth taking the time to make it a good one by starting with a phrase that includes proper nouns and number words.