A Sample Password Policy

Somewhere Public Library Password Policy

Purpose

All specific users of the Somewhere Public Library network are assigned user accounts administered by a central server. User accounts are composed of three elements: a user name, a password, and a configuration record on the server. A network user must submit his user name as a means of identifying his specific configuration record. The password is used to authenticate (that is, to verify) that the user is who he claims to be.

This password policy is issued to specify the characteristics passwords must possess in order to maintain network security. Users are responsible for understanding and adhering to the following principles when creating or renewing passwords for their library account. Failure to observe these principles, or providing your password to other users, will be addressed according to library disciplinary policy.

Scope

This policy applies to all library staff, city personnel, contracted technical workers, and patrons assigned individual accounts.

Password Composition

Passwords that can be guessed by unauthorized personnel create the opportunity for breaches of security. To ensure maximum security, passwords must be hard to guess, not just by other human users but by extremely fast computers armed with multi-lingual dictionaries. You will create strong (hard-to-guess) passwords by following these instructions:

Must Nots:

  • Your password must not contain your user name, your real name (first, middle, or last), your e-mail name, or any derivative of these.

  • Your password must not be any single word in any language (password cracking software has access to language dictionaries for many, many languages).

  • Your password must not be any fact associated with you: a pet's name, your birthdate, phone number, social security number, driver's license number, car license number, et cetera. Likewise, your password should not be a fact associated with your spouse or children.

Musts:

  • Your password must be at least six characters long. Passwords 8-14 characters long provide optimal security.

  • Your password must be a combination of uppercase and lowercase letters, numerals, punctuation marks, and other special characters. To a computer, the uppercase letters are different than lowercase letters. Three examples are shown below:

TriqsL6L: this password has a mix of three of these categories, making it strong. It also has a rhyming quality, making it easier to remember.

shorT#ducK: this password also has a mix of three of the categories mentioned. Notice there are two unrelated words joined together, but with mixed case and with a special character between them. Joining two words this way also helps you remember your password.

Tqbfjotld: this password has only two categories represented, but offers a seemingly random mix of letters. In this example, the memory aid is using an acronym of the well-known phrase, "The quick brown fox jumped over the lazy dog." Take a favorite quotation (probably not a famous one, though) and create an acronym by using a particular character from each word. Insert a special character for additional security.
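The composition rules above can be enforced at account-creation time rather than left to the user's memory. The following is an added example, not part of the library's policy or of any system it runs, of a checker that applies the Musts and Must Nots to a candidate password. The word list, the user record, and the treatment of "derivative" (lowercase, reversed, and common letter-for-digit substitutions) are assumptions made for the example; a deployed checker would load real multi-lingual dictionaries and pull the identifying terms from the account's configuration record.

```python
import string

# Constructed stand-in for a cracking dictionary. The policy notes that
# cracking software carries dictionaries for many languages; a real
# checker would load full word lists instead of this small set.
SAMPLE_DICTIONARY = {"password", "library", "welcome", "biblioteca", "bonjour", "fox"}

# The four character categories named in the policy.
CATEGORIES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numeral": set(string.digits),
    "special": set(string.punctuation),
}


def character_categories(password):
    """Return the set of policy character categories present in the password."""
    present = set()
    for ch in password:
        for name, members in CATEGORIES.items():
            if ch in members:
                present.add(name)
    return present


def derivatives(term):
    """Derivatives of an identifying term: lowercased, reversed, and with
    common letter-for-digit substitutions. This is an assumption for the
    example; the policy does not enumerate what counts as a derivative."""
    t = term.lower()
    if len(t) < 3:  # very short fragments would match almost anything
        return set()
    leet = t.translate(str.maketrans("aeiost", "431057"))
    return {t, t[::-1], leet}


def check_password(password, user_name, real_name, email,
                   personal_facts=(), dictionary=SAMPLE_DICTIONARY):
    """Return a list of policy violations; an empty list means acceptable."""
    violations = []
    lowered = password.lower()

    # Must: at least six characters (8-14 is the recommended range).
    if len(password) < 6:
        violations.append("shorter than six characters")

    # Must: a combination of categories. At least two is assumed here,
    # since the policy's own third example has only two represented.
    if len(character_categories(password)) < 2:
        violations.append("uses only one character category")

    # Must not: contain the user name, any part of the real name,
    # the e-mail name (local part), or a derivative of these.
    identity_terms = [user_name, email.split("@")[0]] + real_name.split()
    for term in identity_terms:
        for d in derivatives(term):
            if d in lowered:
                violations.append("contains identifying term or derivative: %r" % term)
                break

    # Must not: be a single dictionary word. Compared case-insensitively
    # and ignoring leading/trailing digits or punctuation ('Password1').
    core = lowered.strip(string.digits + string.punctuation)
    if core in dictionary:
        violations.append("is a dictionary word: %r" % core)

    # Must not: contain a fact associated with the user (pet's name,
    # birthdate, phone number, ...). Separators are ignored on both sides.
    alnum_password = "".join(ch for ch in lowered if ch.isalnum())
    for fact in personal_facts:
        normalized = "".join(ch for ch in fact.lower() if ch.isalnum())
        if normalized and normalized in alnum_password:
            violations.append("contains a personal fact: %r" % fact)

    return violations


if __name__ == "__main__":
    # Constructed user record for demonstration.
    user = dict(user_name="jsmith", real_name="Jane Smith",
                email="jane.smith@example.org",
                personal_facts=("Rex", "1975-03-02", "555-0100"))
    for candidate in ("TriqsL6L", "shorT#ducK", "Tqbfjotld",
                      "Password1", "jsmith1", "Rex2011!"):
        print(candidate, "->", check_password(candidate, **user) or "OK")
```

The three passwords shown in the policy pass every check against the constructed record, while a dictionary word with a trailing digit, a password built from the user name, and one built from the pet's name are each rejected with a reason the user can act on.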


Page last modified: March 2, 2011