SA2: Servers and applications that manage passwords must force the setting of a complex password. Further, they must enforce multi-factor authentication where technically possible. Complexity and reset frequency must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible):
- Use HarvardKey for authentication
OR:
- Passwords of more than 20 characters in length
OR:
- Passwords 20 characters or fewer in length with the following requirements:
  - No common names or dictionary words
  - No sequences of more than 4 digits in a row
  - Include at least one character from at least 3 of these categories:
    - Uppercase letter
    - Lowercase letter
    - Digits
    - Special character
  - Password reset/expiration period as follows:
    - 10-20 characters = no periodic reset/expiration required
    - 8-9 characters plus a second authentication factor = no periodic reset/expiration required
    - 8-9 characters only = annual password reset/expiration required
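
The following validator is an added example, not part of the policy text or any Harvard tooling, showing how an application that manages its own passwords could encode the SA2 length, complexity, and reset rules. The function name `check_sa2`, the tiny `COMMON_WORDS` list, the rejection of passwords under 8 characters, and the reading of "sequence" as a run of consecutive digit characters are assumptions made for illustration.

```python
import re

# Constructed stand-in for a real dictionary / common-name list (assumption).
COMMON_WORDS = {"password", "harvard", "welcome", "dragon", "michael"}


def check_sa2(password, has_second_factor=False, words=COMMON_WORDS):
    """Return (ok, problems, reset) for a locally managed password.

    reset is "none" or "annual"; it is None when the password is rejected
    or when the page states no period (more than 20 characters).
    """
    n = len(password)
    if n > 20:
        # The "more than 20 characters" option carries no further rules.
        return True, [], None

    problems = []
    if n < 8:
        # Assumption: the reset table starts at 8, so shorter is not allowed.
        problems.append("shorter than 8 characters")
    lowered = password.lower()
    if any(w in lowered for w in words):
        problems.append("contains a common name or dictionary word")
    if re.search(r"\d{5,}", password):
        # Assumption: "sequence" means a run of consecutive digit characters.
        problems.append("more than 4 digits in a row")
    categories = [
        any(c.isupper() for c in password),      # uppercase letter
        any(c.islower() for c in password),      # lowercase letter
        any(c.isdigit() for c in password),      # digit
        any(not c.isalnum() for c in password),  # special character
    ]
    if sum(categories) < 3:
        problems.append("fewer than 3 of the 4 character categories")
    if problems:
        return False, problems, None

    # Reset period: 10-20 chars, or 8-9 chars with a second factor -> none.
    if n >= 10 or has_second_factor:
        return True, [], "none"
    return True, [], "annual"
```

A production check would replace `COMMON_WORDS` with a full dictionary and common-name list.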