Complex passwords

SA2: Servers and applications that manage passwords must force the setting of a complex password. Further, they must enforce multi-factor authentication where technically possible. Complexity and reset frequency must meet the following requirements where technically feasible (consult the Security office if the following requirements are not technically feasible):

  1. Use HarvardKey for authentication


  1. Passwords of more than 20 characters in length


  1. Passwords 20 characters or fewer in length with the following requirements:
    1. No common names or dictionary words
    2. No sequences of more than 4 digits in a row
    3. Include at least one character from at least 3 of these categories:
      1. Uppercase letter
      2. Lowercase letter
      3. Digits
      4. Special character
    4. Password reset/expiration period as follows:
      1. 10-20 characters = no periodic reset/expiration required
      2. 8-9 characters plus a second authentication factor = no periodic reset/expiration required
      3. 8-9 characters only = annual password reset/expiration required



How to Comply

Enforce password complexity

Server operators should implement LDAP, AD, IAM as best practice where possible. Two factor authentication is required for any system handling L3/medium risk data and above.