Middlebury

Password Policy

All Middlebury College students, faculty, and employees (including contractors and vendors with access to Middlebury College systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.  Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Middlebury College's entire computer network.

This policy defines standards for creation of strong passwords, their protection, and required frequency of change.  The policy applies to all individuals who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that resides at any Middlebury College facility, has access to the Middlebury College network, or stores any non-public Middlebury College information.

Standards for Creating Strong Passwords

All user-level and system-level passwords must conform to Middlebury's Guidelines for Construction of Strong Passwords, described below.

Guidelines for Construction of Strong Passwords

Passwords are used for various purposes at Middlebury College. Some of the more common uses include: user level accounts, web accounts, email accounts and Banner logins. Since it is very easy to guess or crack certain types of passwords, everyone should be aware of how to select strong passwords.

Users must construct strong passwords with all these characteristics:

a. contain both upper and lower case characters and digits (e.g., a-z, A-Z, 0-9)

b. contain punctuation characters  (listing updated 15-May-2008)

the following are acceptable:
~ ^ * _ ? \ . / ! + - { } [ ]

the following are not to be used for Middlebury's systems: 
@ $ & " : ( ) , < > ` ; = | # %  (and blank spaces)

c. are at least eight alphanumeric characters long

d. are not a word in any language, slang, dialect, jargon, etc.

e. are not names of famous people, characters in TV shows or movies

f. are not based on personal information, names of family, etc.

Users must avoid poor, weak passwords with any of these characteristics:

a. less than eight characters long

b. a word found in a dictionary (English or foreign)

c. a common usage word

d. any representation of the user's birthday

e. the name of family, pets, friends, co-workers, fantasy characters, etc.

f. the words "Middlebury College", "middlebury", or any derivation

g. an alphabetic or numerical pattern such as aaabbb, qwerty, zyxwvuts, 123321, etc.

h. any of the above spelled backwards

i. any of the above preceded or followed by a digit (e.g., secret1, 1secret)

j. other personal information such as addresses, social security and phone numbers

A suggested way to create a password is to devise a mnemonic on a song or book title, affirmation, or other phrase. For example, passwords based on the phrase "This May Be One Way To Remember" could be "TmB1w2R!" or "Tmb1W>r~" or some other variation. NOTE: Do not use either of these examples as passwords!
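The construction rules and weak-password list above, written as a checker. This is an added example, not part of Middlebury's policy or systems; the character sets are copied from the listing above, while WEAK_WORDS and the "three or fewer distinct characters" pattern heuristic are assumptions standing in for a real dictionary and personal-information check.

```python
import re
import string

# Character sets copied from the policy's punctuation listing.
ALLOWED_PUNCT = set("~^*_?\\./!+-{}[]")
FORBIDDEN = set('@$&":(),<>`;=|#% ')

# Constructed sample wordlist (assumption); a real check would load full
# dictionaries and the user's personal details.
WEAK_WORDS = {"secret", "qwerty", "zyxwvuts", "password"}


def composition_problems(pw):
    """Return the construction rules (items a-c) that pw breaks."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    bad = sorted(set(pw) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if not set(pw) & ALLOWED_PUNCT:
        problems.append("no acceptable punctuation character")
    return problems


def weak_pattern(pw):
    """Return a reason if pw matches weak-list items b, f, g, h or i."""
    lowered = pw.lower()
    core = lowered.strip(string.digits)  # item i: digits before or after
    for candidate, how in ((core, ""), (core[::-1], " spelled backwards")):
        if candidate in WEAK_WORDS:
            return "weak word '%s'%s" % (candidate, how)
    if "middlebury" in lowered:          # item f: any derivation
        return "contains 'middlebury'"
    if len(set(lowered)) <= 3:           # item g heuristic (assumption)
        return "repetitive pattern"
    return None


def check(pw):
    """Return every problem found; an empty list means pw passed."""
    reason = weak_pattern(pw)
    return composition_problems(pw) + ([reason] if reason else [])
```

Run against the two sample passwords in the paragraph above, `check` accepts "TmB1w2R!" and reports the ">" in "Tmb1W>r~", which appears in the not-to-be-used listing.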

Standards for Password Protection

All passwords are to be treated as sensitive, confidential Middlebury College information. Passwords must be changed on a regular basis (see Standards for Frequency of Changing Passwords).

Passwords MUST remain confidential.  Users must NEVER:

a. reveal a password in an email message, instant messaging software, or other forms of electronic communication

b. reveal a password over the phone to anyone

c. reveal a password on questionnaires or security forms

d. reveal a password to anyone, including other employees or students, supervisors, administrative assistants, student workers, friends, or family members

e. reveal or talk about a password in front of others

f. hint at the format of a password (e.g., "my family name")

g. write down passwords and store them anywhere in your office or room

h. store passwords in a file on any computer system (including Palm Pilots or similar devices) without encryption

i. use the same password for Middlebury College accounts as for non-Middlebury College access (e.g., personal internet account, option trading, electronic banking, benefits, etc.)

j. use the "Remember Password" feature of applications (e.g., Outlook, Internet Explorer, Netscape Messenger), whenever possible

No Middlebury College student or employee should ever ask another member of the community for a password.  If someone demands a password for a College computer or account, refer them to this policy, or have them contact the LIS Help Desk at helpdesk@middlebury.edu.

If an account or password is suspected to have been compromised, report the incident by sending an email to helpdesk@middlebury.edu and then change ALL passwords.  Passwords may be changed by visiting http://go.middlebury.edu/password.

Standards for Frequency of Changing Passwords

Passwords for Middlebury College computer and network accounts must be changed at least every six months (for user access to the College network, e-mail, Banner, file servers, Segue and course management systems, special College web applications).

Users with administrative or system-level access (e.g., root, local or domain administrator, and enable) must change passwords at least every three months.

When possible, College computer systems will be programmed to notify users in advance that passwords are due to expire and will prompt the users to select new passwords.