All Middlebury College students, faculty, and employees (including contractors and vendors with access to Middlebury College systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.  Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Middlebury College’s entire computer network.

This policy defines standards for creation of strong passwords and their protection.  The policy applies to all individuals who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that resides at any Middlebury College facility, has access to the Middlebury College network, or stores any non-public Middlebury College information.

Standards for Creating Strong Passwords

All user-level and system-level passwords must conform to Middlebury’s Guidelines for Construction of Strong Passwords, described below.

Guidelines for Construction of Strong Passwords

Passwords are used for various purposes at Middlebury College. Some of the more common uses include: user level accounts, web accounts, email accounts, as well as Oracle, Blackbaud, and Banner logins. Since it is very easy to guess or crack certain types of passwords, everyone should be aware of how to select strong passwords.

Users must construct strong passwords with all these characteristics:

  • contain both upper and lower case characters and digits (e.g., a-z, A-Z, 0-9)
  • contain punctuation characters (listing updated 15-May-2008)
    • the following are acceptable: ~ ^ * _ ? \ . / ! + - { } [ ]
    • the following are not acceptable: @ $ & ” : ( ) , < > ` ; = | # %  (or blank spaces)
  • are at least 10 alphanumeric characters long
  • are not a word in any language, slang, dialect, jargon, etc.
  • are not names of famous people or fictional characters
  • are not based on personal information, names of family, etc.

Users must avoid poor, weak passwords with any of these characteristics:

  • a word found in a dictionary (English or foreign)
  • a common usage word
  • any representation of the user’s birthday
  • the name of family, pets, friends, co-workers, fictional characters, etc.
  • the words “Middlebury College”, “middlebury”, or any derivation
  • an alphabetic or numerical pattern such as aaabbb, qwerty, zyxwvuts, 123321, etc.
  • any of the above spelled backwards
  • any of the above preceded or followed by a digit (e.g., secret1, 1secret)
  • other personal information such as addresses, social security and phone numbers

A suggested way to create a password is to devise a mnemonic on a song or book title, affirmation, or other phrase. For example, passwords based on the phrase “This May Be One Way To Remember” could be “TmB1w2R!” or “Tmb1W>r~” or some other variation. NOTE: Do not use either of these examples as passwords!

Standards for Password Protection

All passwords are to be treated as private Middlebury College information.

Passwords MUST remain private. Users should NOT:

  • reveal a password in an email message, instant messaging software, or other forms of electronic communication
  • reveal a password over the phone to anyone
  • reveal a password on questionnaires or security forms
  • reveal a password to anyone, including other employees or students, supervisors, administrative assistants, student workers, friends, or family members
  • reveal or talk about a password in front of others
  • hint at the format of a password (e.g., “my family name”)
  • write down passwords and store them anywhere in your office or room
  • store passwords in a file on any computer system (including mobile devices) without encryption
  • use the same password for Middlebury College accounts as for non-Middlebury College access (e.g., personal internet account, option trading, electronic banking, benefits, etc.)
  • use the “Remember Password” feature of web browsers 

No Middlebury College student or employee should ever request another community member’s password.  If someone demands a password for a Middlebury computer or account, refer them to this policy, or have them contact the ITS Help Desk at helpdesk@middlebury.edu.

If an account or password is suspected to have been compromised, report the incident by sending an email to helpdesk@middlebury.edu and then change ALL passwords. Visit http://go.middlebury.edu/passwordhelp for information about changing or resetting passwords.

Information Technology Services
Davis Family Library 202
Middlebury, VT 05753