Complex Password Policy
(Adapted from http://www.oit.umass.edu/policies/password.html)
At UMass Amherst, an ADMINFIN Account enables staff to access workstations, files, printers and the campus wired network.
The Complex Password Policy establishes the strength requirements for ADMINFIN Account passwords and is intended to support the secure and productive use of information technology resources. All members of the University community with an active ADMINFIN Account are required to comply with the Complex Password Requirements outlined below.
Complex Password Requirements
Your ADMINFIN Account password:
- Must be between 6 and 16 characters
- Must contain characters from three of the following four categories:
  - uppercase characters (A - Z)
  - lowercase characters (a - z)
  - digits (0 - 9)
  - special characters (limited to the following):
    ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
- Cannot contain three or more adjacent characters from your UserID (e.g., if your UserID is jdoe then your password cannot be 4xP/doe/876)
- Cannot contain the reverse of your UserID (e.g., 4xP/eodj/876)
- Should not be solely composed of English or foreign words or proper names
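The mechanical rules above can be checked in code. The following Python sketch is an added example, not part of the original policy or any UMass system; the function name check_password and the case-insensitive UserID comparison are assumptions, and the rule about words and proper names is not checked because it needs a word list.

```python
import string

# Special characters exactly as listed in the policy.
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def check_password(password, user_id):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if not 6 <= len(password) <= 16:
        problems.append("length must be between 6 and 16 characters")

    # Count how many of the four character categories are present.
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(categories) < 3:
        problems.append("needs characters from three of the four categories")

    # Assumption: comparisons against the UserID ignore case.
    pw, uid = password.lower(), user_id.lower()
    # Every run of three adjacent UserID characters (none if UserID < 3 chars).
    fragments = {uid[i:i + 3] for i in range(len(uid) - 2)}
    if any(f in pw for f in fragments):
        problems.append("contains three or more adjacent UserID characters")
    if uid and uid[::-1] in pw:
        problems.append("contains the reverse of the UserID")
    return problems


if __name__ == "__main__":
    # The first two passwords are the policy's own examples for UserID jdoe;
    # the rest are constructed samples.
    for candidate in ["4xP/doe/876", "4xP/eodj/876", "4xP/kwm/876", "abcdefgh"]:
        issues = check_password(candidate, "jdoe")
        print(candidate, "->", issues or "OK")
```

The two UserID rules are independent: 4xP/eodj/876 contains no three adjacent characters of jdoe in forward order, so only the reverse check catches it.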
Password Management
To protect your ADMINFIN Account information, it is critical that you:
Construct a strong password.
Password-guessing software has become increasingly sophisticated, and many such programs break passwords using ‘dictionary attacks’, trying endless combinations of characters. Follow the Complex Password Requirements listed above to ensure that your password can withstand these types of attacks.
Do not save your password.
Some applications offer to save your passwords. Always say ‘No’ when prompted to save a password online. Also, never write down your password. Instead, create a password reminder in case you forget it.
Do not share your password.
By making passwords available to others, you put your personal information at risk and make it vulnerable to misuse. Do not send your password via email even if the message asking for your password appears official. Note that the ADMINFIN Help Desk will never ask for your account information via email.
Change your password periodically.
To protect your password from ‘dictionary attacks’, change your password twice a year (once every semester). If you suspect that your password has been stolen or compromised, change it immediately.
Do not recycle your password.
Do not use your ADMINFIN Account password for other services (e.g., your bank account or your non-UMass email address). If your password is hacked, all the accounts using this password are at risk.
Log out of ADMINFIN services.
Remember to log out of any ADMINFIN service (e.g., Budget Change System, Salary Forecasting System, computers in the ADMINFIN Domain) when you are finished using the service or when you step away from your computer.