Password Tips and Policy

Password Policy

Choosing a strong password is an important part of protecting your access to University information technology resources.

Northwestern Health Sciences University has a formal Password Policy that requires you to create passwords using the following criteria:

Passwords chosen must:

  • Be a minimum of ten (10) characters in length
  • Be memorized; if a password is written down, it must be kept secure
  • Contain at least one (1) character from three (3) of the following categories:
    • Uppercase letter (A-Z)
    • Lowercase letter (a-z)
    • Digit (0-9)
    • Special character (~`!@#$%^&*()+=_-{}[]\|:;"'?/<>,.)
  • Be private

Passwords chosen must not:

  • Contain a common proper name, login ID, email address, initials, first, middle or last name

It is strongly recommended that:

  • Passwords are changed twice per year
  • Each password chosen is new and different
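
The "must" and "must not" criteria above can be checked mechanically. The following Python check is an added example, not the University's own tooling. The function names, the three-character minimum for identity fragments, and the extra check on the part of the email address before the @ are assumptions. It does not cover the "common proper name" rule, which would need a name list.

```python
import string

# Special characters listed in the policy (straight quotes stand in for the
# page's typographic ones).
SPECIALS = set("~`!@#$%^&*()+=_-{}[]\\|:;\"'?/<>,.")
MIN_LENGTH = 10
MIN_CATEGORIES = 3
MIN_TOKEN = 3  # assumption: ignore identity fragments shorter than this


def categories_used(password):
    """Return the names of the policy's character categories present."""
    checks = {
        "uppercase": lambda c: c in string.ascii_uppercase,
        "lowercase": lambda c: c in string.ascii_lowercase,
        "digit": lambda c: c in string.digits,
        "special": lambda c: c in SPECIALS,
    }
    return {name for name, test in checks.items() if any(test(c) for c in password)}


def identity_tokens(login_id, email, first, middle, last):
    """Lower-cased strings the password must not contain."""
    initials = "".join(n[0] for n in (first, middle, last) if n)
    local = email.split("@")[0]  # assumption: also reject the part before @
    candidates = [login_id, email, local, first, middle, last, initials]
    return {c.lower() for c in candidates if c and len(c) >= MIN_TOKEN}


def check_password(password, login_id="", email="", first="", middle="", last=""):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    used = categories_used(password)
    if len(used) < MIN_CATEGORIES:
        problems.append("only %d of 4 character categories" % len(used))
    lowered = password.lower()
    for token in sorted(identity_tokens(login_id, email, first, middle, last)):
        if token in lowered:
            problems.append("contains personal identifier: " + token)
    return problems


if __name__ == "__main__":
    # Constructed samples: "jsmith" is a hypothetical login ID.
    print(check_password("Jsmith2024!x", login_id="jsmith"))
    print(check_password("alllowercaseonly"))
```

The comparison is case-insensitive, so a login ID is caught even when the password changes its capitalization.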

Password Tips

Poor, or weak, passwords have the following characteristics:

  • Contain fewer than eight characters.
  • Can be found in a dictionary, including foreign-language dictionaries, or exist in a language's slang, dialect, or jargon.
  • Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
  • Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
  • Contain letter or number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
  • Contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1 or 1secret).
  • Are some version of "Welcome123", "Password123", or "Changeme123".

You should never write down a password. Instead, try to create passwords that you can remember easily. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase "This May Be One Way To Remember" could become the password TmB1w2R! or another variation.

(NOTE: Do not use either of these examples as passwords!)

A passphrase is similar to a password in use; however, it is relatively long and constructed of multiple words, which provides greater security against dictionary attacks. Strong passphrases should follow the general password construction guidelines to include upper and lowercase letters, numbers, and special characters.

Tips for Creating and Remembering Strong Passwords

Be Personal: The easiest way to remember a complex password is to develop your own personal pattern from a combination of elements. Your pattern will determine which letters are uppercase, which are lowercase, and where your digits will be placed. Stick to your pattern each time you create your password.

Password Example 1:

  • Select a memorable line from a song, movie, or book.
    • With A Little Help From My Friends
  • Choose the first letter of each word.
    • walhfmf
  • Capitalize every other letter.
    • WaLhFmF
  • Add a number after the first letter, and a symbol at the end.
    • W3aLhFmF#

Your new password is: W3aLhFmF#

Password Example 2:

  • Select two or more words that you can remember.
    • North Western
  • Reverse the words and capitalize two letters.
    • WesternNorth
  • Place a number and a symbol between the words.
    • Western5#North

Your new password is: Western5#North

Microsoft Password Requirements

Password strength: Passwords require 3 out of 4 of the following:

  • Lowercase characters
  • Uppercase characters
  • Numbers (0-9)
  • Symbols – Values allowed:
    • A-Z
    • a-z
    • 0-9
    • ! @ # $ % ^ & * - _ + = [ ] { } | : ' , . ? / ` ~ " < > ( ) ;
    • No UNICODE
  • Cannot contain the username alias (part before @ symbol)

Password history: Last password cannot be used again

Password history duration: None

Account lockout: After 10 unsuccessful logon attempts (wrong password), the user will need to solve a CAPTCHA dialog as part of logon. After a further 10 unsuccessful logon attempts (wrong password) and correct solving of the CAPTCHA dialog, the user will be locked out for a time period. Further incorrect passwords will result in an exponential increase in the lockout time period.