What principles do you think a user should follow when creating a password for his or her account?

Computing Services  ›  Indevelopment Security Office  ›  Governance  ›  Guidelines  ›  Password Management
Guidelines for Password Management


The purpose of this Guideline is to educate Carnegie Mellon College (“University”) students, faculty and also staff on the attributes of a Strong Password and also to administer referrals on how to securely keep and control passwords.

You watching: What principles do you think a user should follow when creating a password for his or her account?

Applies To

This Guideline uses to all students, faculty and staff that have a username and also password to at least one University mechanism or application, independent of whether you are an end user or a mechanism administrator for that system or application.


A Strong Password is characterized as a password that is reasonably tough to guess in a short duration of time either with humale guessing or the use of specialized software application.


The adhering to are general recommendations for creating a Strong Password:

A Strong Password should -Be at leastern 8 personalities in lengthContain both upper and also lowerinstance alphabetic personalities (e.g. A-Z, a-z)Have at least one numerical character (e.g. 0-9)Have at least one one-of-a-kind character (e.g. ~!
#$%^&*()_-+=)A Strong Password need to not -Spell a word or series of words that have the right to be uncovered in a typical dictionarySpell a word through a number included to the beginning and also the endBe based on any kind of individual indevelopment such as user id, family members name, pet, birthday, and so on.

The complying with are several references for maintaining a Strong Password:

Do not share your password through anyone for any reason

Passwords have to not be shared with anyone, consisting of any students, faculty or staff.  In instances wbelow someone requires accessibility to an additional individual’s defended sources, delegation of permission choices should be explored.  For instance, Microsoft Exchange calendar will certainly enable a user to delegate manage of his or her calendar to an additional user without sharing any kind of passwords.  This form of solution is urged.  Passwords have to not be shared also for the function of computer system repair.  An different to doing this is to develop a new account through an appropriate level of access for the repair perboy.

Consider utilizing a passphrase instead of a password

A passexpression is a password made up of a sequence of words through numeric and/or symbolic characters placed throughout.  A passphrase can be a lyric from a song or a favorite quote.  Passphrases generally have actually additional benefits such as being longer and also much easier to remember.  For example, the passphrase “My passw0rd is $uper str0ng!” is 28 characters lengthy and also consists of alphabetic, numeric and also distinct personalities.  It is likewise relatively basic to remember.  It is essential to note the placement of numeric and also symbolic characters in this instance as they prevent multiple words from being uncovered in a traditional dictionary.  The use of empty spaces likewise makes a password more challenging to guess.

Avoid reutilizing a password

When altering an account password, you need to prevent reutilizing a previous password.  If a user account was formerly endangered, either knowingly or unknowingly, remaking use of a password could enable that user account to, when again, end up being compromised.  Similarly, if a password was shared for some reason, reusing that password might enable someone unauthorized access to your account.

Avoid making use of the exact same password for multiple accounts 

While using the very same password for multiple accounts renders it easier to remember your passwords, it deserve to also have a chain impact enabling an attacker to obtain unauthorized access to multiple systems.  This is particularly crucial as soon as taking care of more sensitive accounts such as your Andrew account or your digital banking account.  These passwords have to differ from the password you use for prompt messaging, webmail and also other web-based accounts.

Do not use automatic logon functionality

Using automatic logon usability negates a lot of the worth of making use of a password.  If a malicious user is able to get physical accessibility to a mechanism that has automatic logon configured, he or she will certainly be able to take control of the device and also accessibility perhaps sensitive information.

See more: Which Of The Following Students Is Using Organization As A Memory Strategy?

The following are Guidelines for individuals responsible for provisioning and also support of user accounts:

Enpressure solid passwords

Many kind of devices and applications encompass use that stays clear of a user from establishing a password that does not satisfy specific criteria.  Functionality such as this must be leveraged to encertain just Strong Passwords are being collection.

Require a change of initial or “first-time” passwords

Forcing a user to change their initial password helps ensure that just that user knows his or her password.  Depfinishing on what procedure is being provided to create and distribute the password to the user, this practice can likewise assist reduce the risk of the initial password being guessed or intercepted in the time of transmission to the user.  This guidance also applies to situations wright here a password must be manually reset.

Force expiration of initial or “first-time” passwords

In specific cases, a user might be issued a brand-new account and also not access that account for a duration of time.  As pointed out formerly, initial passwords have a higher danger of being guessed or intercepted relying on what process is being provided to produce and also distribute passwords.  Forcing an initial password to expire after a period of time (e.g. 72 hours) helps minimize this hazard.  This may likewise be a authorize that the account is not necessary.

Always verify a user’s identification prior to resetting a password

A user’s identification should constantly be validated before resetting a password.  If the request is in-person, photo identification is a sufficient suggests of doing this.  If the request is by phone, validating an identity is much even more challenging.  One approach of doing this is to repursuit a video conference with the user (e.g. Skype) to match the individual through their photo id.  However, this deserve to be a cumbersome procedure.  Another option is to have the person’s manager contact and confirm the request.  For evident reasons, this would certainly not occupational for student researches.  If obtainable, a self-service password recollection solution that prompts a user via a collection of customized inquiries is an reliable technique to addressing password resets.

Never ask for a user’s password

As proclaimed over, individual user account passwords must not be shared or any reason.  A herbal correlation to this guidance is to never ask others for their passwords.  Once aobtain, delegation of permission is one alternative to asking a user for their password.  Some applications incorporate use that permits an administrator to impersonate an additional user, without entering that user’s password, while still tying actions back to the administrator’s user account.  This is also an acceptable different.  In computer system repair situations, requesting that a user create a temporarily account on their system is one different.

The complying with are numerous extra Guidelines for individuals responsible for the architecture and implementation of units and also applications:

Change default account passwords

Default accounts are often the source of unauthorized accessibility by a malicious user.  When possible, they should be disabled completely.  If the account cannot be disabled, the default passwords have to be changed instantly upon installation and also configuration of the device or application.

Implement strict controls for system-level and shared company account passwords

Shared service accounts commonly administer an elevated level of accessibility to a device.  System-level accounts, such as root and also Administrator, administer finish control over a system.  This provides these kinds of accounts highly prone to malicious activity.  As an outcome, an extra lengthy and facility password need to be imposed.  System-level and shared organization accounts are generally important to the operation of a system or application.  Thus, these passwords are often recognized by more than one administrator.  Passwords need to be adjusted anytime someone via expertise of the password transforms job responsibilities or terminates employment.  Use of accounts such as root and Administrator need to additionally be limited as a lot as feasible.  Alternatives should be explored such as utilizing sucarry out in location of root and developing distinctive accounts for Windows administration rather of utilizing default accounts.

Do not usage the exact same password for multiple administrator accounts

Using the exact same password for multiple accounts can simplify administration of devices and applications.  However, this exercise can also have actually a chain effect permitting an attacker to break right into multiple systems as an outcome of compromising a solitary account password.

See more: When Is A Door Not A Door In Sign Language (Asl), Teen Wolf Theories

Implement automated notice of a password readjust or reset

When a password is adjusted or recollection, an email must be instantly sent to the owner of that user account.  This gives a user via a confirmation that the change or reset was successful and additionally advises a user if his or her password to unknowingly adjusted or reset.

Additional Information

If you have actually any kind of inquiries or comments regarded this Guideline, please sfinish email to the University Indevelopment Security Office at iso