Passphrase Security Standard

ECU’s passphrase security standard ensures accounts are protected from unauthorized use.

7.3.1 Passphrases used to provide access to university information resources shall adhere to the following minimum requirements:

a) Passphrases shall be at least 8 characters in length.

b) Passphrases shall contain characters from 3 of the 4 character classes:

  • Numeral
  • Upper case letter
  • Lower case letter
  • Special character (e.g., !, @, #, *, ?)

c) Passphrases shall be changed at least once every 90 days and shall not reuse any of the user account’s previous 6 passphrases.

7.3.2 New user account passphrases and temporary passphrases shall be controlled to prevent disclosure to unauthorized persons. This shall include:

a) authenticating a person’s identity before providing a new or temporary passphrase

b) providing new or temporary passphrases that are difficult to guess by others

c) delivering new and temporary passphrases securely, and in a separate communication from new account notifications

d) requiring temporary passphrases to be changed upon login

7.3.3 Default product and vendor account passphrases shall be secured to prevent unauthorized access. Where technically feasible, this shall include:

a) changing the default vendor passphrase immediately after account activation

b) disabling the account when it is no longer needed or between maintenance sessions