Password Security Guidelines

Password Security Policy

The Password Security Policy sets out what is needed to identify an authorized user and to make it difficult for one user to impersonate another. In particular, this policy covers the use of login IDs and passwords to verify the identity of users.

User Password Guidelines

All User Passwords must:

  1. Meet minimum complexity requirements:
     1. Have at least 4 alphabetic characters (a, b, c, d, ... z) and 1 non-alphabetic character (digits 0 to 9 and special characters such as !._-%()-?[]#~ are allowed).
     2. A character may appear at most twice in a password.
  2. Have a minimum of 8 characters.

Examples of unacceptable passwords:

  mynassau     there is no non-alphabetic character
  bahamas242   there are 3 a's in this password
  nassau       there are too few characters

All User Passwords must not:

  1. Contain any part of the user-ID.
  2. Contain the user's first or last name.
  3. Contain more than two identical consecutive characters (for example 999 or xxxx).
  4. Contain common character sequences such as "12345" and "abcd".
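The complexity and content rules above, implemented as an added Python check (this is example code, not the policy's own tooling). Three points of interpretation are assumptions: "any part of the user-ID" is tested as any 3-character substring of the ID, name matching is case-insensitive, and "common character sequences" are tested as an ascending run of 4 or more letters or digits (which catches both "12345" and "abcd").

```python
import re
from typing import List

# Assumption: a "common character sequence" is an ascending run of this many
# consecutive letters or digits, e.g. "abcd" or "12345".
SEQUENCE_RUN = 4


def has_common_sequence(pw: str) -> bool:
    """True if pw contains an ascending run of SEQUENCE_RUN letters/digits."""
    low = pw.lower()
    run = 1
    for prev, cur in zip(low, low[1:]):
        run = run + 1 if cur.isalnum() and ord(cur) == ord(prev) + 1 else 1
        if run >= SEQUENCE_RUN:
            return True
    return False


def check_password(pw: str, user_id: str, first_name: str, last_name: str) -> List[str]:
    """Return the policy rules the password violates (empty list = acceptable)."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    alpha = sum(c.isalpha() for c in pw)
    if alpha < 4:
        problems.append("fewer than 4 alphabetic characters")
    if len(pw) - alpha < 1:
        problems.append("no non-alphabetic character")
    # A character may appear at most twice; counts are case sensitive (Z != z).
    over = sorted({c for c in pw if pw.count(c) > 2})
    if over:
        problems.append("character(s) used more than twice: " + "".join(over))
    # No more than two identical consecutive characters (999, xxxx).
    if re.search(r"(.)\1\1", pw):
        problems.append("more than two identical consecutive characters")
    if has_common_sequence(pw):
        problems.append("contains a common character sequence")
    low = pw.lower()
    # Assumption: "any part of the user-ID" means any 3-character substring of it.
    uid = user_id.lower()
    if any(uid[i:i + 3] in low for i in range(len(uid) - 2)):
        problems.append("contains part of the user-ID")
    # Assumption: name matching is case-insensitive.
    if any(n and n.lower() in low for n in (first_name, last_name)):
        problems.append("contains the user's first or last name")
    return problems
```

Running the page's own examples through it: the three strong passwords return an empty list, while mynassau, bahamas242 and nassau each return the reason the page gives.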

Additional Password Management Tips

  1. Passwords should not be based on any personal information.
  2. A password should not be easy to guess or be found in a dictionary, in any language.
  3. It is also advised that initial and temporary passwords issued by administrators (for example when a new account is set up or a replacement password is issued) be configured to expire on first use.
  4. Passwords are case sensitive, that is, an uppercase Z is not the same as a lowercase z.

  Example of a Weak Password   Why it is weak                                                           Example of a Strong Password
  Security                     length too short, easy to guess, does not meet complexity requirements   Secur1ty
  Cricket                      easy to guess, does not meet complexity requirements                     Cr1cket2020
  tr@FFic                      length too short                                                         tr@FFic2009

The strong passwords are of the proper length, easy to remember but not easy to guess, and they meet the complexity requirements.

*** Passwords must be changed every 90 days or less. A different password must be used each time it is changed. No new password should be the same as any of the previous five passwords used.