Password policy

The University and Departmental policy on passwords is that they should be complex. This means that simple words that appear in dictionaries, and other common passwords, have to be disallowed because they are too easy to crack using fast, modern computers. The downside is that complex passwords can be hard to remember, but we have some advice to help you overcome this.

The need for complex passwords was discussed at the Departmental Computing Committee and accepted. From 15th May 2010, all new or changed passwords used on central physics services must meet the minimum complexity described below. Those who already have passwords that meet the complexity rules do not need to change their passwords although they may need to reset their password to the same value in order to test and verify this.

Complexity Rules

Passwords must

  1. Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  2. Be at least six characters in length
  3. Contain characters from three of the following four categories:
    1. English uppercase characters (A through Z)
    2. English lowercase characters (a through z)
    3. Base 10 digits (0 through 9)
    4. Non-alphabetic characters (for example, !, $, #, %)

So basically, your password needs to contain a mix of upper and lower case letters with some numbers or special characters.
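
The rules above can be checked mechanically. The following Python checker is an added example, not the code run by the Department's password service. It assumes that rule 1 is applied case-insensitively, with the account name checked whole and the full name split on whitespace and punctuation, and that category 4 means any character that is not an English letter or digit; the user jsmith / Jane Smith is constructed.

```python
import re

MIN_LENGTH = 6          # rule 2
MIN_CATEGORIES = 3      # rule 3: three of the four categories


def name_fragments(account_name, full_name):
    """Strings the password must not contain (rule 1).

    Assumption: the account name is checked whole, and the full name is
    split on whitespace and punctuation into parts; only fragments longer
    than two characters count.
    """
    parts = [account_name] + re.split(r"[\s,._\-#]+", full_name)
    return [p.lower() for p in parts if len(p) > 2]


def category_count(password):
    """Number of the four character categories present in the password."""
    checks = (
        re.search(r"[A-Z]", password),          # English uppercase
        re.search(r"[a-z]", password),          # English lowercase
        re.search(r"[0-9]", password),          # base 10 digits
        re.search(r"[^A-Za-z0-9]", password),   # assumed: anything else
    )
    return sum(1 for c in checks if c)


def check_password(password, account_name, full_name):
    """Return a list of rule violations; an empty list means compliant."""
    problems = []
    lowered = password.lower()
    for fragment in name_fragments(account_name, full_name):
        if fragment in lowered:
            problems.append(f"rule 1: contains name part '{fragment}'")
    if len(password) < MIN_LENGTH:
        problems.append(f"rule 2: shorter than {MIN_LENGTH} characters")
    if category_count(password) < MIN_CATEGORIES:
        problems.append("rule 3: fewer than three character categories")
    return problems


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    for candidate in ("MFi6f3ibf", "Tp4tci2s4U2g!", "jsmith2010!", "Ab1", "password"):
        print(candidate, check_password(candidate, "jsmith", "Jane Smith"))
```

Passing these rules only shows that a password meets the minimum complexity; it does not test whether the password is a common one or is reused elsewhere.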

You should also avoid any password that is related to personal details that are easy to discover (e.g. addresses, phone numbers, car registration numbers, information from social networking sites, etc.). Also, please do not use the same password for different accounts, as weak security at a single site could put all your accounts at risk.

Choosing an easy to remember but complex password

As simple words aren't enough, we recommend that you choose a phrase that is meaningful to you and use that to construct and remember your password. For example, you might choose the phrase

"My Father is 6 foot 3 in bare feet"

and take the first letter of each word to form the password "MFi6f3ibf"

or

"The password for (4) this computer is too (2) strong for you to (4U2) guess!"

would generate the rather frightening password "Tp4tci2s4U2g!" (thanks to Wikipedia).

Changing your password

All users are asked to check that their passwords are sufficiently complex by attempting to change them to the same value they have now. If you receive an error message then please choose a more complex password.

Using a web browser

Please visit https://www3.physics.ox.ac.uk/apps/it/passwordreset

Windows

People with a centrally managed Windows computer can do this via their desktops by clicking the START button then Settings then Windows Security (or simply START and Windows Security depending on desktop settings).

OS X

Mac OS X users can also reset their password by going to:
System Preferences -> Accounts -> your account -> Change Password
This method will reset the local (keychain) password and the remote/departmental (Active Directory) password in one go. If you then log onto a different OS X system afterwards, accept the suggestion to update your keychain password there, typing your old password into the next password challenge box that appears.

N.B. If you need to change your password you will also need to update it anywhere that it has been stored. For example, passwords appear in the configuration of email clients, Sophos updates from home, VPN clients, printer connections, stored connections to network drives, etc. However, please note that most people using a standard centrally managed Windows desktop are unlikely to need these additional changes.
