
Password Best Practices and Standards

Protect Your Password

Your username and password are your key to accessing a wide range of resources. For faculty and staff, these resources include sensitive information such as pay statements, benefits open enrollment, and retirement account details. In addition, your account has access to other data that is regulated by the Family Educational Rights and Privacy Act (FERPA) and Gramm-Leach-Bliley (GLB) Act. You should never share your password with anyone, for any reason. By protecting your password, you also protect the important resources and data to which your password grants you access.

Keep in mind these important password tips: 

  • Create a strong password of at least 12 characters that combines letters, numbers, and special characters. In general, the longer the better!
  • Be sure to log out when you have finished using any website or resource that requires you to log in with your password. It is also recommended that you close all browser windows and completely exit your web browser.
  • Change your password regularly. Currently, students, faculty, and staff are required to change their account password at least every 180 days.
  • No one from any reputable organization, including the Northeast, will ever ask you to divulge your password over the phone or in an email. A request for your password by email or phone is a sure sign of a phishing scam.

Trouble Setting a Password? Use a Passphrase.

Are you trying to change your password and getting one of the following error messages:

"Unfortunately, your password contains a word, phrase, or pattern that makes your password easily guessable. Please try again with a different password."

"We've seen that password too many times before. Choose something harder to guess."

"Choose a password that's harder for people to guess."

Let's look at what is happening behind these messages so you can create a password that will be accepted.

Password Normalization

Normalization converts a password to lowercase and replaces each special character with the letter it most commonly stands in for (for example, "@" becomes "a" and "$" becomes "s").

Consider the following example:

  • The password "blank" is banned.
  • A user tries to change their password to "Bl@nK".
  • Even though "Bl@nK" itself is not on the banned list, normalization converts it to "blank".
  • The password is therefore rejected.

Fuzzy Matching

Fuzzy matching checks that the password is not within one character edit (one character added, changed, or removed) of a banned password. Suppose "abcdef" is banned:

  • abcdefg - adding a "g" to the end
  • abcdeg - changing the last character to "g"
  • abcde - dropping the last character

Each of these is also rejected, because it is within one character edit of the banned password.

Substring Matching 

Substring matching looks for any part of your name or your email domain inside the password. If one is found, that part is treated as banned. This is why "nemcc" and "tigers" are rejected wherever they appear in a password.

Scoring

Passwords are scored as follows and must score at least 5 points. Each banned word found in the normalized password counts as 1 point, no matter how many characters it contains. Each special character that does not get normalized away also counts as 1 point, as does each remaining character.

So "nemccTiger$24" normalizes to "nemcctigers24" (the "$" becomes "s") and scores only 4 points, short of the 5-point threshold:

  • [nemcc] + [tigers] + [2] + [4]

So instead of just "nemccTiger$24", try something like "nemcc-Tiger$-24". When this password is normalized it becomes "nemcc-tigers-24", which scores 6 points because the two hyphens are not normalized away:

  • [nemcc] + [-] + [tigers] + [-] + [2] + [4]

Getting the idea?

  • Use combinations of words separated by a common character (that you know).
  • Choose a letter and always change it to a special character (keep in mind that a substitution normalization undoes, such as "$" for "s", does not add points).
  • Use a pattern to capitalize letters (camel case, every 3rd character, or every 5th; it doesn't matter which).
  • Do not use banned words or phrases, as they lower the score of the password.

The passwords above should not be used, since they are published on this web page; they are only a guide. Banned words and phrases change constantly based on security analysis and research.
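
The four checks described above (normalization, fuzzy matching, substring matching, and scoring) can be run end to end to see why one password fails and another passes. The following is an added example written for this page, not the code of the campus password system: the substitution table, the banned list, the 3-character floor on name fragments, and the "longest banned word first" tie-break are all assumptions, and the user names and email address are constructed.

```python
import re
from dataclasses import dataclass

# Assumed normalization table. The page says letters are lowercased and special
# characters are replaced by their most common alternative; which symbols map
# to which letters is an assumption here, not a list the page gives.
SUBSTITUTIONS = {"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"}

# Constructed banned list for this example only; real lists change constantly.
BANNED = {"blank", "abcdef", "nemcc", "tigers", "password", "welcome"}

MIN_SCORE = 5  # the page's threshold: a password must score at least 5 points


def normalize(password: str) -> str:
    """Step 1: lowercase, then undo common character substitutions."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password.lower())


def within_one_edit(a: str, b: str) -> bool:
    """Step 2: True when a equals b or differs by one insertion, deletion or
    substitution (the page's 'within 1 character' fuzzy match)."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(short) and j < len(long_):
        if short[i] == long_[j]:
            i += 1
            j += 1
        elif skipped:          # a second mismatch means more than one edit
            return False
        else:
            skipped = True     # skip one character of the longer string
            j += 1
    return True


def user_terms(first_name: str, last_name: str, email: str) -> set:
    """Step 3: per-user substrings treated as banned: name parts and the email
    domain label (the 'nemcc' of nemcc.edu). The 3-character floor is an assumption."""
    terms = set()
    for part in re.split(r"[\s\-'.]+", f"{first_name} {last_name}"):
        if len(part) >= 3:
            terms.add(normalize(part))
    if "@" in email:
        terms.add(email.split("@", 1)[1].lower().split(".")[0])
    return terms


def tokenize(norm: str, terms: set) -> list:
    """Step 4: split the normalized password into scoring units. A banned term
    starting at the current position is one unit; any other character is one
    unit. Preferring the longest matching term is an assumption."""
    by_length = sorted((t for t in terms if t), key=len, reverse=True)
    tokens, i = [], 0
    while i < len(norm):
        hit = next((t for t in by_length if norm.startswith(t, i)), None)
        tokens.append(hit if hit else norm[i])
        i += len(hit) if hit else 1
    return tokens


@dataclass
class Verdict:
    accepted: bool
    score: int
    tokens: list
    reason: str


def evaluate(password: str, first_name: str = "", last_name: str = "",
             email: str = "", banned: set = BANNED) -> Verdict:
    """Run normalization, fuzzy matching, substring matching and scoring."""
    norm = normalize(password)
    terms = set(banned) | user_terms(first_name, last_name, email)
    for term in terms:
        if within_one_edit(norm, term):
            return Verdict(False, 1, [norm], f"within one edit of banned term {term!r}")
    tokens = tokenize(norm, terms)
    score = len(tokens)  # one point per unit, banned words included
    if score < MIN_SCORE:
        return Verdict(False, score, tokens, f"scored {score}, needs {MIN_SCORE}")
    return Verdict(True, score, tokens, f"scored {score}")


if __name__ == "__main__":
    # Constructed user; the passwords are the page's own examples plus a name case.
    for pw in ["Bl@nK", "abcdefg", "nemccTiger$24", "nemcc-Tiger$-24", "JohnSmith1"]:
        v = evaluate(pw, first_name="John", last_name="Smith", email="jsmith@nemcc.edu")
        units = " + ".join("[" + t + "]" for t in v.tokens)
        print(f"{pw:16} {'accepted' if v.accepted else 'rejected'}  {units}  ({v.reason})")
```

Running it reproduces the page's arithmetic: "nemccTiger$24" scores 4 as [nemcc] + [tigers] + [2] + [4], while "nemcc-Tiger$-24" scores 6 because each hyphen survives normalization and earns its own point. "Bl@nK" and "abcdefg" never reach scoring: the first normalizes to the banned word itself and the second is one edit away from one. The name case shows why substring matching hurts: "JohnSmith1" collapses to three units, so eight of its ten characters contribute almost nothing.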

Are you in the red?

The table below shows how long it would take an attacker to brute-force a password, for different character sets and password lengths.