New password change enhancements were introduced in the fall of 2008. There has been some confusion about the changes. Here, then, is a recap of the complexity rules that were put in place on the password change application page.

Passwords Complexity Requirements

Passwords chosen must:

• be a minimum of seven (7) characters in length
• be a maximum length of (128) characters
• contain at least one (1) character from three (3) of the following categories:
• Uppercase letter (A-Z)
• Lowercase letter (a-z)
• Digit (0-9)
• Special character ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : “ ; ‘ < > ? , . /
• The password does not contain three or more consecutive characters from the user’s account name or display name. If the account name is less than three characters long, then this check is not performed because the rate at which passwords would be rejected would be too high. When a check is performed against the user’s full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound signs, and tabs. For each token that is three or more characters long, that token is searched for in the password, and if it is present the password change is rejected.

For example, the name Erin M. Hagens would be split into three tokens: Erin, M, and Hagens. Because the second token is only one character long it would be ignored. Therefore this user could not have a password that included either “erin” or “hagens” as a substring anywhere in the password.

All of these checks are case insensitive.

Password Expiration

This setting determines the amount of time (in days) that a password can be used before the system requires the user to change it. The value has been set at 42 days for faculty and staff, but it will be changed to 90 days for all faculty, staff and students later this spring.

These changes will only help to protect your password to the extent that you do. Remember that it is against the NAU Acceptable Use policy to share your password. If you follow the above guidelines and you protect your password, you will be taking a big step toward protecting the university’s and your own information.