Compliance & Policies

Danforth Campus Password Guideline

This guideline sets standards for password management for Danforth School-based servers and systems.

When reasonable and possible, school-based servers and applications (systems) should utilize WUSTLConnect. In those cases, passwords will follow the WUSTLKey password guideline.

When WUSTLConnect is not used, each user should be assigned a unique username and, initially, a generic password. Upon logging into the system for the first time, a prompt for users to change their password is recommended though not required. Passwords should meet the following criteria:

  • Passwords should be a minimum of 8 and a maximum of 32 characters in length.
  • Passwords should incorporate three of the following characteristics:
    • Any lower case letters (a-z)
    • Any upper case letters (A-Z)
    • Any numbers (0-9)
    • Any punctuation or non-alphanumeric characters found on a standard ASCII keyboard (!@#$%^&*()_+=={}[]:;"'|\/?<>,.~`)
  • Passwords should not be easily guessed nor words found in a dictionary.
  • Users should not allow others to use their unique username or password without departmental review or authorization.
  • Passwords should not be shared or written down where they can easily be found.
  • Passwords should not be stored or remembered by applications - especially when using public machines like kiosks, common workstations, or loaned computers.
  • Individual user passwords should be changed (i.e. expire) at least every 365 days. Users should not be allowed to re-use any of their five previous passwords. Accounts with access to securable university data might require more frequent password changes.

Enabling a timed account lockout after several unsuccessful login attempts is highly recommended – especially on systems with securable university data.
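As an added example, not part of this guideline or of any WUSTL system, the following Python enforces the criteria above together with the lockout recommendation: the 8 to 32 character length, three of the four character classes, a dictionary check, no reuse of the five previous passwords (kept as salted PBKDF2 hashes rather than plaintext), the 365-day maximum age, and a timed lockout. The lockout threshold and duration, the PBKDF2 parameters, and the `Account` class itself are assumptions, since the guideline leaves them unspecified; the word list is a constructed stand-in for a real dictionary.

```python
"""Reference checks for the Danforth password guideline: composition, history, age, lockout."""
import hashlib
import hmac
import os
import re
import time
from typing import Callable, List, Tuple

MIN_LEN, MAX_LEN = 8, 32        # guideline: 8 to 32 characters
REQUIRED_CLASSES = 3            # guideline: three of the four character classes
HISTORY_DEPTH = 5               # guideline: no reuse of the five previous passwords
MAX_AGE_DAYS = 365              # guideline: change at least every 365 days
LOCKOUT_THRESHOLD = 5           # assumption: guideline only says "several" attempts
LOCKOUT_SECONDS = 15 * 60       # assumption: guideline only says "timed" lockout
PBKDF2_ROUNDS = 100_000         # assumption: guideline does not specify a hashing scheme

# Constructed stand-in for a real word list.
DICTIONARY = {"password", "welcome", "letmein", "danforth", "summer"}

CHARACTER_CLASSES = (
    re.compile(r"[a-z]"),               # lower case letters
    re.compile(r"[A-Z]"),               # upper case letters
    re.compile(r"[0-9]"),               # digits
    re.compile(r"[!-/:-@\[-`{-~]"),     # ASCII keyboard punctuation
)


def check_complexity(pw: str) -> List[str]:
    """Return the guideline rules the candidate violates (empty list = acceptable)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    present = sum(1 for cls in CHARACTER_CLASSES if cls.search(pw))
    if present < REQUIRED_CLASSES:
        problems.append(f"needs {REQUIRED_CLASSES} of 4 character classes, has {present}")
    # Check the password itself and the letters left after stripping digits and
    # punctuation, so that "Password1!" is still caught as a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", pw.lower())
    if pw.lower() in DICTIONARY or letters_only in DICTIONARY:
        problems.append("is, or is built on, a dictionary word")
    return problems


def _derive(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so history entries never hold the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """Hypothetical per-user state: current + previous hashes, failure count, lockout."""

    def __init__(self, username: str, clock: Callable[[], float] = time.time):
        self.username = username
        self.clock = clock                       # injectable for testing
        self.history: List[Tuple[bytes, bytes, float]] = []  # (salt, hash, set_at), newest last
        self.failures = 0
        self.locked_until = 0.0

    def set_password(self, pw: str) -> List[str]:
        problems = check_complexity(pw)
        # history holds the current password plus up to HISTORY_DEPTH previous ones
        for salt, digest, _ in self.history:
            if hmac.compare_digest(_derive(pw, salt), digest):
                problems.append(f"matches the current or one of the {HISTORY_DEPTH} previous passwords")
                break
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _derive(pw, salt), self.clock()))
        self.history = self.history[-(HISTORY_DEPTH + 1):]
        return []

    def password_expired(self) -> bool:
        if not self.history:
            return True
        return self.clock() - self.history[-1][2] > MAX_AGE_DAYS * 86400

    def login(self, pw: str) -> str:
        """Return "ok", "expired", "bad-password", "locked" or "no-password"."""
        now = self.clock()
        if now < self.locked_until:
            return "locked"
        if not self.history:
            return "no-password"
        salt, digest, _ = self.history[-1]
        if hmac.compare_digest(_derive(pw, salt), digest):
            self.failures = 0
            return "expired" if self.password_expired() else "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return "bad-password"
```

Two design points worth noting: the history is compared with `hmac.compare_digest` against per-entry salted hashes, so enforcing the no-reuse rule never requires keeping old passwords in a recoverable form, and the lockout is checked before any hashing so a locked account costs the server nothing per attempt.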

If a server or system does not support the minimum structure and complexity as listed above, one of the following procedures should be implemented:

  • The password assigned should be adequately complex to ensure that it is not easily guessed and the complexity of the chosen alternative should be defined, documented, and communicated to the Internal Auditing Department.
  • The legacy system should be upgraded to support these requirements as soon as administratively possible.
  • All securable university data should be removed and relocated to a system that supports the above security password structure.

Updated April 1, 2013.