Password Complexity

Requirements necessary to satisfy Password Complexity Rules

Complexity requirements are enforced when passwords are changed or created. At that point, a password must meet the following minimum requirements:

  • Passwords must contain at least 8 characters.
  • Passwords must contain characters from three of the following five categories:
    • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
    • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
    • 0 through 9 (Base 10 digits)
    • Non-alphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
    • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
  • Passwords must not contain three or more continuous (in direct sequence) characters of the user’s entire email/network username or entire Full Name. Neither check is case sensitive:
    • The email/network username is checked in its entirety only to determine whether it is part of the password. If the email/network username is less than three characters long, this check is skipped.
    • The Full Name is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the Full Name is split and all parsed sections are confirmed not to be included in the password. Sections that are less than three characters in length are ignored, and sub-strings of the sections are not checked. For example, the name “Erin M. Hagens” is split into three sections: “Erin,” “M,” and “Hagens.” Because the second section is only one character long, it is ignored. Therefore, this user could not have a password that included either “erin” or “hagens” as a sub-string anywhere in the password.
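
The rules above can be expressed as a small validator. This is an added example, not code from the system that enforces this policy; the function names, the sample username "ehagens", and the use of Unicode general categories Lu/Ll to approximate "European uppercase/lowercase" are assumptions.

```python
import re
import unicodedata

SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")
# Full Name delimiters: comma, period, hyphen, underscore, space, pound sign, tab
NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def char_categories(password):
    """Return which of the five character categories occur in password."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if ch in "0123456789":
            found.add("digit")
        elif ch in SPECIALS:
            found.add("special")
        elif cat == "Lu":   # assumption: Unicode Lu stands in for "European uppercase"
            found.add("upper")
        elif cat == "Ll":   # includes sharp-s and letters with diacritic marks
            found.add("lower")
        elif ch.isalpha():  # alphabetic but caseless, e.g. CJK characters
            found.add("other_alpha")
    return found


def check_password(password, username, full_name):
    """Return a list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("length")
    if len(char_categories(password)) < 3:
        problems.append("categories")
    folded = password.casefold()
    # Username: checked only as a whole, skipped when shorter than 3 characters.
    if len(username) >= 3 and username.casefold() in folded:
        problems.append("username")
    # Full Name: split on delimiters, ignore sections shorter than 3 characters.
    for section in NAME_DELIMS.split(full_name):
        if len(section) >= 3 and section.casefold() in folded:
            problems.append("name:" + section)
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, checked against the page's example name.
    for pw in ["Blue-Kettle42", "xErin!2024x", "alllowercase", "ehagens#Pass1"]:
        print(pw, check_password(pw, "ehagens", "Erin M. Hagens"))
```
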