UCSC Password Strength and Security Standards

These Standards are required for passwords that provide access to University restricted data, or where otherwise required by law, UC or campus policy, or contract. They are recommended as good practices to follow for all passwords even where not required.


I. Introduction

Passwords are an important part of computer security at UCSC. They often serve as the first line of defense in preventing unauthorized access to campus computers and data. Because of this, it is important to choose passwords that are complex and cryptic enough to prevent others from guessing them or from cracking them with “password cracker” programs. It is also important to keep passwords secret and secure so others can’t use them or find them.

These Standards are intended to provide information and guidance about how to create good, cryptic passwords and how to keep them secure and confidential. Some of the steps may require additional configuration/setting changes.

BEYOND PASSWORDS - Multi-Factor Authentication (MFA): Increasingly, passwords are the weak link in protecting information and accounts. In addition to following these Standards, adding another layer of protection to your accounts with 2-step/Multi-Factor authentication where available provides extra protection. Then someone will need more than just your username and password to get in. This is an emerging requirement for accounts that provide access to restricted data and for privileged accounts, and is required to access Campus and Data Center VPN.



II. Password Strength Standards - How to create good, cryptic, hard-to-guess-or-crack passwords

REQUIREMENTS
The following requirements are enforced on many UCSC systems. Passwords that do not meet these requirements or are otherwise found vulnerable by automatic password strength checkers may be rejected.

  1. Passwords must be at least 8 characters in length, cannot be based on dictionary words/common names, and must contain at least 3 of the following 4 types of characters:
    • lower case letters (i.e. a-z)
    • upper case letters (i.e. A-Z)
    • numbers (i.e. 0-9)
    • special characters (e.g. -=[]\;,./~!@#$%^&*()_+{}|:<>?)
  2. Passwords for systems or applications that cannot support the above standard must be longer -- at least 10 characters in length, if possible -- and incorporate the maximum complexity the system or application can support.
  3. In addition, passwords must:
    • Not be a single word found in the dictionary (in any language), whether spelled forwards or backwards, or a single word preceded or followed by a digit (e.g., secret1, 1secret)
      • Note: It is OK to use real words in passwords as long as you use more than one and still include the different required character types. Modified dictionary words are even better. See "Additional Tips and Hints" below for details.
    • Not include user name or login name
    • Not be a common keyboard sequence, such as "qwerty89" or "abc123"
    • Not be from examples you have seen in print, such as the ones on this page.

ADDITIONAL TIPS AND HINTS
for creating good, cryptic, hard-to-guess passwords

  • Longer passwords are better.
  • Avoid including personal information, names of family, places, pets, birthdays, address, hobbies, license plate number, etc.
  • Avoid words that are slang, dialect, jargon, etc.
  • A password consisting of several words separated by spaces can actually be more secure and easier to remember than a more complicated, obscure one.
    • Basing your password on a phrase that is familiar to you is one way to generate a password that is memorable to you, but obscure to others. For example, "The hills are alive with the sound of music!!" is actually a pretty good password, except for the fact that it is inconveniently long and published here. A shorter version could be, “Hills! alive! Music!” or, using a variant on the first letter of each word, "ThRawts0m!".
    • A few memorable, unrelated words can also be a good password, such as "correct horse battery staple" or, if the system requires additional complexity, “Correct horse battery staple!”
    • Automatic "password cracker" programs now also check for complete dictionary words in a row, separated by spaces or not, so it's still always best to modify dictionary words. "The hills are alyve w/the sound of musyc!" is much more secure than "The hills are alive with the sound of music!" It's also harder to remember, so it's a trade-off.
  • Be aware that automatic "password cracker" programs check for common symbol substitutions in words, such as "0" for "o" and "$" for "s". Simply substituting common symbols for letters in a dictionary word, e.g. "Pa$$w0rd" instead of "Password," might result in a guessable password even though it technically meets the above requirements. Passwords that are found vulnerable by automatic password strength checkers may be rejected.
  • Passwords shouldn't be too common (Password1 is very common. 2bor!2b is pretty common and is also only 7 characters in length).
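The requirements and tips above can be expressed as a checker. The following is an added example, not part of the UCSC Standards or any UCSC system; the word list, keyboard sequences and symbol-substitution table are constructed stand-ins (a real deployment would load full wordlists in every relevant language).

```python
import re

# Constructed stand-in for a real dictionary/wordlist (assumption).
DICTIONARY = {"secret", "password", "hills", "music", "river", "runs", "cold"}
# Keyboard sequences named in the Standards plus a few obvious neighbours (assumption).
KEYBOARD_SEQUENCES = ("qwerty", "asdf", "zxcv", "abc123", "123456")
# Examples printed in the Standards themselves; rule 3 forbids reusing them.
PUBLISHED_EXAMPLES = {"Hills! alive! Music!", "ThRawts0m!", "correct horse battery staple",
                      "Correct horse battery staple!", "Pa$$w0rd", "Password1", "2bor!2b"}
# Symbol substitutions that crackers reverse ("0" for "o", "$" for "s", ...).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "$": "s", "@": "a"})

def character_classes(pw):
    """Count how many of the 4 character types (lower, upper, digit, special) appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))

def is_single_dictionary_word(pw):
    """True if pw is one dictionary word, forwards or backwards, optionally with a
    single digit before or after it, either as typed or after undoing symbol swaps."""
    for cand in (pw.lower(), pw.lower().translate(LEET)):
        core = cand[1:] if cand[:1].isdigit() else cand
        core = core[:-1] if core[-1:].isdigit() else core
        if core in DICTIONARY or core[::-1] in DICTIONARY:
            return True
    return False

def check_password(pw, username=None):
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(pw) < 3:
        problems.append("fewer than 3 of the 4 character types")
    if is_single_dictionary_word(pw):
        problems.append("based on a single dictionary word")
    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    if any(seq in pw.lower() for seq in KEYBOARD_SEQUENCES):
        problems.append("common keyboard sequence")
    if pw in PUBLISHED_EXAMPLES:
        problems.append("example published in the Standards")
    return problems

if __name__ == "__main__":
    for pw in ("Pa$$w0rd", "secret1", "qwerty89", "Th3 r1ver runs c0ld!"):
        print(repr(pw), check_password(pw) or "OK")
```

Note that "Pa$$w0rd" satisfies the length and character-type rules yet is still rejected once the symbol substitutions are undone, which is the point made in the tips above.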

III. Password Security Standards - How to keep your passwords secret and secure:

1. Do not share your passwords with anyone else, or in any way publish them.

2. Avoid writing passwords down.

  • Whenever possible, change passwords to something you can easily remember.
    • One way to do this is to create a password from a familiar phrase (see Additional Tips and Hints, above, for more information).
    • Once you have a good, strong, memorable password, you can come up with a system to modify it slightly for each system or application. Then you only have to remember your base password and your system.
  • If you have to write a password down, try to write it in a way that others won't be able to decipher -- such as using a hint for part of it -- and store it securely in a safe, unlikely-to-be-discovered location, e.g., not under the keyboard or on your monitor.
  • Passwords can also be securely stored using a variety of free and low-cost "password vault-type" encryption tools. See #5 in this section for details.

3. If you think your password may have been compromised, notify the ITS Support Center and your supervisor.

4. Change passwords provided for initial access or password resets as soon as possible. Information for doing this should be provided with the password. If it is not, contact the person or office issuing the password for instructions.

5. Don’t let your applications or browser remember/store passwords that provide access to restricted systems or data.

  • That way if someone gets access to your computer, they don’t also get access to all of your accounts.
  • PASSWORD MANAGERS: Passwords can be securely stored using a variety of free and low-cost encryption tools designed to manage passwords, including your computer's keychain and third party solutions. As an example, LastPass is a cloud-based option. [1]
    • Important notes:
      • Password Managers can assess the strength of your passwords and generate secure passwords for your use.
      • Master passwords providing access to these tools must meet the minimum strength and security standards stated in these Standards. For keychains, this is the password used to access the computer.
      • Do not store passwords providing access to restricted data on a non-UCSC service provider's website. See Use of Third Party and Cloud Services for details and additional guidance.
      • Best Password Managers to use in 2021
      • Technical article before you use a password manager.

6. Use different passwords for accounts that provide access to restricted data than for your less-sensitive or personal accounts.

  • For additional security, use a different password for each account that provides access to sensitive data; that way if one of your passwords is compromised, your others are still OK. 

7. Ensure that passwords are transmitted securely.

  • Before you log into something via the web, look for “https” (not http) in the URL to indicate that there is a secure connection. If this is missing, request a secure web page from the service provider that you can use to log in.


IV. Additional Requirements for Service Providers

1. Passwords provided as initial passwords or password resets must meet the UCSC Minimum Password Requirements. "Changeme," "admin," "pass1," and other common passwords found in password crackers may not be used.

  • Passwords provided as initial passwords or password resets also must not be a fixed password or a published/easy-to-figure-out formula that, if discovered, could be used to gain unauthorized access to a system or application.
  • Passwords provided for initial access or password resets must be unique.

2. Ensure that end users are aware of the above password strength standards when it is not possible for applications and systems to enforce them technically.

3. Ensure secure transmission and storage of passwords.

4. Passwords provided for initial access or password resets should be set to expire upon initial use. If this is not possible, instruct users to change these passwords as soon as possible after initial use and provide instructions for doing so.

5. Give users advance notice about password length and complexity requirements so they can come up with well-thought-out, memorable passwords instead of spur-of-the-moment ones. 

6. Passwords used for privileged access must not be the same as those used for non-privileged access.

7. Administrator-level access to restricted data, computers or networks must be able to identify the individual performing the access, e.g. via a unique user ID/password and elevated permissions as opposed to utilizing a shared admin or root account.

8. Report potential password security compromises to the ITS Support Center.

9. NOTE: Service Providers should consider using UCSC's Identity Management (IdM) Services, such as Shibboleth, for authentication to their applications. Please see the IdM Service page in the ITS Service Catalog for more information.



V. System Requirements and Standards

1. Where possible and applicable, applications and systems must be configured to enforce these Password Standards. 

2. New systems and applications must be able to support the above password strength standards.

3. Systems must be configured to ensure secure transmission and storage of passwords.

4. Passwords provided for initial access and password resets must be set to expire upon initial use, where feasible.

  • Additionally, initial passwords must be set to expire after no more than 120 days and password resets must be set to expire after 72 hours when possible to prevent unauthorized account access. Note: This requirement is not intended to imply that passwords must expire periodically. It is, instead, intended to prevent the misuse of initial and temporary passwords. 

5. All default passwords for network-accessible devices must be modified.

6. Where possible, systems must be configured to prevent resubmission of previously used passwords.



VI. Getting Help

- Use the CruzID Manager to change your CruzID Blue or Gold password.

- Contact the ITS Support Center with questions or feedback about these Standards, or to report a compromised password: itrequest.ucsc.edu, help@ucsc.edu, 459-HELP (4357).


-------------------------------- 
[1] Links on this page to commercial web sites do not represent endorsement by the University of California or its affiliates.