Passphrase Complexity Guidelines

UC Berkeley security policy mandates that all devices connected to the UCB network comply with the Minimum Security Standard for Networked Devices.  The recommendations below are provided as optional guidance to assist with achieving the Passphrase Complexity requirement.

Requirement

When passphrases are used, they must meet the following complexity specifications:

Passphrases MUST:

  • Contain nine characters or more
  • Contain characters from two of the following three character classes:
    1. Alphabetic (e.g., a-z, A-Z)
    2. Numeric (i.e., 0-9)
    3. Punctuation and other characters (e.g., !@#$%^&*()_+|~-=`{}[]:";'<>?,./)

Multi-user systems must be configured to enforce these standards and require that users change any pre-assigned passphrases immediately upon initial access to the account.

All default passphrases for access to network-accessible accounts must be changed at time of network connection.

Background and description of risk

For many systems, passwords are the sole form of authentication. Poor password complexity, including insufficient length or the inclusion of commonly-used words, may allow an attacker to guess the password and gain unauthorized access to the system. Generally, the more complex the password, the more difficult it is for an attacker to guess.

In addition, failing to change passwords from the default setting established by the vendor is equivalent to having no password at all, as default passwords are commonly known by attackers.

Recommendations

Use built-in facilities of operating systems, databases, and other software to enforce complexity.

Use built-in facilities of operating systems, databases, and other software to require password changes on first logon.

Where possible and appropriate:

  1. devices should be configured with separate accounts for privileged and unprivileged access;
  2. users should authenticate with an unprivileged account rather than a privileged account;
  3. privileged access should occur through a privilege escalation mechanism that records in the log which user was granted additional privileges; and
  4. privileged access should be granted only for as long as necessary to complete the task that requires the additional privileges.

Passphrases SHOULD NOT be:

  • A derivative of the username
  • A word found in a dictionary (English or foreign)
  • A dictionary word spelled backwards
  • A dictionary word (forward or backwards) preceded and/or followed by any other single character (e.g., secret1, 1secret, secret?, secret!)
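The following Python script is an added example, not part of the UC Berkeley guideline or any campus tool; it implements the MUST rules above (nine or more characters, two of the three character classes) together with the SHOULD NOT checks (username derivative, dictionary word, reversed dictionary word, dictionary word with one extra leading or trailing character). The word list is a small constructed stand-in for a real dictionary file, and "derivative of the username" is interpreted here, as an assumption, as containing the username or its reverse.

```python
"""Passphrase checker for the complexity rules in the Minimum Security
Standard for Networked Devices (added example, not campus code)."""

MIN_LENGTH = 9

# Constructed stand-in for a real dictionary file (one lowercase word per entry).
SAMPLE_DICTIONARY = {"secret", "password", "berkeley", "welcome", "summer"}


def character_classes(passphrase):
    """Return the set of character classes present: alphabetic, numeric,
    and 'punctuation' for everything else (symbols, whitespace, ...)."""
    classes = set()
    for ch in passphrase:
        if ch.isalpha():
            classes.add("alphabetic")
        elif ch.isdigit():
            classes.add("numeric")
        else:
            classes.add("punctuation")
    return classes


def meets_requirement(passphrase):
    """The MUST rules: at least MIN_LENGTH characters and two of three classes."""
    return len(passphrase) >= MIN_LENGTH and len(character_classes(passphrase)) >= 2


def is_dictionary_based(passphrase, dictionary):
    """SHOULD NOT rules: the passphrase is a dictionary word, a reversed
    dictionary word, or either of those with a single extra character
    in front and/or behind. Comparison is case-insensitive."""
    word = passphrase.lower()
    candidates = {word}
    if len(word) > 1:
        candidates.add(word[1:])      # strip one leading character
        candidates.add(word[:-1])     # strip one trailing character
    if len(word) > 2:
        candidates.add(word[1:-1])    # strip one of each
    return any(c in dictionary or c[::-1] in dictionary for c in candidates)


def derived_from_username(passphrase, username):
    """Assumed interpretation of 'derivative of the username': the passphrase
    contains the username, or the username reversed, ignoring case."""
    p, u = passphrase.lower(), username.lower()
    return u in p or u[::-1] in p


def evaluate(passphrase, username="", dictionary=SAMPLE_DICTIONARY):
    """Return the list of failed checks; an empty list means the passphrase passes.
    The MUST checks come first, then the SHOULD NOT checks."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(character_classes(passphrase)) < 2:
        problems.append("fewer than two character classes")
    if username and derived_from_username(passphrase, username):
        problems.append("derived from username")
    if is_dictionary_based(passphrase, dictionary):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; none of these should be used as a real passphrase.
    for candidate, user in [("secret", "alice"), ("1Berkeley?", "alice"),
                            ("alice2024!", "alice"), ("Tr0ub4dor&3x", "bob")]:
        result = evaluate(candidate, user)
        print("%-14s %s" % (candidate, "OK" if not result else "; ".join(result)))
```

Note that the dictionary checks implement exactly the single-extra-character rule the guideline states, so a word followed by several digits (secret123) passes this script while still being a weak choice; an enforcement deployment would pair these rules with a full word list and a cracking-style rule set rather than relying on this literal reading alone.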

When might it be inappropriate to configure my device to enforce the minimum password complexity requirements?

It may be inappropriate in situations where the device is single-user (home machines or laptops). While you MUST use a password that meets the complexity requirements, it is not necessary to configure the device to enforce the requirements on these single-user devices.

Aside from the password requirements in the Minimum Standards document, what are some other guidelines I should follow?

  • Do not use an easily guessed password. Some examples of passwords that would be easy to guess:
    • Names of family, pets, friends, co-workers, etc.
    • Computer terms and names, commands, sites, companies, hardware, software.
    • Birthdays and other personal information such as addresses and phone numbers.
    • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Passwords should never be written down or stored online.
  • In general, a password should be as long as possible while still being easy to remember. One way to do this is to create a password based on an easy-to-remember phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. NOTE: Do not use either of these examples as passwords!
  • You should change your passwords on a regular basis, at least every six months. You should also change your password any time you suspect that your account has been compromised or tampered with.
  • Try to use a different password for every system. At a minimum, do NOT use the same password for any of your University accounts that you use for a non-University service or third-party web site.

What do I do if my system will not support the use of a password that meets the Minimum Standards?

In this case, you should use the strongest password that you can use within the restrictions of that particular system.