The minimum baseline password standard for computer systems at Washington University in St. Louis requires that:
- Passwords be at least five characters in length and sufficiently complex
- Passwords change at least every 90 days
- Security software disables and revokes passwords following no more than eight unsuccessful logon attempts
- Security software disallows the reuse of passwords for five generations or more
Where software permits:
- Require that files containing passwords are one-way encrypted.
- Require passwords to be entered in nondisplay fields.
- Set the initial passwords (issued by the system administrator) to be valid for one logon only, and require a forced password change following the initial logon.

Approved by the Washington University Board of Trustees Audit Committee December 3, 2004; revised July 11, 2006 per PWC.