The minimum baseline password standard for computer systems at Washington University in St. Louis requires that:
- Passwords be at least five characters in length and sufficiently complex
- Passwords change at least every 90 days
- Security software disables and revokes passwords following no more than eight unsuccessful log-on attempts
- Security software disallows the reuse of passwords for five generations or more

Where software permits:
- Require that files containing passwords are one-way encrypted.
- Require passwords to be entered in non-display fields.
- Set the initial passwords (issued by the system administrator) to be valid for one log-on only, and require a forced password change following the initial log-on.

Approved by the Washington University Board of Trustees Audit Committee, December 3, 2004

Revised July 11, 2006 per PWC