Password Construction and Management

University of Arizona Standard for Password Construction and Management
1. Overview
Passwords are an important aspect of computer security. They are the front line of protection for
user accounts. A poorly chosen password may result in the compromise of individual systems,
data or even the entire University of Arizona network. All University of Arizona affiliates,
including contractors and vendors, with access to University resources are responsible for taking
the appropriate steps, as outlined below, to construct, secure and maintain their passwords.
2. Purpose
The purpose of this document is to establish standards for password construction, protection and
expiration.
3. Scope
This standard applies to all University of Arizona affiliates with access to any resource that
supports or requires a password. Specifically this standard applies to all resources residing at any
University of Arizona facility; having access to the University of Arizona network; or storage of
any non-public University of Arizona information. This is a minimum standard, and departments
are encouraged to maintain stricter limits where practical.
4. Standards
All university-affiliated passwords should meet the standards described below.
4.1 Construction
One of the first things an attacker may do is run a program that attempts to guess the password of
the target. These programs contain entire dictionaries of several languages. In addition to
dictionary word lists, they frequently generate candidate words and include word lists from popular
culture, such as slang terms, movies, novels, etc.
With this in mind, users should construct a password that meets the following criteria:

Passwords should ALWAYS contain:
- At least eight characters
- Both upper and lower case characters (e.g., a-z, A-Z)
- At least one number (e.g., 0-9)
- At least one special character (e.g., !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
Passwords should NOT:
- Be based on personal information, such as names of family, dates, addresses, phone numbers, etc.
- Be based on work information, such as room numbers, building name, co-worker's name, phone number, etc.
- Use word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, abcABC123, etc.
- Be a word or combination of words found in any dictionary in any language, slang, dialect, jargon, etc.
- Be based on your username, your real name, handle, nickname, screen name, etc.
Revision 2/5/2016
Page 1 of 5
The following section describes how to create a password which includes all or most aspects of
the criteria above, making it hard to guess yet easy to remember.
One way to meet the suggested criteria is to mix special characters, upper and lower case letters,
and numbers, and associate them with a phrase or song title. The following tables demonstrate
these rules as Good, Better and Best practice.
Example I:
Phrase: Home of the University of Arizona Wildcats

Good: hOTuoAw-C
- Lower case h
- Upper case O
- Upper case T
- Lower case u
- Lower case o
- Upper case A
- Lower case w
- A hyphen between Wild and cats
- Upper case C

Better: H0tUoaW-c
- Upper case H
- Number zero (represents the letter o)
- Lower case t
- Upper case U
- Lower case o
- Lower case a
- Upper case W
- A hyphen between Wild and cats
- Lower case c

Best: 8O7u0@w-[
- Number 8 (h is the 8th letter in the English alphabet)
- Upper case O
- Number 7 (sort of looks like a T)
- Lower case u
- Number zero (represents the letter o)
- At sign (at sign begins with the letter a)
- Lower case w
- A hyphen between Wild and cats
- The left square brace, since it looks like an upper case C
Example II:
Phrase: Why did the chicken cross the road?

Good: WdTcCtR?
- Upper case W
- Lower case d
- Upper case T
- Lower case c
- Upper case C
- Lower case t
- Upper case R
- Question mark

Better: YdTCxtR?
- Upper case Y (Why equals Y)
- Lower case d
- Upper case T
- Upper case C
- Lower case x (the letter x is a cross)
- Lower case t
- Upper case R
- Question mark

Best: Y?47CxtR
- Upper case Y
- Question mark (Y is the question, right?)
- Numeral 4 (the letter d is the 4th letter in the English alphabet)
- Numeral 7 (still looks like a T)
- Upper case C
- Lower case x
- Lower case t
- Upper case R
You can make strong passwords by simply substituting numbers for letters or words (or vice
versa), such as E equals 3, I equals 1, O equals 0 (zero), for equals 4, two equals 2, B equals 8,
see or sea equals C, etc. Additionally, you should add a special character in the middle. The best
passwords are created using an easy-to-remember phrase as outlined in the tables above. More
examples of strong passwords follow:
- My four children are wonderful when they're sleeping -> m4caW,wts
- My anniversary is April 4 remember that date -> Maia4,rtd
- Ali Baba had forty thieves -> @Bh?4tyt
- Wildthing -> Wild*7H1ng
OR
- Use r3d-j3llo instead of redjello (substitute the E's with 3's)
- Use B,cl1nt0n instead of bclinton (substitute I & L with 1's and O with zero)
- Use j0hn(80y) instead of johnboy (substitute the O's with zeros & the B with 8)
NOTE: The above referenced examples should not be used as passwords.
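The construction criteria of section 4.1 (length, character classes, nothing based on the username or real name, no dictionary word, no keyboard or sequence pattern) can be checked mechanically. The checker below is an added example written for this page; it is not code from the University of Arizona or part of the standard. Its word list is a constructed stand-in for the dictionaries and popular-culture lists the standard describes, and the pattern heuristics (runs of identical characters, repeated chunks, three-character slices of a keyboard row, the alphabet or the digits) are assumptions about how to recognise the patterns the standard names.

```python
import re
import string

# Special characters exactly as listed in the standard's construction criteria.
SPECIALS = set("!@#$%^&*()_+|~-=\\`{}[]:\";'<>?,./")

# Constructed stand-in for the dictionary and popular-culture word lists the
# standard warns about. Assumption: a real deployment loads full word lists here.
WORD_LIST = {"wildcats", "arizona", "chicken", "password", "wildthing",
             "redjello", "johnboy", "summer"}

# Sequences used to detect the patterns the standard names
# (aaabbb, qwerty, zyxwvuts, 123321, abcABC123). Assumed heuristic.
SEQUENCES = [string.ascii_lowercase, string.digits,
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_pattern(password: str) -> bool:
    """True if the lower-cased password contains a run of 3+ identical characters,
    an immediately repeated chunk of 2+ characters (abcabc), or any 3-character
    slice of a keyboard row, the alphabet or the digits, forwards or backwards."""
    low = password.lower()
    if re.search(r"(.)\1\1", low) or re.search(r"(.{2,})\1", low):
        return True
    for i in range(len(low) - 2):
        chunk = low[i:i + 3]
        for seq in SEQUENCES:
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def check_password(password: str, username: str = "", real_name: str = "") -> list[str]:
    """Return the construction criteria the password fails (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than eight characters")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")

    low = password.lower()
    # Personal-information rule, limited to the username and real name the caller supplies.
    for label, value in (("username", username), ("real name", real_name)):
        for part in value.lower().split():
            if len(part) >= 3 and part in low:
                problems.append(f"contains {label} ({part})")

    # Dictionary rule: the whole password, its letters only, or a contained word of 5+ letters.
    letters_only = re.sub(r"[^a-z]", "", low)
    if (low in WORD_LIST or letters_only in WORD_LIST
            or any(w in low for w in WORD_LIST if len(w) >= 5)):
        problems.append("dictionary word")

    if has_pattern(password):
        problems.append("keyboard or sequence pattern")
    return problems


if __name__ == "__main__":
    # Candidates taken from the standard's own tables plus two deliberately weak ones.
    for candidate in ["hOTuoAw-C", "H0tUoaW-c", "8O7u0@w-[", "Wild*7H1ng",
                      "wildthing", "Qwerty123!"]:
        print(f"{candidate:12} {check_password(candidate) or 'OK'}")
```

Run against the standard's own tables, the Better and Best passwords of Example I and the Wild*7H1ng example pass, while wildthing fails four criteria at once. Note that the Good column of Example I, hOTuoAw-C as printed, contains no digit and therefore fails the "at least one number" criterion of section 4.1; an automated check would reject it even though the table presents it as acceptable.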
4.2 Protection
Passwords are an important tool available to users to protect their resources. Unfortunately, people
are not accustomed to memorizing difficult passwords that include numbers and weird characters.
This is made more difficult due to the ever-increasing number of passwords required in today's
world. Many people have chosen to write down their passwords and keep them in an unsecured
area, such as under their keyboard or stuck to their computer screen. All users should use the
following security measures to protect their passwords and associated accounts:
- Passwords should be memorized and never written down or stored on-line. If you must write down a password, it must be stored in a secure location allowing only authorized access.
- Passwords assigned to individuals should never be shared with anyone, even your supervisor. All passwords must be treated as sensitive/confidential information.
- Anyone requesting an individual's password should be referred to the Information Security Office and this standard.
- Passwords should not be included in email messages or other forms of electronic communication such as instant messengers, chat rooms, wireless text messaging, etc.
- User accounts that have system-level privileges granted through group memberships or programs such as "sudo" in Unix should have a different password than all other accounts held by that user.
- Always create a new password when joining internet sites, such as eBay, Yahoo, Hotmail, Amazon, etc.
- Don't talk about a password in front of others or reveal a password over the phone.
- All default passwords must be changed as soon as possible.
4.3 Maintenance
It is important to remember that given enough time any password can be guessed. Therefore, it is
critical that passwords be changed frequently. If you use a password that can be guessed in N
days, you would need to change that password within N-1 days. For example, if you used
wildthing as your password it could be guessed in less than one hour, whereas the previously
outlined password example of Wild*7H1ng might take six months. This means the stronger the
password, the less frequently it has to be changed.
The recommended password change interval is every 120 days even if you construct a password
following the recommendations in this standard.
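The rule in section 4.3 (a password guessable in N days is changed within N-1 days, and never later than the 120-day interval) can be applied to a worst-case estimate of guessing time. The estimator below is an added example for this page, not part of the standard or code from the University of Arizona. It models only exhaustive guessing over the character classes a password uses, at a guess rate that is a constructed assumption; a dictionary-based guesser reaches a word such as wildthing far sooner than this bound, which is exactly why the standard treats dictionary words as unacceptable regardless of length.

```python
import math

# Class sizes: letters and digits, plus the 32 special characters listed in section 4.1.
SPECIALS = "!@#$%^&*()_+|~-=\\`{}[]:\";'<>?,./"
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(SPECIALS)}

# Assumed rate for exhaustive guessing. Constructed figure for illustration only;
# the standard gives no rate, and real rates depend on the hash and the hardware.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

# Recommended maximum change interval from section 4.3.
POLICY_MAX_DAYS = 120


def charset_size(password: str) -> int:
    """Size of the smallest character set an exhaustive guesser must cover,
    based on the character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in SPECIALS for c in password):
        size += CLASS_SIZES["special"]
    return size


def guesses_to_exhaust(password: str) -> int:
    """Number of candidates in the key space the password belongs to."""
    return charset_size(password) ** len(password)


def days_to_guess(password: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case N of the standard: days needed to exhaust the whole key space."""
    return guesses_to_exhaust(password) / guesses_per_second / 86400


def change_interval_days(password: str,
                         guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND,
                         policy_max: int = POLICY_MAX_DAYS) -> int:
    """Apply 'guessable in N days -> change within N-1 days', capped at the
    120-day interval. A result of 0 means the password should be changed now."""
    n = math.floor(days_to_guess(password, guesses_per_second))
    return max(0, min(policy_max, n - 1))


if __name__ == "__main__":
    # The two passwords the standard compares in section 4.3.
    for candidate in ["wildthing", "Wild*7H1ng"]:
        print(f"{candidate:12} charset={charset_size(candidate):3d} "
              f"days_to_guess={days_to_guess(candidate):.3g} "
              f"change_within={change_interval_days(candidate)} days")
```

Under this model wildthing (lower case only, 9 characters) is exhausted in a fraction of a day and so must be changed immediately, while Wild*7H1ng (all four classes, 10 characters) has a key space roughly ten million times larger and simply inherits the 120-day cap. The absolute figures move with the assumed rate; the ordering, and the conclusion that the weaker password cannot be kept for any useful interval, do not.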
4.4 General
If you suspect that an account or password has been compromised, change the password or disable
the account immediately, then contact your system administrator or refer to the Incident Response
policy.
Additional recommended password security measures:
- Do not use the same password for University of Arizona accounts as for other non-University of Arizona access (e.g., personal Internet account, option trading, benefits, etc.).
- Where possible, don't use the same password for various University of Arizona access needs. For example, select one password for your NetID account and a separate password for your departmental account. Ideally, you should have different passwords for different systems, such as Windows, Unix, or Macintosh, etc.
- It is not recommended to use the "Remember Password" feature in applications such as Eudora, Outlook, and Netscape Messenger, which may leave your accounts vulnerable.
- Never provide any current password or variation of it to an internet site that requests your email address and then requests a password.
- In an emergency, revealing a password to a trusted individual is permitted; however, that password should be changed immediately after the emergency has passed.
5. Enforcement
Password cracking or guessing may be performed on a periodic or random basis by ISO or its
delegates. If a password not meeting these standards is guessed or cracked during one of these
scans, the user will be required to change it.
If a password is revealed to have been compromised the user will be required to change it.
Any employee found to have violated this standard may be subject to disciplinary action, up to and
including termination of employment.
6. Related Documents
Security Definitions used in this policy are available at http://security.arizona.edu/Definitions.pdf
Security Standards are available at http://security.arizona.edu/policydrafts.html
Guidelines, Policies and Procedures are available at
http://security.arizona.edu/guidelinesetc.html