Information Technology Services

Because your password is so important, several rules are in place to ensure it is not easily guessed, and that, if someone tries too many times to break into your computer accounts, it is disabled to prevent unauthorized access to your information and privileges.  This article describes the rules that are used to govern complexity, duration, and protection of your password.

 Passwords must:

• be a minimum of seven (7) characters in length
• be a maximum length of (128) characters
• contain at least one (1) character from three (3) of the following categories:
• Uppercase letter (A-Z)
• Lowercase letter (a-z)
• Digit (0-9) or Special character ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , . /

This setting determines the amount of time (in days) that a password can be used before the system requires the user to change it. The value has been set at 90 days for faculty and staff and 180 days for students.

This setting determines the amount of time that must pass before users can change their passwords. Defining a minimum password age prevents users from circumventing the password history policy by defining multiple passwords in rapid succession until they can use their old passwords again. The value for this setting is five minutes, which discourages rapid password recycling but permits users to eventually change their passwords.

This setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. It also rejects new passwords that are too similar to old passwords. This setting feature prevents users from circumventing password expiration restrictions by recycling old passwords or ones like them. The value is set to five.

This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. For Web/LDAP and faculty/staff Windows accounts, this value is set to six. Student Windows accounts do not lock out.

This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. For Web/LDAP authentication, the account remains locked until unlocked by an administrator. For faculty/staff Window accounts, the lockout duration is set to thirty minutes or until an administrator enables the user ID.  Student accounts do not automatically lock out.

This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. For faculty/staff Windows accounts, this is set to 30 minutes.  Web/LDAP and student Windows accounts do not enforce this.

NAU provides a password change web application.  This application verifies that the newly selected password meets all the requirements outlined above.  A measure of the relative strength of the password is shown as a new password is entered, so users can get immediate feedback on how unlikely it will be that their new password can be "cracked."  Once it is successfully entered, the new password can be used to unlock both Web-based and Windows accounts.

These policies are in place to help to protect your password to the extent that you do. Remember that it is against the NAU Acceptable Use policy to share your password. If you follow the above guidelines and you protect your password, you will be taking a big step toward protecting the University’s and your own information.