Site-specific menu

• Information Technology
• About
• For Students
• For Faculty and Staff
• News
• Rules and Policies
  • Academic Applications
  • Copyright and Ethics
  • Data Security
  • Email
  • Identity Protection
  • Miscellaneous
  • Network and Internet
  • Web
• Directory
• Contact Us

Spotlights

Password Guidelines

Your password prevents other people from reading your email, accessing your network files, changing your web pages, or sending messages from your account. These guidelines will assist you in creating a more secure password that is less susceptible to being broken.

Western Michigan University passwords

• Must be a minimum of eight (8), maximum of 24 characters.
• Will expire 365 days after each change.
• May only be changed once per day.
• Are case-sensitive (e.g. TmB1w2R! is different than tmb1w2r!).
• May not contain any part of your name or username.
• May not use single words found in the dictionary.
• May not contain spaces.
• Must contain three (3) or more of the following:
  • At least one upper-case alphabetic character.
  • At least one lower-case alphabetic character.
  • At least one numeric digit (e.g. 1, 2, 3…)
  • At least one punctuation or symbol character (e.g. ^, $, #)
    
• Do not use ‘ “ or blank spaces as they may not work with all University systems.

Examples of good passwords

• Lw&M4+3 uses upper and lower case, symbols, numbers, and both left and right
  sides of the keyboard
• J7$pZ3Kqs(W is a good mixture and is long (Macintosh users please note that Macintosh equipment passwords cannot be longer than 8 characters)

Selecting a password you can remember

Long, cryptic passwords are the most secure but can be difficult to remember. One method of selecting a good password is to start with a short sentence, for example, a holiday greeting: Merry Christmas and Happy New Year
By using the first letter of each word it becomes MCaHnY. It has a mixture of upper and lower case letters and some characters are typed with the left hand and some with the right. It is only six characters long so it needs to have at least two more characters, either numeric digits or punctuation. Here are three possibilities:

• 1MCaHNY!
• Mcahny!!
• MCaHnY2y

Passwords should not be

• Names of family, pets, friends, co-workers, fantasy characters, etc.
• A word in any language, slang, dialect, jargon, etc.
• Computer terms and names, commands, sites, companies, hardware, software, etc.
• Personal information such as birthdays, addresses, phone numbers, etc.
• Words or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
• Any of the above spelled backwards.
• Any of the above preceded or followed by a digit (e.g. secret1, 1secret).

Password don’ts

• Don't reveal passwords over the phone to anyone.
• Don't reveal passwords in an email message.
• Don't talk about passwords in front of others.
• Don't reveal passwords on questionnaires or security forms.
• Don't share passwords with anyone, including family members.
• Don't reveal passwords to co-workers while on vacation or leave.
• Don’t use the "Remember Password" feature of applications.
• Don’t write passwords down and store them anywhere in your office.
• Don’t store passwords in a file on any computer system including smart phones, PDAs, or similar devices, unless that file is encrypted.
• Don’t use the same password for WMU accounts as for other non-WMU access.
• If someone asks for your password, refer them to this document or have them call someone in the Office of Information Technology or your college/department Network administrator.
  

Summary

Usernames and passwords assigned to individuals to access information are critical in the protection of both your privacy and the University’s IT resources. Usernames and passwords are for the use of the individual for whom they were granted, and should be known only to that individual.

These guidelines have been enacted to better secure the information assets of WMU. It is an increased burden but it also will make an exponential difference in password security on campus. Even if you do not access or maintain confidential data, your system access can be used by a hacker to gain access to confidential data. Everyone plays a vital role in the University’s information security and we must all do our part.

Note

These guidelines may be amended at any time by the Chief Technology Officer of Western Michigan University consistent with current collective bargaining agreements, university policies, and applicable law. Changes will be reviewed by appropriate University entities prior to posting on OIT’s public website.

Document Action	Group	Date
Direction/purpose	Dr. James Gilchrist, per external audit group	10/2010
Reviewed	Campus Information Security Committee	11/2010
Reviewed and edited	Campus Information Security Committee	12/2010
Reviewed	LAN Managers Group	01/2011
Reviewed and edited	Campus Information Security Committee	01/2011
Approved	Campus Information Security Committee	03/2011