February 26, 2007

Mandatory Password Changes for Administrative Users

Due to a recent state audit finding, all UMBC Administrative users (e.g. PS Portal, PS HR, PS Finance, Developers, HP, MyUMBC, MAP, etc.) are required to create a more secure password by the end of March 2007. OIT has developed a more stringent password construction policy in order to comply with state auditors (see below for password construction rules).

The new password construction rules for all MyUMBC accounts are now in effect. These password rules are enforced for changes made through the MyUMBC web interface, and through Kerberos' password change protocol.

**Why are we changing passwords?
This is in response to the state audit finding that UMBC's password authentication practices did not meet the requirements of the State of MD IT Security Policy. In order to provide greater security, a more complex password is required. We are basing our password standards on the NIST Special Publication 800-63, Electronic Authentication Guideline.

**How do I Change my Password?
Please visit http://my.umbc.edu and log in.
Go to the “Personal” Tab > “Account Info” > “Change My Password”

**What Systems Will be Affected by this Password Change?
- myUMBC Account
- PeopleSoft Accounts
- E-mail Account (Including Webmail)
- Oracle Calendar Accounts
- VPN Account
- Microsoft Active Directory Accounts
- Blackboard Accounts
NOTE: MS Active Directory users will need to log out of their workstation and then log back in, while connected to the campus network, for this change to take effect. Microsoft AD accounts will then be synchronized with your myUMBC account password.

**Will Non-Administrative Users Be Affected?
Yes. The new password construction rules are enforced for all UMBC account holders. If a person changes their password, they will be required to create a password using the same rules and requirements that are listed below. The only difference is that Non-Administrative users will have until the latter part of this year to change their password.

**Password Construction Rules
* Must be at least 8 characters in length

* May only contain printable characters (alphanumeric and symbols -- no spaces or "control" characters)

* Must include at least one upper case, lower case, and one non-alphabetic character

* Must not contain three or more recurring characters (such as 'sss')

* Must not contain three or more characters in the order that they appear on standard keyboards.

* Passwords must not be primarily constructed of words appearing in our password dictionary.

* Passwords must not contain personally identifiable information that is known to UMBC. This includes such elements as the individual's username, CampusID, Social Security Number, Date of Birth, or elements of other directory information such as address, office number, etc.

* Passwords must be different from the last three passwords used, or any that have been used within the past year.

These construction rules are derived from NIST Special Publication 800-63, Electronic Authentication Guideline.