New Password Construction Policies
The new password construction rules for MyUMBC accounts are now in effect, in preparation for the upcoming forced password change for administrative users. As you may, or may not know, this is in response to the state audit finding that UMBC's password authentication practices did not meet the requirements of the State of MD IT Security Policy. These password rules are enforced for changes made through the MyUMBC web interface, and through Kerberos' password change protocol.
Note: We are not yet synching MyUMBC account password changes to active directory -- that will be forthcoming.
New password rules.
Must be at least 8 characters in length
May only contain printable characters (alphanumeric and symbols -- no spaces or "control" characters)
Must include at least one upper case, lower case, and one non-alphabetic character
Must not contain a sequence of three or more recurring characters. (such as 'sss')
Must not contain a sequence of three or more characters in the order that they appear on standard keyboard layouts.
Passwords must not be primarily constructed of dictionary words.
Passwords must not contain personally identifiable information that is known to UMBC. This includes such elements as the individual's username, CampusID, Social Security Number, Date of Birth, or elements of other directory information such as address, office number, etc.
Passwords must not match the individual's password history, which comprises of the passwords used for this account over the past year, or, the last three passwords used for this account.