ITS Computing Accounts
The Importance of Choosing Strong Passwords
Strong passwords are extremely important to prevent unauthorized access to your electronic accounts and devices.
The object when choosing a password is to make it as difficult as possible for a would-be intruder to identify your password, whether by educated guesses or automated attacks.
This leaves a criminal no alternative but a brute-force search, trying every possible combination of letters, numbers, and punctuation. Though intruders have access to machines that can try thousands or millions of possible passwords per second, a very complicated or very long password vastly decreases the chances an intruder will be able to guess yours.
We recommend that for ITS Computing Accounts you choose as a password a 20+ character phrase, which can include spaces and normal English words. Passwords shorter than 20 characters must be very complex (and therefore hard to remember) in order to make up for their shortness.
- For example, a normal sentence can be used as an acceptable password:
My telephone is broken! (23 characters)
- If you choose a password under 20 characters, it will need to look something
Guidelines for ITS Computing Account Passwords
To meet our requirements, your ITS Computing Account password must:
- be at least 8 but no more than 50 characters in length (exceptions below);
- use both upper- and lower-case letters;
- include at least one number and/or punctuation mark (allowed symbols are: ! # $ @ _ + , ? [ ] . - and space);
- not include your UVa computing ID;
- not include your first, middle or last names, if those names are more than 2 characters in length (for example, "Ed" is okay, but "Sue" is not; "Ng" is okay, but "Smith" is not); and
- if your password is under 20 characters,
these additional restrictions apply:
- cannot have more than 4 numbers;
- cannot appear in any English dictionary;
- cannot include the same character 3 times (either upper- or lower-case);
- cannot have a string of 3 or more ascending or descending characters (for example, ABC or zyx are disallowed).
Other Requirements for Passwords at UVa
- Must be between 8 and 50 characters in length but there are exceptions:
- System and application administrators should meet the above requirements to the extent possible within the constraints of their systems and/or applications, and apply compensating controls (e.g. a protected network, two-factor authentication, exceptional length or complexity, etc.) as needed; see specific system and application guidelines for details.
- Mobile devices (iPhones and other smart phones, BlackBerrys, PDAs) must be protected with a password/passcode of at least four (4) characters if able to connect to UVa's encrypted cavalier wireless network and/or the UVa Exchange Service. Configure your device to lock the screen automatically, after a brief period of about 10-15 minutes of inactivity, with password protection.
For your computing safety, these rules may be expanded over time to be more stringent and additional rules may be published within applications requiring an enhanced level of security.
Remember never to use the same password for a UVa account and a non-UVa account (such as Yahoo, Google, Facebook, Amazon, etc.).
Remember never to share your password with anyone.