UMKC Information Services →  Password Best Practices

	Introduction

The UMKC Information Services Password Policy is the foundation of security for UMKC’s SSO (Single Sign On) account.  The SSO account gives the user access to all the resources available on the UMKCnet.  The privileges and permissions granted by this account are unique to each user.  The protection of this account is the responsibility of the user.  The most important password policy is – Do not give your password to anyone.

Other phases of the Password Policy are covered in the following sections of this document.

	Complexity

Password complexity will be controlled at the Domain Policy level through the use of Group Policy Objects.  Complex passwords provide a basic and important component of overall information security.  The “strong” password will include the following guidelines:

• Avoid using words from a dictionary, common or clever misspellings of words, and foreign words.

• Avoid using incrementing passwords with a digit.

• Avoid preceding or appending passwords with a number.

• Avoid using passwords that others can easily guess by looking at your desk (such as names of pets, sports teams, and family members).

• Avoid using words from popular culture.

• Avoid thinking of passwords as words per se — think secret codes.

• Enforce using passwords that require you to type with both hands on the keyboard.

• Enforce using uppercase and lowercase letters, numbers, and symbols in all passwords.

• Enforce using space characters and characters that can be produced only by pressing the Alt key.

	Password History

The practice of enforcing password history ensures that passwords are not reused in a short period of time or that a short, cyclic list of passwords is not used.  Reusing passwords allows the user, in essence, to never change their password.  Thus, this practice helps maintain the effectiveness of password security of the SSO account.