OIT Policy: Complex Passwords

Security breaches occur most often on accounts that have weak, easy-to-guess passwords. Diligent password management helps create a secure computing environment and ensures that online identities are not at risk.

At UMass Amherst, an OIT Account enables students, faculty, and staff to access email, manage academic, personal, and financial information in SPIRE, and use the campus wired and wireless network.

The Complex Password Policy establishes the strength requirements for OIT Account passwords and is intended to support the secure and productive use of information technology resources. All members of the University community with an active OIT Account are required to comply with the Complex Password Requirements outlined below.

Complex Password Requirements

Your OIT Account password:

  • Must be between 8 and 16 characters
  • Must contain characters from three of the following four categories:
    • uppercase characters (A - Z)
    • lowercase characters (a - z)
    • digits (0 - 9)
    • special characters (limited to the following):
      ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
  • Cannot contain three or more adjacent characters from your NetID
    (e.g., if your NetID is jdoe then your password cannot be 4xP/doe/876)
  • Cannot contain the reverse of your NetID (e.g., 4xP/eodj/876)
  • Should not be solely composed of English or foreign words or proper names
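
The mechanically checkable requirements above can be expressed as a validator. This is an added example, not part of the policy and not OIT's own code; the name check_password, the case-insensitive NetID comparison, and the rejection of characters outside the four categories are assumptions. The rule about words and proper names is not checked because it would need a word list.

```python
import string

# Special characters exactly as listed in the policy.
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
ALLOWED = set(string.ascii_letters + string.digits) | SPECIALS


def check_password(password, netid):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be between 8 and 16 characters")
    # Assumption: "limited to the following" means any other character
    # (spaces, accented letters, ...) is rejected.
    if any(ch not in ALLOWED for ch in password):
        problems.append("contains a character outside the four categories")
    categories = [
        any(ch in string.ascii_uppercase for ch in password),
        any(ch in string.ascii_lowercase for ch in password),
        any(ch in string.digits for ch in password),
        any(ch in SPECIALS for ch in password),
    ]
    if sum(categories) < 3:
        problems.append("needs characters from three of the four categories")
    # Assumption: NetID comparisons ignore case.
    pw, nid = password.lower(), netid.lower()
    # Checking every 3-character window of the NetID also catches longer runs.
    if any(nid[i:i + 3] in pw for i in range(len(nid) - 2)):
        problems.append("contains three or more adjacent NetID characters")
    if nid and nid[::-1] in pw:
        problems.append("contains the reverse of the NetID")
    return problems


if __name__ == "__main__":
    # The two rejected passwords are the policy's own examples for NetID jdoe;
    # the third is a constructed compliant value.
    for candidate in ("4xP/doe/876", "4xP/eodj/876", "4xP/Tq9w/876"):
        print(candidate, check_password(candidate, "jdoe") or "OK")
```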

Password Management

To protect your OIT Account information, it is critical that you:

Construct a strong password.
Password-guessing software has become increasingly sophisticated, and many such programs break passwords using ‘dictionary attacks’, trying endless combinations of characters. Follow the Complex Password Requirements listed above to ensure that your password can withstand these types of attacks.

Do not save your password.
Some applications offer to save your passwords. Always say ‘No’ when prompted to save a password online. Also, never write down your password. Instead, create a password reminder in case you forget it. For instructions on how to create a password reminder, see our Account Password Rules page.

Do not share your password.
By making passwords available to others, you put your personal information at risk and make it vulnerable to misuse. Do not send your password via email even if the message asking for your password appears official. Note that the OIT Help Center will never ask for your account information via email.

Change your password periodically.
To protect your password from ‘dictionary attacks’, change your password four times a year (once every three months). If you suspect that your password has been stolen or compromised, change it immediately. Change your OIT Account password in SPIRE.

Do not recycle your password.
Do not use your OIT Account password for other services (e.g., your bank account or your non-UMass email address). If your password is hacked, all the accounts using this password are at risk.

Log out of OIT services.
Remember to log out of any OIT service (e.g., UMail, SPIRE, computers in the OIT Computer Classrooms) when you are finished using the service or when you step away from your computer.

Last Updated: Dec. 17, 2012