Password guidelines

Guideline

Intent

To provide guidance on choosing passwords

Scope

University wide

Exclusions

Nil

Choosing a valid password – regular users

Most users with an RMIT login account have general access requirements and do not require special administration or operational privileges for the system they are logging into. These regular users include students and the majority of staff and contractors. Such users need to choose a password that meets all of the following conditions:

  • Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Passwords must be at least eight characters in length
  • Passwords must contain characters from three of the following four categories:
    • English uppercase characters (A through Z).
    • English lowercase characters (a through z).
    • Numeral digits (0 through 9).
  • Non-alphabetic characters: ~!@#$%^*_-+=`|\(){}[]:;"'<>,./ (& and ? are excluded because some systems do not support them)

Note: your password cannot be one of your previous 15 passwords.

You should be aware that your login account will be automatically disabled after 15 consecutive failed login attempts within 30 minutes. A failed login attempt can occur if either or both your login name and password are incorrect. Should this happen, your login account will be disabled for 30 minutes. After this time elapses, your login account will be re-enabled and you can attempt login again.

You are required to change your password once it is 180 days old. You will be prompted 14 days prior to the expiration of your password to change it. To avoid your login account becoming disabled, you are advised to change your password as soon as the system prompts you to change it. Some RMIT legacy applications do not keep track of the additional logins allowed and your login account may become disabled before you are aware of it.

If you need assistance, please contact the IT Service Desk.

Choosing a valid password – privileged users

Certain users with an RMIT login account have privileged access requirements in order to perform an administration or operational role for the system they are logging in to. These privileged users include database administrators, systems support staff, security administrators and network technicians. Such users need to choose a password that meets all of the following conditions:

  • Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Passwords must be at least eight characters in length
  • Passwords must contain characters from three of the following four categories:
    • English uppercase characters (A through Z).
    • English lowercase characters (a through z).
    • Numeral digits (0 through 9).
  • Non-alphabetic characters: ~!@#$%^*_-+=`|\(){}[]:;"'<>,./ (& and ? are excluded because some systems do not support them)

Note: your password cannot be one of your previous 15 passwords.
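The three complexity rules above, together with the & and ? caveat, are identical for regular and privileged accounts. As an added example (not RMIT's own validation code), the following Python function checks a candidate password against them and reports every rule it breaks; how a "part" of the full name is delimited is an assumption, since the guideline does not define it.

```python
import re
import string

# Special characters the guideline accepts; & and ? are left out because
# the guideline says some systems do not support them.
ALLOWED_SPECIALS = set("~!@#$%^*_-+=`|\\(){}[]:;\"'<>,./")
UNSUPPORTED = set("&?")


def name_parts(full_name: str) -> list:
    """Parts of the full name longer than two characters.

    Splitting on whitespace, commas, periods, hyphens and underscores is an
    assumption; the guideline does not say how a 'part' is delimited.
    """
    return [p for p in re.split(r"[\s,.\-_]+", full_name) if len(p) > 2]


def check_password(password: str, account_name: str, full_name: str) -> list:
    """Return every guideline violation found; an empty list means valid."""
    problems = []
    lowered = password.lower()

    # Rule 1: no account name and no 3+ character part of the full name.
    if account_name and account_name.lower() in lowered:
        problems.append("contains the account name")
    for part in name_parts(full_name):
        if part.lower() in lowered:
            problems.append(f"contains part of the full name: {part}")

    # Rule 2: at least eight characters.
    if len(password) < 8:
        problems.append("shorter than eight characters")

    # Rule 3: characters from at least three of the four categories.
    categories = sum([
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in ALLOWED_SPECIALS for c in password),
    ])
    if categories < 3:
        problems.append(f"only {categories} of the four character categories")

    # Caveat: & and ? do not count as specials and are flagged outright.
    if UNSUPPORTED & set(password):
        problems.append("uses & or ? which some systems do not support")
    return problems
```

Run against the guideline's own suggestions, it shows that Sally4me is rejected for a user whose full name contains "Sally", and that h0telcalifornia uses only two categories (lowercase and digits), so a capital letter or a special character must be added before it meets the rule.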

You should be aware that your login account will be automatically disabled after 15 consecutive failed login attempts within 60 minutes. Should this happen, your login account will be disabled for 60 minutes. After this time elapses, your login account will be re-enabled and you can attempt login again.

You are required to change your password once it is 180 days old. You will be prompted 14 days prior to the expiration of your password to change it. To avoid your login account becoming disabled, you are advised to change your password as soon as the system prompts you to change it. Some RMIT legacy applications do not keep track of the additional logins allowed and your login account may become disabled before you are aware of it.

If you need assistance, please contact the IT Service Desk. Please refer to the RMIT website for contact details and hours of operation.

Am I a regular user or a privileged user?

Your security administrator should inform you if your login account has been set up with privileged access. Otherwise you can assume that your login account has been set up with general access and that you are a regular user.

Tips for choosing an easy-to-remember password

For security reasons, an RMIT password must contain a combination of alphabetic letters, numerals and special characters. This precludes the use of names, places and dictionary words, which can be easily guessed or determined. Although passwords need a degree of complexity, simple techniques exist that allow you to choose easy-to-remember passwords that are difficult for others to guess or determine.

The “passphrase” is one technique. A passphrase serves the same function as a password but is generally longer and may include letters, numbers and special characters. Passphrases are easier to remember than normal passwords because they are based on phrases that are meaningful to you. For example, the following passphrases are valid passwords at RMIT:

  • GoSaints2012
  • Ihave3dogs!
  • Sally4me
  • IhateMondays!
  • Tobeornot2be (to be or not to be)
  • L84dinner (late for dinner)
  • 2plus2isFour
  • 8SmithStreet

As shown above, a numeral in a passphrase can be either a proper numeral (e.g. the “3” in Ihave3dogs!) or a substitute for a word (e.g. the “4” in Sally4me is a substitute for the word “for”).

Other suggested techniques for choosing an easy-to-remember password are:

  • Choose two short, unrelated words and join them with a numeral between them, e.g. cow3horse!
  • Choose a word and substitute one or more numerals for letters, e.g. Vir2osit for virtuosity
  • A song title, singer or actor, e.g. h0telcalifornia with the numeral 0 substituting the letter o, or Tomcru1se with the numeral 1 substituting the letter i

By adopting these techniques, you should be able to select passwords that are both secure and easy to remember.

Do’s and don’ts

  • Do change your password if you suspect another person knows it
  • Do choose a new password that is very different from your old one
  • Do change your password before the system forces you to change it
  • Do use a numeral within your password string, rather than as the first or last character
  • Do write down your password in coded form if you are likely to forget it. For example, if your password is “Ihave3dogs”, write down the names of your dogs as a reminder that your password is based on your pets. Another example, if your password is “L84dinner” and being punctual for dinner is your partner’s worst habit, write down “John’s bad habit” to jolt your memory if you happen to forget your password. However, do not leave the written down password in a place where it could be found easily.
  • Don’t write down your password and put it in an easily accessible location
  • Don’t disclose your password to anyone. If a person requests your password with the excuse that they need it for some RMIT related reason, consult your manager or supervisor immediately. The person requesting the password may not be who they say they are and/or may have mischievous intentions.
  • Don’t use your RMIT password on non-RMIT systems
  • Don’t choose a password that your friends or colleagues could easily guess
  • Don’t choose a password that is a variation of your login account name, surname etc
  • Don’t be complacent with your password – someone may hack into your RMIT account
  • Don’t forget that you are personally responsible for keeping your password a secret
  • Don’t use the example passwords illustrated in these guidelines (e.g. GoSaints2012).
  • Don’t use the same password if you have a login account with general access and a separate login account with privileged access

Obtaining a dispensation from the RMIT password standard

The RMIT Password Standard prescribes the minimum password controls for RMIT information systems. However, it is recognized that circumstances may exist where there are valid business or technical reasons why a particular system within the scope of the Standard is unable to comply with one or more of the prescribed password controls. If this is the case, the following procedure is in place to request a dispensation:

Step 1 - The system owner should complete an ITS Password Dispensation form

Step 2 - The system owner should send the completed form as an email attachment to the ITS Security Analyst.

Step 3 - The ITS Security Analyst will review the request and consult the appropriate people. If the form has been completed correctly and the request appears valid, the ITS Security Analyst will endorse the request and forward it to the Deputy Director, ICT Infrastructure Delivery for his written approval.

Step 4 - The ITS Security Analyst will forward a copy of the approved request to the system owner and file the original copy for safe keeping and audit purposes.

Step 5 - The ITS Security Analyst will review each approved dispensation at least annually to determine whether circumstances have changed that would warrant the system owner to resubmit a request for dispensation.
