Password Complexity Policy

The weakest link in ILR's computer security efforts is your password. Although we spend lots of time protecting computers and servers against hackers, one of the biggest security holes is easily-guessed passwords. A basic password-cracking program can deduce a dictionary or name-based password in seconds.

How to change your password

Many people do not feel that their password is important because they do not think that their data is important or of value to anyone else. There is more at stake than just your personally owned data. Once someone has access to your password, they can gain access to all of your personal documents and email stored on your computer. They could install software on your system and use it and your bandwidth to illegally distribute protected/copyrighted materials. They could gain access to all shared files on network servers where information is stored that is protected by Federal privacy laws and by Cornell privacy policies. The responsibility for security of data begins at the source, which could be you, and extends all the way to deans and the President of the university.

To protect you and the University from unauthorized access to institutional resources and data, ILR has implemented a strict password checking system for Windows domain accounts. Each time you open a new account or change (reset) your password, this system will prevent you from setting a password that is easily cracked.

Your ILR computer account password must meet the following requirements:

  • is at least 8 characters
  • has not been used in the previous 5 passwords
  • is at least 1 day old
  • is not older than 183 days
  • contains at least three of the following four character groups:
    • English uppercase characters (A through Z);
    • English lowercase characters (a through z);
    • Numerals (0 through 9);
    • Non-alphabetic characters (such as !, $, #, %, a space)
  • is not your login id, first or last name
  • is not a common English dictionary word five or more characters in length, spelled forwards or backwards. The dictionary contains over 1.4 million words and includes words peculiar to ILR.
  • is not a dictionary word followed by and/or preceded by 1 or 2 characters
  • is not a dictionary word with the following letter substitutions: $=s, 4=h, 2=a, 3=e, 0=o, 1=l, 1=i
  • NOTE: Dictionary words that are four or fewer characters are allowed. The dictionary word limitations above are bypassed for passwords that are 14 or more characters long (i.e. passphrases are allowed)
  • 25 invalid login attempts within a 10 minute period will result in your account being locked for 15 minutes. After the 15 minute timeout, accounts are automatically unlocked and the login attempt counter and timer are reset.

The 1 day minimum age helps enforce the password history restriction. Without a minimum password age, you would be able to cycle through passwords repeatedly until you get back to an old favorite. The one day minimum age means that it would take 5 days to do it. Password rules will be implemented which will force you to change your password every 183 days (6 months).

Your ILR domain password should be different from the one used to protect your Cornell NetID ( email address) account.

Below are some examples of both valid and invalid passwords:

snow Invalid because it is a dictionary word, does not contain at least seven characters and contains only lower case letters.
Snow1234 Invalid because it contains a single dictionary word followed by a series of characters.
Snow 1234 Valid, since introducing a space lets you use the dictionary word. However, this is not a particularly strong password.
snowisfun Invalid because it only contains lower case letters.
ILikeSnow Invalid because it only contains 2 of the 4 character classes, lowercase and uppercase characters.
ILikeSn0w Valid, since it contains 3 of the 4 character classes: lowercase characters, uppercase characters, and a number (the o has been replaced with a zero). This password is good because of its length, but is not especially strong because of the use of some dictionary words.
I Like snow! Valid, since it contains uppercase, lowercase, numeric, and a special character. Passwords can contain spaces. Length good, strength is okay.
Lis12"om (short for "Let it snow twelve inches or more") Valid, since it contains uppercase, lowercase, numeric, and a special character. This is a strong password and would be difficult to crack.
snwstrm(2004) ("snowstorm(2004)") with vowels removed) A strong, valid password since it contains lowercase, numeric, and special characters and no dictionary words.