Passphrases at Indiana University

Note: Starting on July 27, 2006, UITS began allowing passphrases for authentication. The greater length and flexibility offered by passphrases will result in enhanced security for IU users. For more information, see the Knowledge Base document How are passwords changing at IU?

As of October 26, 2006, IU began requiring all new users, and all other users who choose to change their existing passwords, to set a Network ID passphrase. This will be the passphrase used to access all of your IU accounts online, including email, Oncourse, and SIS. To change your IU Network ID passphrase, visit the Passphrase Maintenance page at:

Note: When you first change your password to a passphrase on this page, you will enter your current password in the box marked "Current Network ID Passphrase".

When choosing an IU Network ID passphrase, follow the requirements below:

Network ID passphrases must:

• Contain at least 15 and no more than 127 characters.
• Use at least four unique characters (letters, numbers, or symbols).
• Use at least four words. "Word" is defined here as two or more distinct letters; words must be separated by one or more non-letters (i.e., hoagy carmichael-on_kirkwood123avenue contains five "words").

Note: In Mac OS X, passphrases for VPN client software are currently limited to 31 characters. This is a problem with Macintosh software, and Apple has not yet announced a date for fixing it.

These passphrases must not:

• Contain your name or username.
• Use the at sign ( @ ), the number sign ( # ), or the double-quote mark ( " ).
• Be a common phrase (e.g., to be or not to be or april showers bring may flowers).
• Be based on predictable patterns (e.g., the alphabet or the layout of a standard keyboard).

Users who still have a Network ID password will be able to continue to use it, in order to give them some time to become accustomed to the change. You are not required to change your password to a passphrase at this time; however, with the greater security afforded by passphrases, you should consider changing as soon as possible.

Note: Passwords and passphrases are case sensitive. The lowercase  c  is a different letter from the uppercase  C . Make sure that the Caps Lock key is not on, unless you intend to enter all uppercase letters.

Hints for creating secure passwords and passphrases

When creating a password or passphrase, consider the following hints to make it both secure and easily memorizable:

• Avoid common phrases, lyrics, or quotations; these can be easy for hackers to guess. However, you can create an acronym from the letters of the words in a phrase or quotation that is memorable to you (e.g., "To be or not to be?" could become 2BRnot2B?).
  
• While randomly selected words will make a stronger passphrase than words typically used together, using your random words in a grammatical English sentence will make the passphrase much easier to remember.
  
• Interleave two words or a word and a number sequence that is meaningful to you, for example, your favorite fruit and a memorable year (e.g., "kiwi" and "1987" could be interleaved as k1i9w8i7 , ki19wi87 , or ki1987wi ).
  
• Deliberately misspell words, or substitute phonetic replacements throughout (e.g., "Mississippi" could become Mrs.Ippi ).
  
• Use a mixture of uppercase and lowercase letters.

Guidelines for keeping your passwords and passphrases secure

• Do not write your username and password or passphrase in the same place.
  
• Never share your password or passphrase with anyone.
  
• Never send anyone your password or passphrase via email (even if the message requesting your password seems official).
  
• Change your password or passphrase every six months.