S kip the global header navigation | Ski p the left navigation menu
Thursday, May 26, 2016
    Guest PagesOpen/Close group
    Selecting Passwords - Best Practices


    Selecting a Password - Best Practices

    Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of The University of Tennessee at Chattanooga's systems and data. All users, including Affiliates with access to UTC systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. This document provides best practices for the selection of passwords, passphrases and challenge responses.

    Selecting a Password

    All users at UTC should be aware of how to select strong passwords.

    Strong passwords have the following characteristics:

    • Contain at least three of the five following character classes:
    • Lower case characters
    • Upper case characters
    • Numbers
    • Punctuation
    • “Special ” characters (e.g. ! % * + - / : ? _ )
    • Contain at least eight characters.

    Weak passwords have the following characteristics:

    • The password contains less than eight characters
    • The password is a word found in a dictionary (English or foreign)
    • The password is a common usage word such as:
      • Names of family, pets, friends, co - workers, fantasy characters, etc.
      • Computer terms and names, commands, sites, companies, hardware , software.
      • The words "UTC", "MOCS", "VOLS" or any derivation.
      • Birthdays and other personal information such as addresses and phone numbers.
      • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
      • Any of the above spelled backwards.
      • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
    • Do not resuse or recycle passwords.
    • Do not write down a password.


    Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "A goal without a plan is just a wish ." and the password could be: "@Gw0@p1j@w" or "@GW0@P1J@w" or some other variation.

    Challenge Responses

    Using Challenge Questions and Responses allow the user to reset their password in the event they forget their password without having to contact Client Services. Its important that you protect these questions as you would your own password. If someone can figure out your responses to your questions then you open the door for them to reset your password. So here are some suggestions when it comes to answering your Challenge Questions:

    • Begin and/or end each response with a number, capitalize a letter, or use a special character. For example if your question was "Who is your favorite teacher?", your response could be "23Davis". Next question: "Where did you grow up?" Response: 23Chatt, etc.
    • When you are asked to provide responses to the questions, provide different answers. Example: "Who is your favorite teacher?" Response: Hamburgers, Next Question: "Where did you grow up?" Response: Scrappy, etc.
    • Remember to use strong password recommendations above when setting these responses.
    • You are required to provide your own question and answer to one question. Use same suggestions above in creating both the question and answer.

    Rssources: SANS http://www.sans.org/security-resources/policies/Password_Policy.pdf http://iam.bethel.edu/p.html