The Smith Password Policy and how it relates to the Campus Policy
We adhere as closely as possible to the campus password policy.
Campus Password Policy
Your University Directory ID is used for most campus systems, including WAM,
Glue/Deans, Mail@umd, UMEG, ARES, Testudo, Timesheets, PHR, etc. The University
Directory ID is also used for the following systems unique to Smith.
In order to comply with state and University System of Maryland security
regulations, new rules went into effect in August 2006 regarding the management
of passwords in the University Directory and the university mainframe system.
Changing your Directory password ONLY affects systems that use the University
Directory for authentication. It does not change passwords associated with other
authentication services (even if you chose to set all of your passwords to be
the same). Examples of systems that DO NOT utilize the Directory include: Novell
or Windows logins and the UMDMVS Mainframe. For additional examples of systems
that do and do not use the Directory password, please visit
If you have set up your computer's web browser or e-mail program to remember your
password, you will have to update that information when you change your
password. We recommend that you do not use this feature, as your password may
become compromised if your computer is stolen or hacked.
UM Directory Password Expiration
All new UM Directory passwords remain valid for up to 180 days. If you allow
your password to expire, you will be unable to access the many services that
utilize the Directory password. E-mail will be sent to your DirectoryID@umd.edu
address in the several weeks leading up to your expiration date, reminding you to
select a new password. You may want to set a reminder for yourself in case you
miss the email sent from OIT.
Change your password by visiting
http://www.oit.umd.edu/password/ and clicking the Update Your Directory
Password button at the left of the page (or
Passwords for OIT employees are only valid for 90 days.
If your password does expire before you have an opportunity to change it, you
will be able to use your old password for the sole purpose of selecting a new
Why do I need a strong password?
How long do you think it will take to crack your password? You might be
A hacker can crack a password that's 7 characters long with upper and lower case
letters in only 3 hours with a simple cluster of ordinary computers. But change
some of those 7 letters to numbers and a special character (@#$%&*) and you
increase the time it takes to 8 1/2 days. Increase that password to 8 characters
in length and the time it takes to crack it jumps to more than 2 years! Hardly
seems worth the effort.
Check this website for a chart showing how different password combinations stack
(NOTE: The systems they describe as Class "D" are just like the desktops in our
offices, and what they call Class "E" is a cluster of ordinary computers - EASY
for any hacker to throw together.)
another reference regarding the importance of password strength.
Password Quality Checks
A password cannot provide protection if it can be guessed by unauthorized
visitors. Potential attackers can also attempt to utilize every possible
combination of characters in order to break a password. Password composition
rules are chosen to ensure that the number of possible character combinations is
large enough that such an attack cannot be accomplished in a reasonable period
For Directory passwords, the following quality rules are applied:
Additionally, your password choice will be submitted to a program that
determines if your selection is likely to be identified by computer programs
that guess passwords based upon dictionary searches. This includes making simple
substitutions of digits or punctuation that resemble alphabetic characters (such
as replacing the letter S in a common word with the $ symbol).
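The substitution-aware dictionary check described above can be sketched as follows. This is an added example, not the program OIT runs; the word list, the look-alike table and the function name are assumptions made for illustration.

```python
import itertools
import re

# Constructed sample word list; a real checker would load a large dictionary.
WORDLIST = frozenset({"password", "testudo", "maryland", "terrapin", "smith"})

# Look-alike characters and the letters they commonly replace
# (illustrative table assumed for this example).
LOOKALIKES = {
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o", "3": "e",
    "1": "il", "!": "i", "7": "t", "+": "t",
}

# Upper bound on variants tried, so a long password full of look-alike
# characters cannot make the check arbitrarily slow.
MAX_VARIANTS = 4096


def dictionary_hit(password):
    """Return the dictionary word the password reduces to, or None."""
    # For each position keep the typed character and add every letter it
    # could be standing in for, e.g. "$" -> "$s", "1" -> "1il".
    choices = [ch + LOOKALIKES.get(ch, "") for ch in password.lower()]
    variants = itertools.product(*choices)
    for combo in itertools.islice(variants, MAX_VARIANTS):
        # Drop digits and punctuation tacked on before or after the word.
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", "".join(combo))
        if core in WORDLIST:
            return core
    return None


if __name__ == "__main__":
    for sample in ("P@$$w0rd!", "Testudo2006", "My dog eats purpel sox, daily!"):
        print(repr(sample), "->", dictionary_hit(sample))
```

A sentence with a deliberate misspelling passes this check, while a single dictionary word dressed up with digits and symbols does not.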
Beginning in December, another state-mandated security feature will be
incorporated to defend against automated programs that attempt to guess
Directory passwords. If someone incorrectly guesses your password six
consecutive times, authentication of your Directory password will be blocked for
the next ten minutes.
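The lockout rule above (six consecutive wrong guesses, then a ten-minute block) behaves as in the following added example, which is not the Directory's own code. The class, the function names and the sample password are constructed for illustration; the clock is injectable so the behaviour can be checked without waiting.

```python
import hmac
import time

MAX_FAILURES = 6           # consecutive wrong guesses, per the policy text
BLOCK_SECONDS = 10 * 60    # ten-minute block, per the policy text
DEMO_PASSWORD = b"purpel sox, daily!"   # constructed sample credential


def check_demo_password(user, password):
    """Stand-in verifier for the example; compares in constant time."""
    return hmac.compare_digest(password.encode(), DEMO_PASSWORD)


class LockoutGuard:
    """Counts consecutive failures per ID and blocks after the sixth."""

    def __init__(self, verify, clock=time.monotonic):
        self._verify = verify
        self._clock = clock
        self._failures = {}        # user -> consecutive failure count
        self._blocked_until = {}   # user -> clock value when the block ends

    def authenticate(self, user, password):
        now = self._clock()
        until = self._blocked_until.get(user)
        if until is not None:
            if now < until:
                return "blocked"   # even the correct password is refused
            del self._blocked_until[user]
        if self._verify(user, password):
            self._failures.pop(user, None)   # success resets the streak
            return "ok"
        count = self._failures.get(user, 0) + 1
        if count >= MAX_FAILURES:
            self._blocked_until[user] = now + BLOCK_SECONDS
            count = 0
        self._failures[user] = count
        return "denied"


def simulate():
    """Six wrong guesses, the right password at once, then again later."""
    t = [0.0]
    guard = LockoutGuard(check_demo_password, clock=lambda: t[0])
    results = [guard.authenticate("demo", "guess%d" % i) for i in range(6)]
    results.append(guard.authenticate("demo", DEMO_PASSWORD.decode()))
    t[0] += BLOCK_SECONDS
    results.append(guard.authenticate("demo", DEMO_PASSWORD.decode()))
    return results
```

During the block the guard answers without evaluating the password, so the legitimate owner is also refused until the ten minutes have passed.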
Selecting Good Passwords
The password quality checks establish a minimally acceptable level of
password quality. Increasing the length of your password beyond eight characters
markedly increases the security of that password. No matter how complex your
chosen password might be, it will not be a secure password if you write that
password on a post-it note and keep that note where it might be discovered (the
underside of the keyboard is not a secure location).
Take advantage of the fact that the space character is a valid choice (although
not for the first or last character of the password) and create phrases or
sentences. A sentence with punctuation and one or two deliberate typographic
errors will be far easier to remember than eight random characters and (for many
people) will be easier for you to type whenever you need to authenticate.
For additional tips on selecting good passwords, please see the Password
Recommendations page from the OIT Help Desk.
You will receive e-mail warnings as the expiration date for your password
approaches. In order to assure you that messages from OIT regarding your
Directory passwords are legitimate, OIT follows several guidelines regarding
Again, you may want to set a reminder for yourself in case you miss the
email sent from OIT.