Password Policies


The Smith Password Policy and how it relates to the Campus Policy

We adhere as closely as possible to the Campus' password policy.

Campus Password Policy

Your University Directory ID is used for most campus systems, including WAM, Glue/Deans, Mail@umd, UMEG, ARES, Testudo, Timesheets, PHR, etc. The University Directory ID is also used for the following systems unique to Smith.

In order to comply with state and University System of Maryland security regulations, new rules went into effect in August 2006 regarding the management of passwords in the University Directory and the university mainframe system.

Changing your Directory password ONLY affects systems that use the University Directory for authentication. It does not change passwords associated with other authentication services (even if you chose to set all of your passwords to be the same). Examples of systems that DO NOT utilize the Directory include: Novell or Windows logins and the UMDMVS Mainframe. For additional examples of systems that do and do not use the Directory password, please visit here.

If you have set up your web browser or e-mail program to remember your password, you will have to update that stored password when you change it. We recommend against using this feature: a saved password can be recovered by anyone who steals your computer or gains control of it.

UM Directory Password Expiration

All new UM Directory passwords remain valid for up to 180 days. If you allow your password to expire, you will be unable to access the many services that use the Directory password. E-mail will be sent to your DirectoryID@umd.edu address in the weeks leading up to your expiration date reminding you to select a new password. You may also want to set a reminder for yourself in case you miss the e-mail from OIT.

Change your password by visiting http://www.oit.umd.edu/password/ and clicking the Update Your Directory Password button at the left of the page (or https://directory.umd.edu/password).

Passwords for OIT employees are only valid for 90 days.

If your password does expire before you have an opportunity to change it, you will be able to use your old password for the sole purpose of selecting a new password.

Why do I need a strong password?

How long do you think it will take to crack your password? You might be surprised.

A hacker can crack a 7-character password made of upper- and lower-case letters in only 3 hours with a simple cluster of ordinary computers. Change some of those 7 letters to digits and a special character (@#$%&*) and the time rises to 8 1/2 days. Make the password 8 characters long and the time to crack it jumps to more than 2 years, which from the attacker's point of view hardly seems worth the effort. (These figures assume 2006-era commodity hardware; cracking rates have grown by orders of magnitude since, so treat them as an illustration of how length and character set multiply the attacker's work, not as a guarantee.)

Check this website for a chart showing how different password combinations stack up.
http://www.lockdown.co.uk/?pg=combi&s=articles
(NOTE: The systems they describe as Class "D" are just like the desktops in our offices, and what they call Class "E" is a cluster of ordinary computers - EASY for any hacker to throw together.)

Here is another reference regarding the importance of password strength.

Password Quality Checks

A password provides no protection if an unauthorized person can guess it. An attacker can also simply try every possible combination of characters (a brute-force search). The password composition rules are chosen so that the number of possible combinations is large enough that such a search cannot finish in a reasonable period of time.

For Directory passwords, the following quality rules are applied:

  • A password must be at least 8 and no more than 32 characters in length (users of the CorporateTime/Oracle calendaring system should currently limit their password to 15 characters).
  • A password must contain at least one uppercase letter.
  • A password must contain at least one lowercase letter.
  • A password must contain at least one character from the set of digits or punctuation characters (such as # @ $ & among others).
  • You may not reuse a password you have already used.

Additionally, your password choice will be submitted to a program that determines whether your selection is likely to be found by password-guessing programs that work from dictionary searches. This check undoes simple substitutions of digits or punctuation that resemble alphabetic characters (such as replacing the letter S in a common word with the $ symbol) before comparing against the dictionary, so "disguising" a dictionary word that way does not make it acceptable.

Beginning in December, another state mandated security feature will be incorporated to defend against automated programs that attempt to guess Directory passwords. If someone incorrectly guesses your password six consecutive times, authentication of your Directory password will be blocked for the next ten minutes.
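The six-strikes-then-ten-minutes rule, as a small in-memory throttle. This is an added illustration, not the Directory server's implementation (which is not public): the clock is injected so the scenario runs without waiting, and the user names in the simulation are constructed.

```python
import time


class FakeClock:
    """Controllable clock for exercising the throttle without waiting ten minutes."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class GuessThrottle:
    """Six consecutive wrong passwords block authentication for ten minutes.
    The counter resets on a correct password or when a block expires."""

    def __init__(self, max_failures: int = 6, block_seconds: int = 600, clock=time.monotonic):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.clock = clock
        self.failures = {}        # user -> consecutive failed attempts
        self.blocked_until = {}   # user -> clock reading at which the block lifts

    def is_blocked(self, user: str) -> bool:
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:   # block has expired: clear it and the counter
            del self.blocked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'blocked', 'ok' or 'failed'.
        Even the correct password is refused while a block is in force."""
        if self.is_blocked(user):
            return "blocked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.blocked_until[user] = self.clock() + self.block_seconds
        return "failed"


def simulate() -> list:
    """Constructed scenario: six wrong guesses against 'jdoe', then the
    real user tries the right password inside and after the block."""
    clock = FakeClock()
    throttle = GuessThrottle(clock=clock)
    log = [throttle.attempt("jdoe", False) for _ in range(6)]
    log.append(throttle.attempt("jdoe", True))     # correct, but inside the block
    clock.now += 599
    log.append(throttle.attempt("jdoe", True))     # one second early: still blocked
    clock.now += 1
    log.append(throttle.attempt("jdoe", True))     # block lifted, counter cleared
    log.append(throttle.attempt("asmith", False))  # other accounts are unaffected
    return log


if __name__ == "__main__":
    print(simulate())
```

Six guesses per ten minutes is at most 864 guesses per account per day, which makes online guessing impractical against any password that survives the quality checks; it does nothing against offline cracking of a stolen password hash, which is what the crack-time figures earlier on this page describe. Because the block is per account, anyone who knows a Directory ID can deliberately lock its owner out for ten minutes by entering six wrong passwords; that is the usual trade-off of account lockout, and the reason the window is short.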

Selecting Good Passwords

The password quality checks establish a minimally acceptable level of password quality. Increasing the length of your password beyond eight characters markedly increases the security of that password. No matter how complex your chosen password might be, it will not be a secure password if you write that password on a post-it note and keep that note where it might be discovered (the underside of the keyboard is not a secure location).

Take advantage of the fact that the space character is a valid choice (although not for the first or last character of the password) and create phrases or sentences. A sentence with punctuation and one or two deliberate typographic errors will be far easier to remember than eight random characters and (for many people) will be easier for you to type whenever you need to authenticate.

For additional tips on selecting good passwords, please see the Password Recommendations page from the OIT Help Desk.

E-mail Warnings

You will receive e-mail warnings as the expiration date for your password approaches. In order to assure you that messages from OIT regarding your Directory passwords are legitimate, OIT follows several guidelines regarding these messages:

  • Messages will include your name and not a generic term, such as "user" or "customer."
  • Messages will not include active Web links (you should never click a link in an unsolicited e-mail message). Legitimate messages will always refer you to the OIT Password Web site at password.umd.edu.
  • Messages will include a PGP signature which can be validated with appropriate software. A copy of the public key is available on this Web site.

Again, you may want to set a reminder for yourself in case you miss the e-mail from OIT.