We’ve experienced some pushback regarding the new Password Complexity Policy effective last Wednesday. Resisting change is perfectly natural, but I think the recent objections are primarily rooted in misunderstanding. Yes, the new policy requires a bit more attention on your part, but it’s truly not as bothersome as it’s being made out to be, and I suspect in a few weeks you’ll barely remember the transition. Let’s go over the new policy one more time.
Passwords must be 12 characters or longer and must contain at least six of the following seven types of characters:
- English uppercase letters: A, B, C … Z
- English lowercase letters: a, b, c … z
- Arabic numerals: 0, 1, 2 … 9
- Non-alphanumeric special characters: !, @, # … $
- Wingdings: a, b, c … z
- Japanese kanji characters: (To view these, consult your Microsoft Office Language Settings Help Guide)
- Original bitmap drawings created in a graphics program, converted into typeface characters, and uploaded to the corporate-network font library
Including these characters is a great start, but it’s even more crucial to avoid words and numbers predictable to a password generator or someone familiar with your personal information. Therefore, in accordance with the new policy, passwords must not contain:
- Repeating characters, e.g., “AbbC” or “aOOO”
- Number sequences based on birthdays, anniversaries, addresses, phone numbers, jersey numbers of childhood sports heroes, prime numbers, or perfect squares
- Names of pets, schools, businesses, works of art, people you know, have known, or would like to know, things you own or lease, locations you’ve lived in or have considered visiting, or any concrete noun you’ve ever said in conversation
And that’s it. Aside from these simple requirements, you’re free to pick any password you want! See, I told you it’s not so bad, and I hope whoever sent those vaguely threatening e-mails to the Help Desk last week considers an apology. In fact, you could say the new policy makes password creation a more imaginative exercise. Have fun with it!
Here’s a sample password that meets the new requirements:
(This password is for example purposes only and cannot serve as your personal password.)
Of course, just because a password meets minimum requirements doesn’t mean it’s as secure as it could be. To help you test proposed passwords, we’ve created the Password Evaluator, which can assess your password’s security strength as you type it. I see many of you have taken advantage of it already. Fantastic! Also, to whoever keeps entering “IHopeYouPeopleRotInHell” into the Password Evaluator, let me assure you that that password is not very strong at all. For starters, it doesn’t even have a Wingding.
Once you’ve decided on a valid password with a high security rating from the Password Evaluator, spend a few seconds committing it to memory and then destroy any written record of it. Voilà, you’re done. Then you can sit back and forget about this password business for a whole two weeks, at which point your password will expire and you’ll need to create a brand-new one.
A final note: It’s very time-consuming for us to reset accounts for employees who’ve forgotten their passwords, so don’t forget the cardinal rule of password creation: Choose something easy for you to remember!
Thank you for your cooperation.
Corporate Information Security