UNMC to implement new password security procedure

In coordination with HIPAA regulations and to improve the security of information technology resources, a new password security procedure is being implemented at UNMC.

Using strong passwords is important because they are the entry point to UNMC's IT resources, campus officials said. Misused or stolen passwords can give intruders access to not only these resources, but also to employees' personal information.

"The policy applies to all computer systems, including network log-in, Lotus Notes and any other software that our employees utilize," said Sharon Welna, associate director of Information Technology Services at UNMC. "We'll phase in the procedure to change passwords, and we'll work with departmental IT system administrators to make sure that all employees have assistance in changing their passwords."

Welna said the policy needs to be implemented campus-wide by March 17, 2003. The following password regulations are part of the new security procedure.

-- All passwords will be changed every six months.

-- Passwords should have at least seven characters, with at least one alphabetic and one numeric character. (Notes requires eight characters.)

-- Passwords should contain at least one lower case and one upper case alphabetic character.

Weak passwords can easily be guessed, Welna said. The following are examples of weak passwords and should not be used:

-- Words in a dictionary

-- Derivatives of user IDs

-- Common character sequences such as 123456

-- Personal details such as spouse's name, license plate, Social Security number or birthday, unless accompanied by additional unrelated characters

-- Any part of speech including proper names, geographical locations, common acronyms and slang.

Using a "pass phrase" rather than a "password" is recommended. An example of a pass phrase would be "Nolv4me". Additional tips for developing a strong password that is easy to remember, along with instructions on changing passwords, can be found at: http://info.unmc.edu/helpdesk/password_links.htm