Compliance & Policies

Password Guidelines

The minimum baseline password standard for computer systems at Washington University in St. Louis requires that:

  • Passwords be at least five characters in length and sufficiently complex
  • Passwords change at least every 90 days
  • Security software disables and revokes passwords following no more than eight unsuccessful logon attempts
  • Security software disallows the reuse of passwords for five generations or more

Where software permits:

  • Require that files containing passwords are one-way encrypted.
  • Require passwords to be entered in nondisplay fields.
  • Set the initial passwords (issued by the system administrator) to be valid for one logon only, and require a forced password change following the initial logon.

Approved by the Washington University Board of Trustees Audit Committee December 3, 2004; revised July 11, 2006 per PWC.