Information Security Central - June Edition

Updates to password complexity

On June 15, 2017, OIT implemented new password complexity requirements for CMU Global IDs. We made these changes in response to both your feedback and modern security trends. Now your password can be both more secure and simpler to type in on mobile devices, because the longer you make your password, the less strict the complexity requirements become.

Here are the new requirements:

  • Passwords of 8 - 11 characters: Mixed-case letters with numbers and symbols
  • Passwords of 12 - 15 characters: Mixed-case letters with numbers
  • Passwords of 16 - 19 characters: Mixed-case letters
  • Passwords of 20 - 29 characters: No requirements aside from length
NOTE: Due to technical limitations, passwords cannot contain more than 29 characters.
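
The tiers above, written as a checker (an added example, not OIT's own code). It also computes the smallest search space each tier allows, which is why the rules can relax as length grows. Assumptions: "symbols" means ASCII punctuation, each tier is a minimum requirement, and the bit counts hold only for uniformly random characters, so they are an upper bound for human-chosen passwords.

```python
import math
import string

# Tiers from the policy above: (min_len, max_len, required character classes).
TIERS = [
    (8, 11, ("lower", "upper", "digit", "symbol")),
    (12, 15, ("lower", "upper", "digit")),
    (16, 19, ("lower", "upper")),
    (20, 29, ()),
]

# Assumption: "symbols" means ASCII punctuation; the page does not define the set.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def missing_classes(password):
    """Return the unmet requirements; an empty list means compliant."""
    n = len(password)
    for lo, hi, required in TIERS:
        if lo <= n <= hi:
            return [c for c in required
                    if not any(ch in CLASSES[c] for ch in password)]
    return ["length must be 8-29 characters"]


def tier_floor_bits(lo, required):
    """Search space in bits for the shortest password a tier accepts,
    assuming random characters drawn from exactly the required classes
    (lowercase only when nothing is required)."""
    alphabet = sum(len(CLASSES[c]) for c in required) or len(CLASSES["lower"])
    return lo * math.log2(alphabet)


if __name__ == "__main__":
    for lo, hi, required in TIERS:
        print(f"{lo}-{hi} chars: >= {tier_floor_bits(lo, required):.1f} bits")
    # Constructed sample passwords, for illustration only.
    for pw in ["Tr1cky!pw", "correct horse battery staple", "short"]:
        print(repr(pw), missing_classes(pw) or "ok")
```

The floor rises from about 52 bits in the 8-character tier to about 94 bits in the 20-character tier, even though the longest tier requires no particular character classes.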

Why change the password complexity?

Our previous password complexity requirements were last updated in 2010. Since that time, smartphones have obviously exploded in popularity, bringing a greater need to accommodate touchscreen typing. Our previous complexity requirements simply weren't up to the task, necessitating cumbersome touchscreen juggling to get back and forth between letters, numbers, and symbols. Now, if you make your password 20 or more characters, it's both more secure and simpler to type in on mobile devices.

Of course, security standards change over time, as do common attack vectors used by scammers to compromise accounts. Making it easier for the CMU community to use longer, more secure passwords helps ensure that passwords are tougher to guess or crack.

On top of that, the new requirements allow sufficiently long passwords to take the form of "pass phrases": longer passwords that consist of multiple words. This makes the password difficult to guess but easy to remember.