Summary
This article contains the best practices and FAQs regarding passwords at USNH in accordance with USNH Password Policy.
Password Do's and Don'ts
Do's
- Use strong passwords.
- Use a different password for each account, even for USNH accounts that use the same username.
- Use Windows Hello sign-in options, such as a PIN, facial recognition, or fingerprint, where they are available. These credentials are tied to the specific device and supplement, rather than replace, your USNH password.
Don'ts
- Don't share your passwords with anyone, ever.
- Don't write your username and password on a post-it note under your keyboard or on your monitor.
- Don't write down your username and password in the same place, or at all.
- Don’t use iterative passwords (JohnDoe1, JohnDoe2, etc.)
- Don’t use easily guessed password schemes (numbers or special characters used only at the beginning or end like 11Aloha, 1Aloha1, Aloha11, Aloha!!, !!Aloha)
Methods for Creating a Strong Password
To protect your information and the University, create a strong, unique password for each account you use at USNH. Strong passwords have the following characteristics:
- Length: Use a password that is 15-64 characters. The longer, the stronger!
- Passphrase: Use a passphrase that combines several words into a phrase that is easy for you to remember, like "I love mt chocorua" or "ilovemtchocorua". A 15-character passphrase is easier to remember than a random 15-character password.
- Use the Entire Keyboard: Using uppercase and lowercase letters, numbers, and symbols increases the complexity, and therefore the strength, of a password. You can strengthen the passphrase above by adding this kind of complexity, for example "ILoV3MtC[]c0rua" (15 characters). Keep in mind that cracking tools try common substitutions such as 3 for e and 0 for o automatically, and banned-password checks undo them before matching, so substitutions add some strength but far less than additional length does.
- Avoid Dictionary Words or Popular Phrases: Avoid a password that is a single dictionary word, or a common or popular phrase that is easily guessed (e.g., "May the force be with you"); both appear in attackers' wordlists. Ordinary words are acceptable inside a long, multi-word passphrase that is personal to you. In the example above, removing the spaces and changing the "e" in love to a "3" lets you use the word "love" without it appearing exactly as it would in a dictionary.
- Banned passwords: USNH relies on a custom banned password list and Microsoft's Global Banned Password list to prevent the use of compromised or easily guessed passwords.
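As an added illustration, the Python checker below applies the rules from this section and the Don'ts above to a candidate password: the 15 to 64 character range, a banned-term check performed after undoing common character substitutions, the "digits or symbols only at the start or end" scheme (11Aloha, Aloha!!), and the iterative-password check against a previous password (JohnDoe1 to JohnDoe2). It is example code, not USNH's own tool and not Microsoft's banned-password algorithm; the banned list, the substitution table, the sample passwords other than the page's own, and the username "jdoe" are constructed for this example.

```python
"""Password policy checker: an added example, not USNH's own tool.

Assumed for illustration: the banned terms, the substitution table and the
two pattern rules below are simplified stand-ins, not USNH's real custom
list or Microsoft's banned-password matching.
"""
import re

MIN_LEN, MAX_LEN = 15, 64

# Constructed banned list (assumption): a few global favourites plus
# institution-specific words of the kind a custom list would carry.
BANNED_TERMS = {"password", "letmein", "qwerty", "welcome", "usnh", "wildcats"}

# Assumed substitution table. Undoing common swaps before matching means
# "P@$$w0rd" is compared as "password", so swaps alone add little strength.
_UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                         "5": "s", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lower-case and undo substitutions; used only for banned-term matching."""
    return password.lower().translate(_UNLEET)


def strip_ends(password: str) -> str:
    """Drop digits and symbols from both ends: '11Aloha', 'Aloha!!' -> 'aloha'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def check_password(password: str, username: str = "", previous: str = "") -> list[str]:
    """Return the policy findings for `password`; an empty list means it passes."""
    findings: list[str] = []

    if len(password) < MIN_LEN:
        findings.append(f"shorter than {MIN_LEN} characters")
    elif len(password) > MAX_LEN:
        findings.append(f"longer than {MAX_LEN} characters")

    norm = normalize(password)
    if username and username.lower() in norm:
        findings.append("contains the username")
    for term in sorted(BANNED_TERMS):
        if term in norm:
            findings.append(f"contains banned term '{term}'")

    # Easily guessed scheme: a single word with digits/symbols only at the
    # start or end (11Aloha, 1Aloha1, Aloha11, Aloha!!, !!Aloha). A passphrase
    # with spaces or symbols in the middle is not flagged by this rule.
    lowered = password.lower()
    core = strip_ends(password)
    if core != lowered and core.isalpha():
        findings.append("digits or symbols only at the start or end of a single word")

    # Iterative password: same core as the previous one (JohnDoe1 -> JohnDoe2).
    if previous and core == strip_ends(previous):
        findings.append("reuses the previous password with only the ends changed")

    return findings


if __name__ == "__main__":
    # The page's own examples plus constructed ones; the username is made up.
    samples = [("I love mt chocorua", ""), ("ilovemtchocorua", ""),
               ("Aloha!!", ""), ("JohnDoe2", "JohnDoe1"),
               ("P@$$w0rd-UsNh-2024", "")]
    for pw, prev in samples:
        result = check_password(pw, username="jdoe", previous=prev)
        print(f"{pw!r}: {result or 'OK'}")
```

The normalization step is the part worth noticing: "P@$$w0rd-UsNh-2024" is 18 characters and uses every class of character, yet it is rejected because, once the substitutions are undone, it contains two banned terms. The two passphrases from this section pass on length alone.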
See CISA's Choosing and Protecting Passwords website for additional password advice.*
* This link is provided for informational purposes only and does not represent an endorsement by or affiliation with the US Cybersecurity & Infrastructure Security Agency (CISA) at https://www.cisa.gov/ .
Password FAQ
General Questions
Q: Why is there a new password policy?
A: The new policy ensures that passwords used at USNH institutions are strong, secure, and aligned with best practices from organizations like the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). This helps protect university systems and data from unauthorized access.
Q: Who does this policy apply to?
A: The new policy applies to everyone who has access to USNH systems—including students, faculty, staff, vendors, and third-party organizations.
Password Security
Q: When do I need to change my password?
A: Regular users are not required to change passwords on a fixed schedule. Passwords will only need to be changed:
- If there's evidence of compromise or if they don't conform to policy.
- If you’re notified by USNH ET&S that you must change it.
- If your password has expired; you will lose access until it is updated.
- If you have an Administrator account: the password must be changed every 365 days.
- If you use an account to process payment card data (PCI): the password must be changed every 90 days.
Q: How should I handle my password securely?
A: Handling passwords securely is crucial to protect sensitive information and prevent unauthorized access to your personal or institution data. You should:
- Never write it down, share it, or send it in email/chat.
- Not store your password in a web browser using “Remember Password.”
- Avoid saying it aloud or transmitting it unencrypted.
- Use only secure tools to share passwords if you are an admin.
- Store critical passwords (e.g., system or root accounts) in an enterprise password vault. For more information on the USNH BeyondTrust Password Safe, please review this article - https://td.usnh.edu/TDClient/60/Portal/KB/ArticleDet?ID=4939.
Q: What if I forget my password?
A: You can reset your password using USNH-approved processes. The new policy no longer allows security questions like "What was your first pet's name?" for password resets. For more information, please review this article - https://td.usnh.edu/TDClient/60/Portal/KB/ArticleDet?ID=4691.
- Your account may be locked while it is secured, and your identity is verified.
- A password reset will be required before you can regain access.
Q: How is USNH ET&S protecting accounts?
A: USNH ET&S limits the number of failed login attempts that can be made within a certain time frame, which stops password-guessing attacks against an account.
- Most accounts are limited to 100 consecutive failed attempts before lockout.
- Accounts that process payment cards are limited to 10 consecutive failed attempts before lockout.
Policy Enforcement
Q: What happens if I don’t follow the password policy?
A: Failure to comply with the password policy may result in disciplinary action according to USNH student conduct policies, personnel policies, or vendor contracts. The USNH CISO or CIO may also take necessary actions to mitigate security risks.
Q: Are there exceptions to the password policy?
A: Yes. Exceptions must be formally requested and approved according to the USNH Cybersecurity Exception Standard. - https://td.usnh.edu/TDClient/60/Portal/KB/ArticleDet?ID=5027
Q: Who’s responsible for enforcing this policy?
A: Enforcing the password policy is a shared responsibility to ensure the security and integrity of USNH systems and data.
- Application Admins are responsible for ensuring that systems comply with the established password policy.
- The CIO and CISO oversee the enforcement of the policy and conduct annual reviews to ensure its effectiveness.
- Enterprise Technology & Services (ET&S) sends notifications, resets passwords when needed, and provides support to users.
- All USNH Community Members must follow the policy, use strong passwords, and report any suspicious activity.
Q: Where can I find definitions for technical terms?
A: Refer to the NIST Computer Security Resource Center glossary: https://csrc.nist.gov/glossary/term/NIST
Further Readings
USNH Password Policy
CISA's Choosing and Protecting Passwords
Cybersecurity & Infrastructure Security Agency (CISA)
Need additional help?
Contact USNH Cybersecurity Governance, Risk, & Compliance (GRC) via the Support Form found here - https://td.usnh.edu/TDClient/60/Portal/Requests/ServiceDet?ID=172 for questions, additional training, or to report policy violations.
Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request. For password issues you must call or visit the Help Desk in person.