IT Security Standards - Draft

Standard Presented for 30-Day Review

This IT standard has been developed by the IT Policy Committee (ITPC) and is being submitted for comment and review.

The comment period ends at noon on January 15, 2021.

Comments may be directed to: IT-POLICY-ADM@LISTS.UPENN.EDU


DRAFT - IT Security Standards

1 PennName

1.1 Structure of PennName

1.1.1 A PennName has the following characteristics:

  • Length
    • A PennName has a minimum of two characters.
    • A PennName has a maximum of eight characters.
  • Alphabet
    • A PennName may contain the lowercase letters a through z.
    • A PennName may contain numerics 0 through 9.
    • No other characters are permitted.
  • Structure
    • The first character must be an alpha.

2 Strong Authentication

2.1 Passwords
2.1.1 Complexity Standard

2.1.1.1 Where password construction constraints permit, passwords should be constructed using the following criteria in order to be designated as "Strong Passwords":

  • 20 or more characters in length (passphrases) - constructed using any character class combination
  • 16 - 19 characters in length - must contain characters from at least 2 of the 4 character classes
  • 12 - 15 characters in length - must contain characters from at least 3 of the 4 character classes
  • 8 - 11 characters in length - must contain characters from at least 3 of the 4 character classes

where the four character classes consist of caps, lower-case letters, numbers and symbols.

2.1.1.2 PennKey password complexity is established as follows (consistent with the preceding standard):

  • 20 or more characters in length (passphrases) - constructed using any character combination
  • 16 - 19 characters in length - must contain caps and lower-case letters
  • 12 - 15 characters in length - must contain caps, lower-case letters and numbers
  • 8 - 11 characters in length - must contain caps, lower-case letters, numbers and symbols
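The rules in sections 1.1.1, 2.1.1.1 and 2.1.1.2 can be expressed as a validator. The following is an added example, not part of the standard or any Penn code; the function names are hypothetical, and it assumes ASCII character classes with every character that is not a letter or digit counted as a symbol.

```python
import re
import string

# Section 1.1.1: 2-8 characters, lowercase a-z and 0-9 only, first character a letter.
PENNNAME_RE = re.compile(r"[a-z][a-z0-9]{1,7}")
ALL_CLASSES = {"caps", "lower", "number", "symbol"}

# (min length, max length or None, requirement) per tier.
# 2.1.1.1 counts distinct classes; 2.1.1.2 names the classes that must appear.
GENERAL_TIERS = [(20, None, 0), (16, 19, 2), (12, 15, 3), (8, 11, 3)]
PENNKEY_TIERS = [
    (20, None, set()),
    (16, 19, {"caps", "lower"}),
    (12, 15, {"caps", "lower", "number"}),
    (8, 11, ALL_CLASSES),
]

def is_valid_pennname(name):
    # fullmatch rejects trailing newlines and any other stray characters.
    return PENNNAME_RE.fullmatch(name) is not None

def char_classes(password):
    """Return the set of character classes present in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("caps")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("number")
        else:
            found.add("symbol")  # assumption: everything else, spaces included
    return found

def _tier_requirement(length, tiers):
    for low, high, requirement in tiers:
        if length >= low and (high is None or length <= high):
            return requirement
    return None  # shorter than 8 characters: no tier applies

def is_strong_password(password):
    need = _tier_requirement(len(password), GENERAL_TIERS)
    return need is not None and len(char_classes(password)) >= need

def meets_pennkey_complexity(password):
    need = _tier_requirement(len(password), PENNKEY_TIERS)
    return need is not None and need <= char_classes(password)
```

A 10-character password with lower-case letters, numbers and symbols satisfies the 3-of-4 rule in 2.1.1.1 but not the PennKey rule in 2.1.1.2, which names all four classes for that length.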