The Tech office encourages users to use a strong passphrase. A passphrase is a password made up of a sequence of words with letters, numbers, and special characters inserted throughout. Passphrases typically have additional benefits such as being longer and easier to remember. For example, the passphrase “My passw0rd is $uper str0ng!” is 28 characters long and includes letters, numbers, and special characters. It is also relatively easy for the individual to remember. It is important to note the placement of numeric and symbolic characters in this example: it prevents multiple words from being found in a standard dictionary. The use of blank spaces also makes a passphrase more difficult to guess.

General Passphrase Construction Guidelines

A strong pass-phrase includes:

  1. 10+ characters / 3-4+ words

  2. Uppercase letter characters (A B C D …)

  3. Lowercase letter characters (a b c d …)

  4. Numbers (0 through 9)

  5. Non-alphanumeric characters (@ % ^ * ! ? etc)

  6. Do not include the user's first or last name or a sequence of numbers

There may be some variation on the above to take account of our younger AISJ student users.

Further guidance in developing a strong pass-phrase:

● Be creative. Make it personal to you.

● Use words from a poem, a line from a song, or a familiar quote with lots of substitutions! (e.g., Gr3en EGg$ @Nd H@mmy!)

● Select a pass-phrase that is 10+ characters and 3-4+ words long

● Stay away from common phrases or quotes if not using substitutions

● Mix short and long words and remember that sentences need not be intelligible

● Character substitutions and/or misspelling strengthen the pass-phrase

● Mix languages

● Exclude some of the spaces between words.

Passphrase requirements for different divisions

a. ES Students:

● 6 characters for PreK - Grade 4

● 8 characters for Grade 5

● No Complexity for PreK - Grade 4

● Grade 5, Complexity – 3 of the 4 – Uppercase letter, lowercase letter, number, special character

● Cannot include user's first or last names, or sequential numbers

● Maximum of 8 attempts before locking out – 15-minute lockout

● Change every 365 days

● Cannot use the last 5 pass-phrases

b. MS/HS Students, faculty, staff, employees, and all non-ES student account holders:

● 8 character minimum

● Complexity – 3 of the 4 – Uppercase letter, lowercase letter, number, special character

● Cannot include user's first or last names, or sequential numbers

● Maximum of 8 attempts before locking out – 15-minute lockout

● Change every 365 days

● Cannot use the last 5 pass-phrases

c. High-security AISJ account holders – all Technology, Finance, HR, Security, Operations Managers employees:

● 10 character minimum

● Complexity – 3 of the 4 – Uppercase letter, lowercase letter, number, special character

● Cannot include user's first or last names, or sequential numbers

● Maximum of 8 attempts before locking out – 30-minute lockout

● Change every 120 days

● Cannot use the last 6 pass-phrases

d. System Admin accounts – Technology Office senior engineers:

● 12 character minimum

● Complexity – 3 of the 4 – Uppercase letter, lowercase letter, number, special character

● Cannot include user's first or last names, or sequential numbers

● Maximum of 5 attempts before locking out – 60-minute lockout

● Change every 90 days

● Cannot use the last 10 pass-phrases
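
The per-division length, complexity, name and sequential-number rules above can be checked mechanically. The following is an added example, not AISJ's own tooling: the tier keys and function names are invented here, and treating "sequential numbers" as a run of three or more ascending or descending digits, and counting a blank space as a special character, are assumptions. Lockout, expiry and history rules need account state and are not covered.

```python
# Minimum length and required character classes per tier, from the lists above.
# Tier keys are labels invented for this example.
TIERS = {
    "es_prek_4":     {"min_len": 6,  "classes": 0},
    "es_grade_5":    {"min_len": 8,  "classes": 3},
    "ms_hs_staff":   {"min_len": 8,  "classes": 3},
    "high_security": {"min_len": 10, "classes": 3},
    "system_admin":  {"min_len": 12, "classes": 3},
}

def count_classes(pw):
    """Count how many of the four classes appear: upper, lower, digit, special."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),  # assumption: a space counts as special
    ])

def has_sequential_digits(pw, run=3):
    """Assumption: 'sequential numbers' = `run`+ digits ascending or descending by 1."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if chunk.isascii() and chunk.isdigit():
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False

def check_passphrase(pw, tier, first_name, last_name):
    """Return a list of rule violations; an empty list means acceptable."""
    rules, problems = TIERS[tier], []
    if len(pw) < rules["min_len"]:
        problems.append(f"shorter than {rules['min_len']} characters")
    if count_classes(pw) < rules["classes"]:
        problems.append(f"fewer than {rules['classes']} of the 4 character classes")
    lowered = pw.lower()
    if any(n and n.lower() in lowered for n in (first_name, last_name)):
        problems.append("contains the user's first or last name")
    if has_sequential_digits(pw):
        problems.append("contains sequential numbers")
    return problems
```
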


Password Protection Standards

● Always use different passwords for AISJ accounts from other non-AISJ access (e.g., personal ISP account, option trading, benefits, etc.).

● Always use different passwords for various AISJ access needs whenever possible. For example, select one password for systems that use directory services (e.g., LDAP, Active Directory, etc.) for authentication and another for locally authenticated access.

● Do not share AISJ passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential AISJ information.

● Passwords should never be written down or stored online without encryption.

● Do not reveal a password in email, chat, or other electronic communication.

● Do not speak about a password in front of others.

● Do not hint at the format of a password (e.g., "my family name").

● Do not reveal a password on questionnaires or security forms.

● If someone demands a password, refer them to this document and direct them to the TECH department for Information Security.

● If an account or password compromise is suspected, report the incident to the TECH department for investigation.