Introduction

In order to comply with state and University System of Maryland security regulations, new rules went into effect in August 2006 regarding the management of passwords in the University Directory and the university mainframe system.

It is important that you protect your Directory password and not share it with others. When used with your Directory ID, your Directory password provides students access to registration, financial information, grades, and course materials. For faculty and staff, the password is a gateway to your HR records and possibly sensitive information protected by your office. For all, the password prevents your e-mail and files from being read by unauthorized persons and is used online to prove that you are you.

Changing your Directory password ONLY affects systems that use the University Directory for authentication. It does not change passwords associated with other authentication services (even if you chose to set all of your passwords to be the same). Examples of systems that DO NOT utilize the Directory include: Novell or Windows logins and the UMDMVS Mainframe. For additional examples of systems that do and do not use the Directory password, please click here.

If you have setup your computer's Web browser or e-mail program to remember your password, you will have to update that information when you change your password. We recommend that you do not use this feature as your password may become compromised if your computer is stolen or hacked.

Password Expiration

All new passwords remain valid for up to 180 days. If you allow your password to expire, you will be unable to access the many services that utilize the Directory password. E-mail will be sent to your DirectoryID@umd.edu address several times in the weeks leading up to your expiration date reminding you to select a new password. Change your password by visiting password.umd.edu and clicking the Update button at the top of the page (or by visiting https://directory.umd.edu/password).

Passwords for OIT employees expire after 90 days.

If your password does expire before you have an opportunity to change it, you will be able to use your old password for the sole purpose of selecting a new password.

Password Quality Checks

A password cannot provide protection if it can be guessed by unauthorized visitors. Potential attackers can also attempt to utilize every possible combination of characters in order to break a password. Password composition rules are chosen to ensure that the number of possible character combinations is large enough that such an attack cannot be accomplished in a reasonable period of time.

For Directory passwords, the following quality rules are applied:

• A password must be at least 8 and no more than 32 characters in length.
• A password must contain at least one uppercase letter.
• A password must contain at least one lowercase letter.
• A password must contain at least one character from the set of digits or punctuation characters (such as # @ $ & among others).
• A password may not begin or end with the space character.
• A password may not contain more than two consecutive identical characters.
• You may not reuse a password you have already used.

Additionally, your password choice will be submitted to a program that determines if your selection is likely to be identified by computer programs that guess passwords based upon dictionary searches. This includes making simple substitutions of digits or punctuation that resemble alphabetic characters (such as replacing the letter S in a common word with the $ symbol).

Selecting Good Passwords

The password quality checks establish a minimally acceptable level of password quality. Increasing the length of your password beyond eight characters markedly increases the security of that password. No matter how complex your chosen password might be, it will not be a secure password if you write that password on a post-it note and keep that note where it might be discovered (the underside of the keyboard is not a secure location).

Take advantage of the fact that the space character is a valid choice (although not for the first or last character of the password) and create phrases or sentences. A sentence with punctuation and one or two deliberate typographic errors will be far easier to remember than eight random characters and (for many people) will be easier for you to type whenever you need to authenticate.

For additional tips on selecting good passwords, please see the Password Recommendations page from the OIT Help Desk.

Forgetting Your Password

Whenever you update your Directory password, you will have an opportunity to establish or update a set of questions and answers that will be used to validate your identity in the event that you cannot remember your Directory password. Choose questions and answers that you will be able to recall later and note that you will be required to re-enter the answers exactly as you originally typed them. In the event that you do lose your password, simply visit this Web page and click the update button at the top, then select forgot password.

If you forget your password and either haven’t set your challenge questions or have also forgotten your answers, you can also have your password reset by visiting the OIT Help Desk and presenting your university identification card.

E-mail Warnings

You will receive e-mail warnings as the expiration date for your password approaches. In order to assure you that messages from OIT regarding your Directory passwords are legitimate, OIT follows several guidelines regarding these messages:

• Messages will include your name and not a generic term, such as "user" or "customer."
• Messages will not include active Web links (you should never click a link in an unsolicited e-mail message). Legitimate messages will always refer you to the OIT Password Web site at password.umd.edu.
• Messages will include a PGP signature which can be validated with appropriate software. A copy of the public key is available on this Web site.

Questions

If you have any questions about this information, please contact the OIT Faculty/Staff Help Desk at 301.405.1500 or the OIT Student Help Desk at 301.405.1400 between the hours of 8 a.m. and 6 p.m., Monday through Friday.