Password Policy

1.0 Overview

Passwords are a vital aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password can compromise Hampshire College's data systems and services. As such, all users (including contractors and vendors with access to Hampshire College's systems) are responsible for taking the appropriate steps, outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this policy is to establish standards for the creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope

The scope of this policy includes users who meet any of the following criteria:

  • Users responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Hampshire College facility
  • Users with access to Hampshire College's network
  • Users who store any non-public Hampshire College information.

4.0 Policy

4.1 General

  • Change your passwords periodically.
  • The frequency of password change is generally based on the privilege or access level of the account. Accounts with greater privilege or access should have their passwords changed more frequently.
  • The required interval for password changes is once every year.
  • If your password has been compromised or you suspect it's been compromised, change your password immediately. Change your password by visiting and contact the helpdesk at
  • Passwords must not be inserted into email messages or other forms of electronic communication.
  • All user-level and system-level passwords must conform to the guidelines described in Hampshire College Password Guidelines. Please see addendum for additional information regarding these guidelines.

4.2 Password Protection Standards

Password protection is a vital part of any security plan. Please observe the following standards:

  • Do not use the same password for Hampshire College accounts as for other non-Hampshire College accounts, such as personal ISP, benefits, banking, and other accounts.
  • Do not share Hampshire College passwords with anyone, including administrative assistants or secretaries.
  • All passwords are to be treated as sensitive Hampshire College information.
  • When IT works on your computer, please arrange to be available to type in your password as needed. If that is not possible, change your password immediately before and after the work is done.

Good practices to follow:

  • Don't reveal a password over the phone to ANYONE
  • Don't reveal a password in an email message to ANYONE
  • Don't reveal a password to a supervisor
  • Don't talk about a password in front of others
  • Don't hint at the format of a password (e.g., "my family name")
  • Don't reveal a password on questionnaires or security forms to ANYONE
  • Don't share a password with family members
  • Don't reveal a password to co-workers (e.g., when going on vacation or leave of any kind)
  • Don't use the "Remember Password" feature of applications.
  • Don't store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.

If someone demands a password, refer that person to this document or have him or her call a staff member of the information technology department.

Again, do not write passwords down and store them anywhere in your office. Password cracking or guessing may be performed on a periodic or random basis by IT or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

General Password Construction Guidelines

Passwords are used for various purposes at Hampshire College. Some of the more common uses include user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords that are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:

  • The password contains fewer than seven characters
  • The password is a word found in a dictionary (English or foreign)
  • The password is a common usage word such as names of family, pets, friends, co-workers, fantasy characters, etc.
  • Computer terms and names, commands, sites, companies, hardware, software.
  • The words "Hampshire College" or "Hamp" or any such derivation.
  • Birthdays and other personal information, such as addresses and phone numbers.
  • Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelled backwards.
  • Any of the above, preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:

  • Contain both upper and lower case characters (e.g., a-z, A-Z)
  • Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
  • Are greater than seven alphanumeric characters long and are a passphrase (Ohmy1stubbedmyt0e).
  • Are not a word in any language, slang, dialect, jargon, etc.
  • Are not based on personal information, names of family, etc.

Passwords should never be written down or stored online. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

NOTE: Do not use either of these examples as passwords!
