Directive on the use of passwords at the University of Basel
Resolution of the IT Steering Committee of 08.02.2012 (last amendment 25.03.2014); supplemented due to security requirements in the minimum password length to 12 characters by IT Services on 04.11.2020.
Personal passwords are the key to many IT resources of the University of Basel. In the wrong hands, they lead to a variety of misuses such as copyright infringement, espionage and identity theft. Passwords must therefore be kept confidential, changed regularly and stored securely.
§1. It is strictly forbidden to pass on or publish personal passwords.
§ 2. passwords that are too simple can easily be guessed or calculated. Passwords must therefore at least meet the following criteria:
- The password must not contain any parts (greater than two characters) of the user's last name, first name or account name.
- The password must be at least 12 and at most 40 characters long.
- Last passwords must not be used and "?" and "!" must not be the first character.
- The password must not contain a space.
- The password must contain characters from three of the following character classes:
- Uppercase letters: ABCDEFGHIJKLMNOPQRTSUVWXYZ
- Lower case letters: abcdefghijklmnopqrstuvwxyz
- Numbers in base 10: 0123456789
- Non-alphanumeric characters: ! @ # ^ * _ - + = \ ( ) : ; , . ? /
These criteria are subject to change at any time without notice for security reasons.
Each time a password is changed, the IdM checks how many changes have been attempted within the last 24 hours. If more than 10 changes are made, the access authorization is deactivated for security reasons. Affected users can contact the ITS Service Desk with a passport or ID to be unlocked.
Passwords should be chosen so that they do not need to be written down, despite the complexity requirements. It is recommended that password recovery is also enabled in Viaweb.
§ 3. passwords must be changed regularly.
A password is valid for 12 months. Before the expiration of the validity, the user will receive reminder e-mails that the password must be changed. If the password is not changed by the time it expires, access to university resources will be blocked until the password is changed. It is still possible to change the password independently.
Furthermore, it is the user's responsibility to change the password if misuse of their own account is suspected or after use in untrusted locations such as internet cafes.