MIT strengthens network password requirements

Stronger Kerberos password rules and password expiration policies now tied to annual certificate renewal process


As part of a broad effort to strengthen campus security, MIT is taking steps to provide the community with a more secure network environment. This includes:

  1. Implementing stronger Kerberos password requirements
  2. Implementing password expiration policies and tying them to the certificate renewal process

What Does This Mean to You?
New Kerberos passwords/passphrases must be significantly stronger than was previously required.

When it's time to renew your MIT certificates (which expire on July 31):

  • If your current password is more than a year old, you'll be required to change it before a new certificate can be created (NOTE: The certificate renewal system will let you know if this is required.)
  • Don't wait until July 31 to renew your certificate and change your password. Given the new password strength requirements, we recommend that you review rules and suggestions for creating strong passwords before renewing your certificate.

Why Are We Doing This?
Poorly chosen passwords significantly increase the risk of unauthorized access to and/or exploitation of MIT's resources. All users, including contractors and vendors with access to MIT's systems, are responsible for taking appropriate steps to select and secure their passwords.

We seek to establish some standards for creating strong passwords, protecting those passwords and ensuring that they are frequently changed (annually). The password expiration policy change is now linked to the certificate renewal process to combine these annual tasks and simplify the process.

Passwords vs. Passphrases
Another option is to use "passphrases", which are typically longer than complex passwords but easier to remember, and which, if well chosen, can provide superior protection against hackers. While the system will enforce a 6-character minimum password, we recommend passphrases (i.e., more than one word strung together) of at least 15 characters (spaces count as characters).

While passphrases may look simple, their length translates into so many possible combinations that a typical password-cracking program will not be effective. That said, it is always a good thing to disguise this simplicity with elements of weirdness, nonsense or randomness. For more details on creating strong passwords and passphrases, see the Strong Password page in the Knowledge Base.
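The following is an added example, not part of the original article or of MIT's password-checking software, that turns the two length rules above (the enforced 6-character minimum and the recommended 15-character passphrase, with spaces counting as characters) into a small checker and shows why length helps and why the "weirdness" advice matters. The per-class alphabet sizes, the 7776-word dictionary size, the function names (`evaluate`, `effective_bits`, and so on) and the sample strings are all assumptions constructed for this illustration. It compares two estimates: a character-by-character brute-force bound, and a word-by-word bound that applies when a passphrase is nothing but plain lowercase dictionary words.

```python
import math

# Policy numbers come from the article: the system enforces a 6-character
# minimum, and passphrases of at least 15 characters (spaces count) are
# recommended. Everything else below is an assumption made for this example.
ENFORCED_MIN_LENGTH = 6
RECOMMENDED_MIN_LENGTH = 15

# Assumed alphabet size per character class for the brute-force estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "space": 1, "symbol": 32}

# Assumed size of the word list an attacker would use against a passphrase
# built from ordinary words (7776 is the size of a Diceware-style list).
ASSUMED_DICTIONARY_SIZE = 7776


def char_classes(secret):
    """Return the set of character classes present in the secret."""
    classes = set()
    for ch in secret:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch == " ":
            classes.add("space")
        else:
            classes.add("symbol")
    return classes


def brute_force_bits(secret):
    """Search space in bits if an attacker must try every string of this
    length drawn from the character classes the secret actually uses."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(secret))
    return len(secret) * math.log2(alphabet)


def word_list_bits(secret, dictionary_size=ASSUMED_DICTIONARY_SIZE):
    """Search space in bits if the secret is a sequence of dictionary words
    and the attacker guesses word by word rather than character by character."""
    return len(secret.split()) * math.log2(dictionary_size)


def effective_bits(secret):
    """The smaller of the two estimates. A passphrase made only of plain
    lowercase words is no stronger than the word-by-word attack allows; a
    secret containing digits, symbols or mixed case falls outside the simple
    word-by-word model used here, so only the character-level bound applies."""
    plain_words = all(ch.islower() or ch == " " for ch in secret)
    bits = brute_force_bits(secret)
    if plain_words:
        bits = min(bits, word_list_bits(secret))
    return bits


def evaluate(secret):
    """Apply the article's two length rules and attach the strength estimate."""
    return {
        "length": len(secret),
        "accepted": len(secret) >= ENFORCED_MIN_LENGTH,
        "meets_recommendation": len(secret) >= RECOMMENDED_MIN_LENGTH,
        "bits": round(effective_bits(secret), 1),
    }


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    for sample in ["abc", "abcdef", "Tr0ub4d&",
                   "correct horse battery staple",
                   "correct horse 7 battery staple?"]:
        print(repr(sample), evaluate(sample))
```

Running it shows the point of the section: a 28-character passphrase of four common words has a far larger character-level search space than an 8-character complex password, but if it is made only of plain words the word-by-word estimate drops it to roughly 52 bits, about the same as the short complex password; adding a digit or a symbol (the article's "weirdness") is what takes it out of that cheaper attack model. It also shows that a single 6-letter dictionary word, although accepted by the enforced minimum, is worth only about 13 bits under the word-list estimate.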

Questions about changes to the policy should be directed to cybersecurity-questions@mit.edu. If you or your colleagues are having trouble with certificate renewal or the password-changing process, contact the IS&T Help Desk at helpdesk@mit.edu or 617-253-1101.

