What are the requirements?
If a password fails to meet the requirements below, the password will not be set. The password policy is enforced by the Microsoft operating system on the servers.
Passwords must be at least 6 characters and include at least 3 of the following:
- A lower case letter [a-z]
- An upper case letter [A-Z]
- A number [0-9]
- A symbol [! $ # % } < ...]
Passwords must not contain 3 or more consecutive letters from the organisation name, email address, or display name.
Additionally, please note that our Hosted Desktop clients cannot recycle or rotate passwords over several months; that is, a new password cannot be set to an earlier password. Passwords also expire every 42 days.
There is a minimum password age of 48 hours before a password can be changed; passwords cannot be changed again within this time without contacting support.
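The length, character-class and name rules above, written out as a checker. This is an added example, not the provider's or Microsoft's code: it reads the name rule literally as worded on this page, assumes matching is case-insensitive, and uses constructed identity strings.

```python
import string

SYMBOLS = set(string.punctuation)  # the 32 printable ASCII symbols
MIN_LENGTH = 6
MIN_CLASSES = 3


def character_classes(password):
    """Return the names of the character classes present in the password."""
    checks = {
        "lower": lambda c: c in string.ascii_lowercase,
        "upper": lambda c: c in string.ascii_uppercase,
        "digit": lambda c: c in string.digits,
        "symbol": lambda c: c in SYMBOLS,
    }
    return {name for name, test in checks.items() if any(test(c) for c in password)}


def letter_runs(text, size=3):
    """Yield every run of `size` consecutive letters in text, lower-cased."""
    text = text.lower()
    for i in range(len(text) - size + 1):
        window = text[i:i + size]
        if all(c in string.ascii_lowercase for c in window):
            yield window


def check_password(password, identity_strings):
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if len(character_classes(password)) < MIN_CLASSES:
        failures.append("fewer than 3 character classes")
    lowered = password.lower()  # assumption: the name rule ignores case
    for source in identity_strings:
        hit = next((run for run in letter_runs(source) if run in lowered), None)
        if hit:
            failures.append(f"contains '{hit}' from '{source}'")
    return failures


# Constructed sample identity (organisation name, email, display name).
IDENTITY = ["Example Hosting Ltd", "jane.doe@example.com", "Jane Doe"]

if __name__ == "__main__":
    for candidate in ["abc12", "password1", "Examp1e!", "T7#kqV"]:
        print(candidate, check_password(candidate, IDENTITY) or "OK")
```

A candidate such as `Password1` returns no failures here, so passing these checks does not by itself make a password resistant to dictionary guessing.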
Why must passwords be strong?
Strong passwords are a vital part of the enterprise security solution we provide. The security of the system is maintained by following industry best practice for setting and managing passwords. We require our clients to set strong passwords and keep passwords secure to safeguard the data and system against malicious hackers.
How do hackers hack accounts?
Hackers primarily rely upon two techniques to hack into accounts.
- "Dictionary": automated software scans for any passwords consisting of words in the English dictionary.
- "Brute force": automated software attempts various permutations of characters until one is successful.
Therefore, the following factors are critical in any password policy:
- Validity period
How do strong passwords defend against hackers?
Strong passwords mitigate hackers' brute force efforts. The required password structure means that there are 94 candidate characters [26+26+10+32] and nearly 7 billion permutations over 6 characters. A hacker would need to generate over 190,000 attempts every second over the password's lifetime of 42 days.
To defend against dictionary-based hacking, the password should not consist of predictable text strings. For example, do not include birthdays, car license plate numbers, number sequences, dates, names of spouses or children, unless unrelated characters are interspersed in the password.
Keeping passwords secure thwarts hackers' attempts at social engineering. Passwords should not be revealed to any third party, and please resist the temptation to write your current password on a sticky note and attach it to your computer screen.
To reduce a hacker's "window of opportunity", a password expiry, lockout time and non-rotation policy are enforced. If an invalid password is entered more than three times consecutively, the account will be locked out for 15 minutes. Passwords must not be identical or similar to earlier passwords, as this extends the period of time available to a hacker to "discover" a password.