Password Policy

On December 4, 2017, ITS implemented two new password policies at the direction and with the support of the Technology Priorities and Planning Committee (TP&PC). The new policies reflect a growing campus-wide commitment to two-factor authentication as an essential part of our overall security posture. They are intended to make it easier for community members who choose to opt in to Duo to manage their Carleton password over time, while preserving an essential minimum security standard for those who prefer not to enroll in two-factor authentication.

One of the two policies below applies to your account, depending on whether you have enrolled in two-factor authentication via Duo. Password policy is applied at the time that you change your password, and is not retroactive. If you choose to opt in to Duo and set a password according to the less restrictive policy, you will be required to change that password if you choose to opt out of Duo thereafter. Carleton faculty, staff, and current students (except for the class of 2018) are required to use Duo and are subject to Policy 1 below.

Policy 1 (with Duo enrollment):

  • Never expires (no annual forced reset).
  • 12 characters minimum.
  • No complexity requirements (special characters, etc.).
  • Minimal blacklist of disallowed terms to prevent easily-guessable passwords.

Policy 2 (no Duo enrollment):

  • Annual expiration.
  • 12 characters minimum.
  • Subject to complexity requirements:
    • At least one capital letter.
    • At least one number.
    • At least one special character or symbol.
  • Minimal blacklist of disallowed terms to prevent easily-guessable passwords.