Password Restrictions

The following restrictions will apply to all normal, name-based NetID accounts:

  • Maximum duration (before password expires): 180 days since last change or reset
  • Days warning before expiration: 30
  • Warning page auto-redirects after a few seconds: Force user to click “Update password” or “Ignore”
  • May change password via web self-service before it expires: Yes, visit to change your password at any time
  • Grace period (# of times old password will be accepted) after password has expired: None
  • May reset password via web self-service (after it expires): Yes, visit to change your password at any time
  • May reset via call or fax to Help Desk (versus “physical proofing” by a designated USF employee): No
  • History / Reusability – New password cannot match any of this many previously recorded ones: 10
  • Minimum length: 8
  • Maximum length: 132
  • Complexity / Strength: New passwords must score sufficiently high against a password strength library of over 75,000 common passwords. The score increases as you include numbers, mixed case, or special characters, or increase the length. The password strength meter must read at least “Good” before the new password will be accepted.
  • Display of a user-selected phrase and image (to validate it’s our system requesting their password and not a phishing scam): Currently not available.
  • Maximum failed login attempts (which can be used to combat “brute force” attacks):
    • From the same IP address (which CAS knows) before that IP address is “locked”: 100 per minute
    • Against the same account (which LDAP knows) before that account is “locked”: 100 per hour
  • Failed-login lockout duration: Permanent, unless manually reset
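
The two failed-login limits and the permanent lockout above, worked through as an added example (not code from USF, CAS or LDAP). The class and function names are hypothetical. Two behaviours are assumptions because the list does not specify them: the counts use sliding windows, and the lock triggers on the failure that reaches the limit.

```python
from collections import defaultdict, deque

# Thresholds from the policy list above: (max failures, window in seconds).
IP_LIMIT = (100, 60)         # same source IP, per minute (counted by CAS)
ACCOUNT_LIMIT = (100, 3600)  # same account, per hour (counted by LDAP)


class FailedLoginTracker:
    """Hypothetical tracker. Assumptions: sliding windows, and the lock
    triggers on the failure that reaches the limit."""

    def __init__(self):
        self._failures = {"ip": defaultdict(deque), "account": defaultdict(deque)}
        self._locked = {"ip": set(), "account": set()}

    def _hit(self, kind, key, now, limit, span):
        window = self._failures[kind][key]
        while window and now - window[0] >= span:  # expire old failures
            window.popleft()
        window.append(now)
        if len(window) >= limit and key not in self._locked[kind]:
            self._locked[kind].add(key)
            return True
        return False

    def record_failure(self, ip, account, now):
        """Record one failed login at `now` (seconds); return new locks."""
        new = []
        if self._hit("ip", ip, now, *IP_LIMIT):
            new.append(("ip", ip))
        if self._hit("account", account, now, *ACCOUNT_LIMIT):
            new.append(("account", account))
        return new

    def is_blocked(self, ip, account):
        # Lockout is permanent: no timer ever clears these sets.
        return ip in self._locked["ip"] or account in self._locked["account"]

    def manual_reset(self, kind, key):
        """Clear a lock by hand; nothing else in this class removes one."""
        self._locked[kind].discard(key)
        self._failures[kind].pop(key, None)


def simulate(events):
    """Replay constructed (ip, account, time) failures; return locks in order."""
    tracker = FailedLoginTracker()
    locks = []
    for ip, account, now in events:
        locks += tracker.record_failure(ip, account, now)
    return locks
```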