In order to comply with state and University System of Maryland security regulations, rules went into effect in August 2006 regarding the management of passwords in the University Directory and the university mainframe system.
It is important that you protect your Directory password and not share it with others. When used with your Directory ID, your Directory password provides students access to registration, financial information, grades, and course materials. For faculty and staff, the password is a gateway to your HR records and possibly sensitive information protected by your office. For all, the password prevents your email and files from being read by unauthorized persons and is used online to prove that you are you.
If you have set up your computer's Web browser or email program to remember your password, you will have to update that information when you change your password. We recommend that you do not use this feature as your password may become compromised if your computer is stolen or hacked.
All new passwords remain valid for up to 180 days. If you allow your password to expire, you will be unable to access the many services that utilize the Directory password. Email will be sent to your DirectoryID@umd.edu address several times in the weeks leading up to your expiration date reminding you to select a new password. Change your password by visiting password.umd.edu and clicking the "Change your Directory Password" button on the left side of the page (or by visiting https://identity.umd.edu/password).
If your password does expire before you have an opportunity to change it, you will be able to use your old password for the sole purpose of selecting a new password.
Password Quality Checks
A password cannot provide protection if it can be guessed by unauthorized visitors. Potential attackers can also attempt to utilize every possible combination of characters in order to break a password. Password composition rules are chosen to ensure that the number of possible character combinations is large enough that such an attack cannot be accomplished in a reasonable period of time.
For Directory passwords, the following quality rules are applied:
- A password must be at least 8 and no more than 32 characters in length.
- A password must contain at least one uppercase letter.
- A password must contain at least one lowercase letter.
- A password must contain at least one character from the set of digits or punctuation characters (such as # @ $ & among others).
- A password may not begin or end with the space character.
- A password may not contain more than two consecutive identical characters.
- A password may not be (or be a variation of ) a dictionary word in English or many other languages. This includes making simple substitutions of digits or punctuation that resemble alphabetic characters (such as replacing the letter S in a common word with the $ symbol).
- You may not reuse a password you have already used.
Selecting Good Passwords
The password quality checks establish a minimally acceptable level of password quality. Increasing the length of your password beyond eight characters markedly increases the security of that password. No matter how complex your chosen password might be, it will not be a secure password if you write that password on a post-it note and keep that note where it might be discovered (the underside of the keyboard is not a secure location).
Take advantage of the fact that the space character is a valid choice (although not for the first or last character of the password) and create phrases or sentences. A longer sentence with punctuation and one or two deliberate typographic errors will be far easier to remember than eight random characters and (for many people) will be easier for you to type whenever you need to authenticate.
For additional tips on selecting good passwords, please see the How to Create a Good Password article from the Help Desk.
Forgetting Your Password
Whenever you change your Directory password, you will have an opportunity to establish or update a set of questions and answers that will be used to validate your identity in the event that you cannot remember your Directory password. Choose questions and answers that you will be able to recall later and note that you will be required to re-enter the answers exactly as you originally typed them. In the event that you do lose your password, click the Change your Directory Password button near the top left of this page, then select forgot password.
If you forget your password and either haven’t set your security questions or have also forgotten your answers, you can also have your password reset by visiting the Help Desk and presenting your university identification card.
You will receive email warnings as the expiration date for your password approaches. In order to assure you that messages from the Division of IT regarding your Directory passwords are legitimate, the Division of IT follows several guidelines regarding these messages:
- Messages will include your name and not a generic term, such as "user" or "customer."
- Messages will not include active Web links (you should never click a link in an unsolicited email message). Legitimate messages will always refer you to the University Directory Password Website at password.umd.edu.
- Messages will include a PGP signature which can be validated with appropriate software. A copy of the public key is available on this website.
If you have any questions about this information, please contact the Help Desk at 301.405.1500.