Policy, Procedures, and Guidance
Based upon DOE
Notice N205.3 and guidance in
DOE G 205.3-1, all BNL computer platforms capable of
supporting password protection systems must have passwords that are in
accord with the following.
- Password contains at least eight non-blank
characters, provided such passwords are allowed by the operating system or
- Password contains a combination of letters
(a mixture of upper and lowercase), numbers, and at
special character within the first seven positions, provided such passwords
are allowed by the operating system or application.
- Password contains a nonnumeric in the first
and last position.
- Password does not contain the user ID.
- Password does not include the user’s own or,
to the best of his/her knowledge, close friends or relatives
serial number, Social Security number, birth date,
phone number, or any
information about him/her that the user believes could be readily learned or
- Password does not, to the best of the user’s
knowledge, include common words that would be in an English dictionary, or
from another language with which the user has familiarity.
- Password does not, to the best of the user’s
knowledge, employ commonly used proper names, including the name of any
fictional character or place.
- Password does not contain any simple pattern
of letters or numbers, such as “qwertyxx” or “xyz123xx.”
- Password employed by the user on his/her
unclassified systems is different than the passwords employed on his/her
- Please note that passwords can only be changed once in a
24 hour period.
Password authentication has become part of our daily lives.
Creating and using strong and secure passwords helps maintain the
security of BNL’s network. Choosing a suitable password entails
selecting between eight and sixteen characters that are a mix of
upper and lowercase letters, numbers, and symbols. Basically, this
is not a difficult task, though it will involve some careful
thought. The more innovative you are, the more secure BNL’s network
will be. The passwords that you create should be easy for you to
remember but hard for others to guess. In choosing one, keep in mind
that you should never write down your password; instead, memorize
Types of Passwords
Pseudo-random passwords - Pseudo-random passwords are easy-to-remember ones based on a
pass-phrase that is important to you. This phrase can be a set of
words taken from a book, a song, a quotation, or anything else that
you always can recall. The first example below meets all the
requirements for length, and combination of letters (upper- and
lower-case), symbols, and numbers.
- Pass-phrase: "Four score and seven years ago, our fathers..."
- Password: Fs&7yAoF
- Pass-phrase: "My Son is 5 years old"
- Password: Msi5!Yo1d
- Pass-phrase: I have lived in California for 5 years
- Password: IhliCf5#y
The result - Derived by choosing the first letter from each word,
using a mixed case of letters, and adding a non-alphabetic character
and a number.
The next example is not a good one:
- Passwords: "funny bone"
- Password: "phnyb0ne"
The result - Derived by combining the two words funny and bone,
changing "funny" to "phny" and substituting the "o" with a "0"
This password could easily be guessed as it spells out “funny
bone” phonetically. Also, the words funny and bone are related and
you will find the combination defined in dictionaries. The password
does not contain upper-case letters, and symbols.
Maintain the security of your password:
- Do not write down your password; remember it.
- Practice entering in your password, so you can type it in
quickly, without looking at the keyboard.
Password Do's and Don'ts
- Do select a password with
mixed upper- and lower-case alphabetics.
- Do include non-alphabetic
characters in the password (punctuation marks, symbols, and
numbers). Embed the numbers somewhere in the middle of the
password; do not put them at the end.
- Do memorize your password.
Choose one that is easy for you to remember, so that you do not
have to write it down.
- Do choose a password that
you can type quickly, preferably without looking at the keyboard.
Doing this makes it harder for someone looking over your shoulder
to determine your password.
- Don't use passwords with
less than eight characters.
- Don't use your name in any
form (first, middle, or last, or the name of your family members,
friends, pets, or anyone in your life).
- Don't choose your login
name, or that of other people you know.
- Don't straightforwardly
employ words that are found in any US dictionary, no matter how
obscure they may be, or from a foreign language one.
- Don't simply select names
of places or locations.
- Don't employ information
about yourself (such as your phone/extension number, room number).
- Don't use your birth date
or that of anyone you know.
- Don't choose simple
patterns of letters on the keyboard, like
"qwerty" or "asdfgh"
- Don't use all the same
- Don't use passwords with
anything listed above backwards.
- Don't write down your
passwords; the only exceptions being an overriding
operational necessity or in emergency circumstances.
clear-text passwords in a location accessible to others or
secured in a location whose protection is less than that
required for protecting the information that can be accessed
using the password;
applications to retain unencrypted passwords for subsequent
re-use unless there is an overriding operational necessity.
be changed at 6 month intervals.
Passwords must be
soon as possible, but within 1 business day after a password
has been compromised, or after one suspects that a password
has been compromised;
direction from system administrators.
Password Change Process for Windows NT/2000/XP Operating Systems
must be logged on to the network in order to change your network
and screen saver passwords. Press
keys at the same time. A dialogue box will open.
Enter your old password, followed by your new password and
re-enter your new password.
Then press OK.
If you entered your current
password and a new password correctly, you will see a box that
shows that your password was changed successfully.
Note: Windows NT systems automatically synchronize your Screen
Saver Password with your Networking Password.
Process for Unix Operating Systems
your UNIX host, at the shell prompt, type “passwd”
and you will be prompted to change your password.
logged into the BNL Domain
In order to access your exchange account you must use your
new BNL password. To create your new password you must follow
- Users in the BNL domain and have an
Exchange Account should go to
The screen that will appear will say...
Internet Service Manager Your
password has expired.
You can change it now
If your BNL Password has already expired, then you will have
to call the ITD Helpdesk (631.344.5522) to reset your
expiration setting to allow you to access this web page.
- In the Account box - enter bnl\username
- In the Old password box enter - original password
- In the New password box enter - a new password
- In the Confirm new password box enter - the new password again.
- Click the ok button
- The screen that will appear will say, password successfully
Password Policy for BlackBerry and Windows-based Hand-held Wireless Devices
following is a set of rules (also known as a "server policy") which is
remotely pushed to hand-held devices when they sync up with the BNL servers
which supply them with data. Direct questions to Mike Stangel
, Ext. 7256.
- Minimum password length is 4 characters;
- The device password feature cannot be disabled;
- Maximum time before the device locks due to inactivity is 15 minutes;
- The password must be changed by the user every 180 days;
- After 5 incorrect password attempts, data on the device will be erased. To
restore data, the device will need to be brought to ITD;
- The last 15
passwords are remembered to prevent the use of old passwords.*
* This is automatically
enforced via server policies on BlackBerry devices only.
Last Modified: December 7, 2012
Please forward all questions about this site to: