National Aeronautics and Space Administration

Glenn Research Center

Password Rules

Whether at work or at home, your password is one of the first lines of defense against hackers. You should keep your password secret and never share it with anyone (see Password Tips). When devising a new password, follow these password best practices:

Passwords must:

  • Be a minimum of 12 characters
  • Contain a mixture of three of the following four character types:
      • English upper case letters (A through Z)
      • English lower case letters (a through z)
      • Numeric characters (0 through 9)
      • Special characters (for example: &, %, @, !, #)

Passwords will:

  • Expire every 60 days
  • Be used for a minimum of one (1) day
  • Be stored in password history (24 passwords) so that you cannot reuse a password

Passwords must NOT contain:

  • Any form of your name
  • Your user ID
  • A repetition of numbers or letters, or keyboard patterns
  • A birth date (yours or a family member's)
  • Family member name
  • Pet name
  • Any other personal information (social security number, address, etc.)
  • A word found in any dictionary (English or foreign)
  • Anything relating to any NASA project or organization
  • Any vendor product
  • The name of a vehicle or sports team
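
The composition rules above can be checked mechanically when a password is set. The following Python sketch is an added example, not code from NASA or Glenn Research Center. It assumes a run length of four for "repetition" and "keyboard patterns" (the page gives no number), uses a constructed sample of keyboard rows, and takes the dictionary, project, vendor and personal terms as a caller-supplied `banned_words` list.

```python
import re

MIN_LENGTH = 12        # "Be a minimum of 12 characters"
REQUIRED_CLASSES = 3   # "three of the following four character types"
RUN = 4                # assumed threshold; the page states no length for a repetition
# Constructed sample of keyboard rows; the page does not enumerate patterns.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def char_classes(pw):
    """Count how many of the four listed character types appear."""
    # Anything that is not an ASCII letter or digit is treated as "special".
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, pw)) for p in patterns)

def has_keyboard_run(pw):
    """True if pw contains RUN adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + RUN] in low for i in range(len(seq) - RUN + 1)):
                return True
    return False

def check_password(pw, user_id, names=(), banned_words=()):
    """Return a list of rule violations; an empty list means every check passed."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if char_classes(pw) < REQUIRED_CLASSES:
        problems.append("fewer than three character types")
    if user_id and user_id.lower() in low:
        problems.append("contains user ID")
    if any(n and n.lower() in low for n in names):
        problems.append("contains a form of your name")
    if re.search(r"(.)\1{%d,}" % (RUN - 1), pw):
        problems.append("repeated character")
    if has_keyboard_run(pw):
        problems.append("keyboard pattern")
    if any(w and w.lower() in low for w in banned_words):
        problems.append("contains a banned word")
    return problems
```

Substring matching against `banned_words` is deliberately strict, so short list entries will reject many otherwise acceptable passwords.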

Other password considerations:

  • Passwords should never be shared with anyone
  • Passwords should not be written down and left in an unsecure location (see Password Tips)
  • You should ALWAYS use a different password for each system (including personal non-work accounts)

Accounts will:

  • Lock out after 5 bad login attempts
  • Lock out for a duration of 30 minutes

At Home

Ensure that passwords and challenge responses are properly protected since they provide access to personal information.

  • Passwords should be strong, unique for each account, and difficult to guess. Consider using a passphrase that you can easily remember, but which is long enough to make password cracking more difficult.
  • Disable the feature that allows Web sites or programs to remember passwords.
  • Many online sites make use of password recovery or challenge questions. Your answers to these questions should be something that no one else would know or find from Internet searches, public records or social media. To prevent an attacker from leveraging personal information about yourself to answer challenge questions, consider providing a false answer to a fact-based question, assuming the response is unique and memorable.
  • Use two-factor authentication when available for accessing webmail, social networking, and other accounts. Examples of two-factor authentication include a one-time password verification code sent to your phone, or a login based on both a password and identification of a trusted device.