SS-08-008 Strong Password Use

Issue Date: 3/21/2008

Effective Date: 3/21/2008

Review Date: 7/1/2018


To establish a standard for the creation and use of strong passwords or other strong authentication mechanisms to mitigate compromise of sensitive information.


Access to all state information systems and applications used to process, store, or transfer data with a security categorization of MODERATE or higher shall require the use of strong passwords or other strong authentication mechanisms. 

Strong passwords shall be constructed with the following characteristics:

  • Are at least eight characters in length
  • Must contain characters from at least three of the following four types of characters:
    • English upper case (A-Z)
    • English lower case (a-z)
    • Numbers (0-9)
    • Non-alpha special characters ($, !, %, ^, …)
  • Must not contain the user’s name or part of the user’s name
  • Must not contain easily accessible or guessable personal information about the user or user’s family. (such as birthdays, children’s names, addresses etc)



Strong authentication mechanisms use at least two of the three types of authentication mechanisms:

  • What a person knows (such as):
    • Passwords
    • PINS
  • What a person has(such as):
    • The private key associated with a public key certificate
    • An RSA token associated with an account
  • Who is a person (such as):
    • Retina scan
    • Finger or palm print

(Note that these are only examples of methods used for authentication and that many others exist. The emphasis is that two of the three different types of authentication mechanisms must be used for strong authentication of a user.)