Password Rules

In accordance best practice, all passwords in use on any system at Jefferson Lab (JLab) must be in accordance with the following rules and guidelines.

Password Selection

  1. At least eight non-blank characters.  Your password can be longer than eight characters, but no shorter.
    • At JLab the only exception may be certain single-board computers.
  2. A combination of letters (upper and lower case), numbers, and at least one special character.  ALL of these conditions must be met within the first eight positions.
    • At JLAB the only exception may be certain single-board computers.
  3. A non-numeric in the first and last position.
  4. Must not contain any part of your username or common name.
  5. Does not include the user's own or, to the best of his/her knowledge, close friends - or relatives - names, employee serial number, Social Security number, birth date, phone number, or any information about him/her that the user believes could be readily learned or guessed.
  6. Does not, to the best of the user's knowledge, include common words that would be in an English dictionary, or from another language with which the user has familiarity.
  7. Does not, to the best of the user's knowledge, employ commonly used proper names, including the name of any fictional character or place.
  8. Does not contain any simple pattern of letters or numbers, such as "qwertyxx' or "xyz123xx".

These conditions listed above hold true provided such passwords are allowed by the operating system (OS) or application.

Password Protection

Individuals must not:

  1. Share passwords; the only exception is "in emergency circumstances or when there is an overriding operational necessity".
    • You must get prior agreement from the Computer Center Security officer before sharing passwords.
  2. Leave clear-text passwords in a location accessible to others or secured in a location whose protection is less than that required for protecting the information that can be accessed using the password;
  3. Enable applications to save passwords for subsequent re-use.
    • this includes e-mail - do not let it remember your password.

Password Changing

Passwords must be changed:

  1. At least every 6 months;
  2. Immediately after sharing;
  3. As soon as possible, but within 1 business day after a password has been compromised, or after one suspects that a password has been compromised;
  4. On direction from management.

If you have any questions or concerns regarding these rules, or problems changing your JLab CUE password, please contact our IT Division Help Desk.

Forgot Password

If you have forgotten your password, please contact our IT Division Help Desk at 757-269-7155.  You may also visit helpdesk in person with a photo ID in the CEBAF Center, 2nd Floor of the F-Wing (F201A).  A helpdesk staff member must verify you over the phone in order to issue you a temporary password.  If you cannot be verified, then you must contact your JLab Supervisor/Sponsor to contact helpdesk on your behalf.

Once you've been verified, helpdesk staff will issue you a temporary password.  You will then need to use the temporary password to reset your password using the Password Change Utility.

Two-Factor Authentication PIN Rules

Currently, there are several means for two-factor authentication on-site.  Below are a list of two-factor devices and the rules for PINs.

Device Name PIN Requirements Expiration Policy
MFA tokens (PIV-C) 6 to 8 numeric characters Upon certificate expiration
One-Time-Password (OTP, CyrptoCard, MobilePass, YubiKey) 6 to 8 numeric characters Must be changed every 180 days
PIV-I cards 6 to 8 numeric characters Upon certificate expiration