Password Rules

If passwords are used for authentication in an IT system, the security of the access control of the IT system depends on the strength of the used password. The rules listed here must be followed, to avoid the usage of weak passwords.

On this website you will find information how to change or reset your password .

Password requirements for user accounts

The following rules apply to the main user accounts (Windows, Linux, Weblogin) at GSI/FAIR:

  • Passwords must be changed at least every 24 months.
  • Passwords are checked against a list of known weak passwords when changed.
  • Previously used passwords must not be reused.
  • Passwords must not be reused at different IT-systems.
  • Passwords require a length of at least 10 characters.
  • Passwords must consist of at least three of the following four character classes:
    1. lower case letters
    2. upper case letters
    3. digits
    4. symbols

Additional rules for the Windows-Campus-Account

  • Maximum password length is 127 characters. Due to technical limitations in individual target systems, the use of passwords with more than 42 characters is not reasonable or not possible.
  • A password must be used at least 1 day, before it can be changed.
  • A user has a maximum of 50 failed logon attempts before the account will be locked out.
  • After a period of 180 minutes, the locked-out account automatically becomes unlocked. Alternatively, an administrator can reset the password.

Password management program

Given the large number of accounts and passwords to be used, it is advisable to use a password management program. We recommend KeePass (Windows, installed from the Software Center) or KeePassXC (Linux, installed by default).

Save all accounts with the respective passwords into the database of the program. The database itself is backed up by a master key. This master key should be sufficiently complex and is the only password you need to remember.

Please note:

  • The database is only encrypted if the program is not open (unlocked).

Other important rules for safe password use

The following text is taken from excerpts of information from the Federal Office for Security in Information Technology:

  • No "dictionary"-phrases, names, license plate number, date of birth etc.
  • The password must be kept secret and can only be used by the user personally.
  • The password should be put in writing for the deposit, and it is then safely stored in a sealed envelope. It has to be keep as save as a bank card at least.
  • A proven method of password creation is to use the first letter of a sentence.
    For example "A monkey was hiding in the pinata to steal sweets!" becomes "Amwh1tptss".
  • Passwords must not be stored on the programmable function keys.
  • A password should be changed, if the password has become known to unauthorized persons.
  • The entry of the password should take place unobserved.

Further information and videos

Please also note the Information on passwords of the department for IT security.