Print This Issue

PennKey Changes: New Minimum Length for Passwords

April 5, 2011, Volume 57, No. 28

Strengthening and protecting PennKey authentication is an important component of Penn’s information security strategy. Most recently, the minimum length for new PennKey passwords was increased from six characters to the industry-standard eight characters, to make it more difficult for hackers using sophisticated password-cracking tools to guess passwords. All PennKey passwords created on or after March 29 are required to conform to the eight-character minimum. See the link for changing a known PennKey password, below.

Since longer passwords tend to be easier to forget, ISC is also encouraging use of the Challenge-Response option for resetting forgotten passwords. Challenge-Response offers convenience for many user populations, particularly those who use their PennKey infrequently, are rarely on campus, or travel frequently (e.g., alumni and students). However, anyone who accesses sensitive University data on a regular basis (e.g., as part of their job) should opt for the stronger security of the Setup Code process and not use Challenge-Response.

Challenge-Response allows users who forget their PennKey password to reset it online anywhere, anytime, without first obtaining a PennKey Setup Code. They simply need to register their answers to a number of security questions in advance, and then provide those answers online in lieu of a Setup Code when they need to reset their password. Because a Setup Code can only be obtained in person or via postal mail sent to an “address of record” in University systems, Challenge-Response can be a critical timesaver. For convenience, the Challenge-Response registration option now appears at the beginning of the PennKey registration process rather than at the end, where it was easily overlooked.

For more information about Challenge-Response and passwords, please visit the PennKey web site at www.upenn.edu/computing/pennkey

For instructions on changing a known PennKey password or resetting a forgotten password, select “Set/Reset Your Password” in the left-hand navigation bar. The direct link for changing a known PennKey password is

 For a complete description of password rules and tips for setting a strong password, see www.upenn.edu/computing/security/passrules.php

 Your Local Support Provider (LSP) will be happy to answer any questions you have about PennKeys and passwords.

—Robin Beck, Vice President, Information Systems & Computing


Almanac - April 5, 2011, Volume 57, No. 28