Email Services - Frequently Asked Questions:
Search the FAQ:
How secure is my account and password?
Your account on ISC Networking and Telecommunications email servers is for your use only. You are solely responsible for what is done with it. If there is evidence of unauthorized or improper use of your account, it will be temporarily disabled. This protects your files and other users of the system. You will be asked to contact the postmaster, show your Penn ID, change your password, and/or take other appropriate action. If you suspect that someone else may be using your account, report it by mailing Email Help.
Our most important line of defense against unauthorized users is the security of each individual account on the system. Use of our email servers is a group responsibility. Keeping your account secure is necessary not only to protect your own files and resources, but to protect the entire system. That is why we insist upon strong passwords.
Sharing of passwords is prohibited! It is a violation of University policy to share your password with anyone else. Do not give your password to anyone. If we suspect that an account's password has been shared, the account may be locked.
Choosing secure passwords
Your password is a critical element of the overall security of ISC Networking and Telecommunications email servers as well as of other systems around campus and indeed around the Internet. Avoid using obvious passwords. "Good" passwords are at least seven characters long, aren't based on personal information or words of any language in any way, and have some nonalphabetic characters in them.
Basic password selection rules
Passwords must be at least 7, and no longer than 16, characters.
Passwords may not be all uppercase or all lowercase. (Examples: ivyleague, IVYLEAGUE, and jklasdf are not valid passwords.)
Passwords may not contain your PennNet ID; username; your first, middle, or last name; or any variation thereof.
Passwords may not be derived directly from words or phrases of any language. Embedding a number or case-shift within a word does not make a valid password. Systematic password guessing attacks are sophisticated and will routinely 'crack' such passwords. (Examples: time2go, big$deal, ivyLeague, 2morrow, money$, and Ivyleague are not valid passwords.
Passwords may not be composed of all numbers. Embedding decimal points, minus signs, or plus signs within a number does not make a valid password. (Example: 1-609-555-1212 is not a valid password.)
Users should expect that the password selection rules will get still more strict over the course of time.
Some hints for creating strong passwords is available.