Minnesota Supercomputer Institute

MSI Password Policy

Central Authentication

Users will have an MSI account and an associated password that will grant them access to various systems, labs, and some software that MSI provides. This single ID and password, which is stored in a central LDAP, can then be used on all systems that the user has been granted access to. The user's password will expire six months (180 days) after the last password change or from initially setting the password for new accounts. This six months is tracked individually for each user.

Password Expiration

Two weeks prior to their password expiring, the user will be notified by email using their preferred email address, which we store in our LDAP. This email will: state that their password will expire, but has not yet done so; state that they have two weeks (14 days) in which to change their password; provide a command-line (and in the near future, a Web-based) way to change their password. Users will receive this email again one week later and then a final message will be sent one day before their password expires. If the user changes their password they, of course, will not receive the subsequent emails.

Once a password has actually expired, certain systems will not allow them to connect. These include: IMAP/POP connections for email, the NetFinity and Regatta, as well as any IRIX, Solaris, and RHEL systems. If users have an account on or connect to any SLES or CentOS systems, such as calhoun, Blade, Altix, or lab systems, after their password has expired, they will see a notice every time they log in notifying them that their password has expired and that they have two weeks to change it.

After two weeks (14 days) of not changing a password, a full month after users received the initial email, their password will be locked and the user will be required to come to MSI and request to have a new password issued to them. The only exception to this will be users who log in to our systems interactively and use Secure Shell encryption keys (ssh keys). These users will continue to be able to log in with their ssh keys but will not be able to log in by providing a password.

Acceptable Passwords

Passwords must meet these requirements:

  1. At least eight (8) characters
  2. Not based on your username or full name
  3. Not based on a dictionary word
  4. Contain at least one letter and one non-letter
  5. Not based on a trivial string such as aaaaa or qwerty
  6. Not the same as any of your last 3 passwords

Ways To Get A New Password

  1. Change the password oneself at a UNIX prompt: 
    % passwd
Old Password:
New Password:
Confirm New Password:
%
  2. Follow the prompts upon log in with an expired passwd: 
    Your password has expired. Please choose a new one.
Old Password:
New Password:
Confirm New Password:
  3. Call MSI from an authorized phone number, either:
    • The phone number used to distribute your password upon account creation
    • A phone number in your central umn.edu OneStop entry
  4. Email MSI from your central <username@umn.edu> email address and provide a phone number we can use to reach you
  5. Have your PI email MSI from their MSI email or their central <username@umn.edu> email address and give us your name and phone number
  6. Come to 599 Walter with your U Card or other picture ID

Ways You Cannot Get A New Password

  1. Via email (no matter what address you're using)
  2. Emailing us a phone number from an email address that's not your central <username@umn.edu> email
  3. Calling from a phone number we cannot verify is yours