PASSWORDS POLICY

The use of most of the electronic services and resources available at IPB requires the User to be assigned a username and password for authentication and access authorisation, hereinafter referred to as ‘account’.

The User will be responsible for the security of the account and its use and should not allow its use by third parties or under any circumstances inform them of their password.

The passwords policy applies to all IPB’s Users and is governed by the following general rules:

1. All accounts assigned by IPB are personal and non-transferable, with the guarantee of identity ensured by the possession of a secret key (password, keyword, or access code) held by each User.
2. The User cannot disclose his password to third parties.
3. The User must not use the password associated with the IPB account to register with other systems (e.g. homebanking, FCT, Skype, Gmail, etc.).
4. Whenever authentication and access authorisation are required, a username and password must be used that comply with the requirements described below, defined according to the institutional link and profile of use that the User maintains with the institution.
5. The User should always avoid setting simple or obvious passwords (e.g. the same as the username, student number or identification documents, name initials...).
6. The password must be complex and have at least the following requirements:
   • For most Users: 9 characters;
   • For Users with administration responsibilities: 13 characters.
   • Its composition requires the inclusion of at least 3 of the 4 following character sets:
     • lowercase (a...z)
     • uppercase (A...Z)
     • numbers (1...9)
     • special characters: |!#$%&()=.:,;*<>@
     • It cannot contain the following characters (which are considered invalid by some applications): áàãâÁÀÃÂéèêÉÈÊíìîÍÌÎóòõôÓÒÕÔúùûÚÙÛçÇ+-ao"'
7. Passwords are stored using non-reversible encryption.
8. Passwords are recorded centrally in encrypted form and are the exclusive knowledge of each User.
9. Passwords are always encrypted or protected by secure protocols in the transition between the central authentication system and applications.
10. If there are systems that, exceptionally, cannot implement the defined password policies, Users should be informed about the local policies implemented.
11. The technical team of the IPB's Computer Services never asks the User to indicate the password.
12. A self-service mechanism will be made available for the definition of new passwords, which requires unequivocal proof of the User's identity.
13. The User can only set/change the password at https://myconfig.ccom.ipb.pt.
14. The indication of any means other than that defined in the previous point for changing the password must be considered fraudulent and ignored immediately by the User.