University of California, Riverside

C&C Password Management

Secure and Robust Passwords

A commitment to strong and robust passwords is an important aspect of UCR's overall effort to ensure campus systems, data, and electronic tools are secure and safe. In collaboration with various campus oversight groups and UCOP, C&C has been reviewing campus electronic password practices and procedures. As a result of these discussions, C&C is making available a suite of best practices relating to password creation and maintenance: the ultimate goal of this effort is to provide improved campus security, data integrity, and systems reliability.

Passwords: Background and Overview

Passwords are confidential and should not be shared with anyone, including supervisors, co-workers, family members, or friends. Moreover, campus electronic systems users should never disclose any passwords. If a password is stored it must be adequately locked or encrypted. 

A UCR systems user should never let another person sign-on under their user ID, and users should never sign on and leave the office without logging off or taking other comparable precautions (e.g. locking a computer).

If there is a reason to suspect that password confidentiality has been compromised, it's important that the password be changed immediately. UCR's Security Team may be contacted for input and guidance if a user suspects his or her password has been compromised.

Password security guidelines and responsibilities are contained in Campus Policy Number: 400-35.

Creating Good Passwords: Best Practices

  • All passwords should be at least eight characters long (NET ID password requires at least 8 characters). In general, longer passwords are more robust than shorter passwords (given other criteria noted below).
  • All passwords should contain a combination of letters, numbers, and (given other criteria noted below) special characters as well. NET ID passwords must have at least 2 alphabetic characters and 1 non-alphabetic character as stated at

    Current UCR Computing Environment Note Concerning Special Characters:

    R'Space (UCR NetID) and UCR's Central Authentication System (CAS) support the use of virtually any (keyboard visible) special character.

    The IBM environment (e.g. SIS, Web Storehouse) currently supports the use of the following special characters: #, $ and @.

  • All passwords should contain mixed-case letters.

    Current UCR Computing Environment Note Concerning Mixed-Case Passwords:

    • R'Space (UCR NetID) and UCR's Central Authentication System (CAS) support mixed-case passwords.
    • The IBM environment (e.g. SIS, Web Storehouse) currently does not support mixed-case passwords. Please note that IBM passwords must begin with an alpha character.
  • The first letter of a password should not be uppercase (rather, add uppercase letters within the password).
  • Create passwords that can be typed quickly, without having to look at the keyboard (to decrease the probability that someone might steal your password by observing your keyboard).

    Examples of good passwords (please do not use these examples as passwords):


Creating Good Passwords: What to Avoid

  • Do not create passwords that use a letter or number pattern (e.g. aaabbb, qwerty, zyxwvuts, 123321, etc.).
  • Do not create a password that is derived from a username (a reversed, capitalized, doubled, etc. username).
  • Do not create a password that has a commonly known first, middle or last name in any form.
  • Do not create a password that utilizes user initials or nickname(s).
  • Do not create a password using a word contained in English or foreign dictionaries, spelling lists, or other word lists.
  • Do not create a password that uses information easily obtained (e.g. pet names, license plate numbers, telephone numbers, identification numbers, the brand of an automobile, a current address, etc.)
  • Never write down (or type and record electronically) a password (e.g. on sticky notes, desk blotters, calendars, etc.).
  • Do not create a password that is so complicated it must be written down.
  • Never use a UCR password as a credential for non-UCR systems, especially systems you access via the Internet on a non-encrypted web site.
  • Never use a UCR password on a computer you do not trust (e.g. Internet cafe); make sure the device is well protected and free of spyware and viruses.
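
The composition rules and the first two avoid-list items above, written as a Python check. This is an added example, not UCR's own code: the function names, the four-character run length, the triple-repeat and palindrome tests are assumptions, and the dictionary, name and personal-information items are not covered.

```python
import re

# Alphabet, digit and keyboard-row sequences used to spot patterned passwords.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
IBM_SPECIALS = set("#$@")  # specials the page lists for the IBM environment


def has_pattern(pw, run=4):
    """True for tripled characters, sequence runs (either direction) or palindromes."""
    low = pw.lower()
    if re.search(r"(.)\1\1", low) or low == low[::-1]:
        return True
    return any(s[i:i + run] in low
               for seq in SEQUENCES for s in (seq, seq[::-1])
               for i in range(len(s) - run + 1))


def check_password(pw, username, ibm=False):
    """Return a list of rule violations; an empty list means the checks passed."""
    problems = []
    alpha = sum(c.isalpha() for c in pw)
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if alpha < 2 or alpha == len(pw):
        problems.append("needs 2 alphabetic and 1 non-alphabetic character")
    if pw[:1].isupper():
        problems.append("first letter is uppercase")
    if has_pattern(pw):
        problems.append("letter or number pattern")
    user = username.lower()
    if user and (user in pw.lower() or user[::-1] in pw.lower()):
        problems.append("derived from username")
    if ibm:  # case is not checked here: the page says IBM lacks mixed-case support
        if not pw[:1].isalpha():
            problems.append("IBM password must begin with a letter")
        if any(not c.isalnum() and c not in IBM_SPECIALS for c in pw):
            problems.append("special character not supported on IBM")
    elif pw.islower() or pw.isupper():
        problems.append("no mixed-case letters")
    return problems


if __name__ == "__main__":
    # Constructed samples for illustration; "jdoe" is a made-up username.
    for sample in ("aaabbb", "Jdoejdoe1", "t7#Rvm2Lq"):
        print(sample, check_password(sample, "jdoe"))
```
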

Keeping a Good Password Safe

  • ALWAYS keep personal computers free of viruses and spyware and update the operating system regularly. Passwords can be stolen remotely from computers containing malicious viruses or spyware (many of these malware products contain keystroke loggers). For more information, please visit C&C's security web site.
  • NEVER enter a UCR password on a non-encrypted web site (please look for "https" as opposed to "http" in the URL or a "lock symbol" in the browser to determine if a site is encrypted). Make sure to verify the site is an official UCR site. 
  • ALWAYS use UCR's VPN service (virtual private network) when connecting to campus systems from a non-UCR internet service provider (please visit to install UCR's VPN software).
