Information Technology, Documents, & Records

Password Policy

Carleton College is committed to protecting the information that is gathered as part of the work of the College, including digital information. An important component of our approach is requiring a sufficiently strong password. 

Carleton has two password policies and a set of password strength requirements that apply to both policies. The use of a “passphrase” containing a set of words is recommended. The use of a password manager is also recommended. 

For Email Account holders: 

  • Applies to faculty, staff, and students, and all users who have a Carleton email account
  • Requires compliance with the password strength requirements (see below)
  • Requires use of multi-factor authentication through the Duo application

For all other users: 

  • Applies to users such as alumni, emeriti, or affiliates who do not have a Carleton email account. These users log in to other (non-email) systems using their Carleton NetID.
  • Requires compliance with the password strength requirements (see below)
  • Users must have a non-Carleton email address on record 

Password strength requirements: 

  • Passwords must contain at least 15 characters (longer passwords are encouraged)
  • Passwords cannot contain easily-guessable words 
  • Passwords cannot contain easily-guessed personal or Carleton information
  • Passwords cannot be available on lists of previously compromised passwords
  • Passwords do not require special characters
  • Passwords do not expire, but are checked against known password lists to ensure that they continue to offer good protection 

This policy is managed by Information Technology Services (ITS). Changes are approved by the Technology Planning & Priorities Committee (TP&PC).

Last Revised: March 14, 2024

Change history: 

  • On March 14, 2024: two-factor authentication is now required for all users with a Carleton email account. Users are expected to have a non-Carleton email address on record to facilitate password resets. An external email address is required for alumni accounts. 
  • On December 6, 2021: following the recommendations of a security audit, password policies were updated to require a minimum length of 15 characters.
  • On December 4, 2017: the Technology Priorities and Planning Committee (TP&PC) endorsed a campus-wide (faculty, staff, and students) commitment to two-factor authentication.

For: Faculty, Staff, Students

Maintained by: Information Technology Services