Policy for Securely Handling Passwords

Notes:
- You can find the current policy in the MUG at the following link: Policy for Securely Handling Passwords, dated February 24, 2026 (German only).
- To make it as easy as possible for you to understand and implement the new policy, we have clearly summarized the key points. The most important and practical aspects have been illustrated so that you can quickly and easily get an overview of the core requirements.
§1 Subject Matter and Scope
Passwords remain the dominant means of authentication in the digital realm. On the one hand, they are indispensable for accessing many IT devices and services as they are often the only protection against unauthorized access. On the other hand, this very fact makes passwords an attractive target for cybercriminals. It is therefore all the more important that all members, affiliates, and guests of Justus Liebig University (JLU) Giessen master how to use passwords securely in order to ensure the security of our systems and data. This policy establishes a framework for the secure use of passwords. It is intended for all members, affiliates, and guests of JLU Giessen and applies to passwords of all privilege levels (e.g., end users or administrators) on work-related devices, server systems, network components, and other IT systems of JLU Giessen, as well as applications and IT services provided by JLU Giessen. Since passwords are ubiquitous, this policy is also applicable and recommended for personal devices and external services.
§2 Password Strength
Passwords are considered secure (or ‘strong’) if they meet current scientific and technical standards. These standards ensure that strong passwords cannot be easily guessed—even with significant computational resources—and consequently cannot be misused. Passwords at JLU Giessen must meet the following requirements to be considered strong, and all members and affiliates of JLU Giessen are required to comply with these requirements:
- The password must be at least 12 characters long.
- The password must contain at least 4 different character types (uppercase letters, lowercase letters, numbers, and special characters).
- The password does not contain any easily guessable elements, such as:
  - Personal information (e.g., names, dates of birth) about yourself, family members, pets, etc.
  - Your email address
  - Your account name
  - A year (four digits in a row)
  - Single dictionary words (e.g., summer, autumn, ...)
- The password does not contain any umlauts or spaces to avoid compatibility issues.
These requirements are regularly reviewed against the current state of the art as set forth in relevant standards such as those of the German Federal Office for Information Security (BSI) and are updated as necessary.
§3 Handling Passwords
In addition to choosing strong passwords, the following guidelines for secure password management are essential and are therefore mandatory for all members and affiliates of JLU Giessen:
- Passwords must be kept secret and should not be shared.
- Passwords must be entered without being observed.
- Any passwords that have been compromised must be changed immediately.
- Default or initial passwords must be changed immediately after the first login.
- Passwords must be kept secure.
- Each service (e.g., email, SAP) and each device (e.g., PC, laptop) must have a unique password.
- If the membership of a functional account changes (e.g., a person leaves the group or the university), the password must be changed.
Since each account requires its own strong password, it becomes difficult to remember all of them as the number of passwords increases. Therefore, it is advisable to have one strong password that you can remember, while the other strong passwords are managed in a password manager. These are available as standalone applications or as online services. When selecting a password manager, be sure to follow the recommendations of reputable sources such as the HRZ or BSI.
§4 Operation of Authentication Services
Operators of IT services at JLU Giessen that use password-based authentication are required to technically verify that the passwords that users create comply with the complexity requirements for strong passwords specified in this policy and to block them if they do not comply.
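The following validator is an added example (not code from JLU Giessen or the HRZ) of the technical check §4 requires against the §2 rules. The account name, e-mail address, personal terms and the short word list are constructed placeholders; a real deployment would substitute a full dictionary and the user's actual account data.

```python
"""Added example: check a candidate password against the §2 strength rules."""
import re
import string

MIN_LENGTH = 12
FORBIDDEN_CHARS = set("äöüÄÖÜß") | set(string.whitespace)  # §2: no umlauts or spaces
# Constructed stand-in for a dictionary; a deployment would load a complete word list.
COMMON_WORDS = ("summer", "autumn", "winter", "spring", "password", "welcome", "secret")


def character_classes(pw: str) -> int:
    """Count how many of the four §2 character types (lower, upper, digit, special) appear."""
    return sum([
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(pw: str, account: str = "", email: str = "", personal=()) -> list:
    """Return the §2 rules the password violates, in a fixed order; [] means compliant."""
    violations = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        violations.append("length")
    if character_classes(pw) < 4:
        violations.append("character_types")
    # Account name, e-mail local part and known personal terms must not appear (case-insensitive).
    guessable = [account, email.split("@")[0], *personal]
    if any(term and term.lower() in lowered for term in guessable):
        violations.append("personal_information")
    if re.search(r"\d{4}", pw):  # a year, i.e. four digits in a row
        violations.append("year")
    if any(word in lowered for word in COMMON_WORDS):
        violations.append("dictionary_word")
    if any(c in FORBIDDEN_CHARS for c in pw):
        violations.append("umlaut_or_space")
    return violations


def is_strong(pw: str, **context) -> bool:
    """True if the password passes every §2 check for the given user context."""
    return not check_password(pw, **context)


if __name__ == "__main__":
    # Constructed user context; account name and address are placeholders.
    ctx = dict(account="mmueller", email="max.mueller@example.org", personal=("max", "mueller", "1990"))
    for candidate in ("Summer2024!", "Max.Mueller-Pw1!", "Gießen Sommer#2025", "Tr0ub4dor&3-Xy9!"):
        print(f"{candidate!r}: {check_password(candidate, **ctx) or 'OK'}")
```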
§5 Exceptions
If an exception to the aforementioned requirements is necessary—for example, because older IT systems are technically unable to meet these requirements—this must be coordinated with the information security officer (ISO).
§6 Future Authentication Methods
Even a strong password, when used securely, can pose a risk if it falls into the wrong hands due to data breaches or social engineering attacks such as phishing. To further enhance the security of authentication at JLU Giessen, the use of alternative authentication methods will be increasingly introduced in the future, in addition to the secure use of strong passwords. This includes, in particular, two-factor authentication (2FA), which combines a strong password with an additional authentication step based, for example, on biometric methods such as fingerprint and facial recognition or security keys and one-time codes. Key applications at JLU Giessen will support these login methods in the future to provide greater protection against unauthorized access to university resources.
§7 Entry into Force
This policy on secure passwords shall enter into force on the day following its publication, after the executive board of JLU Giessen adopts it. Maintaining information security is an ongoing responsibility and an explicit security objective. This policy must therefore be reviewed regularly—at least every two years—to ensure it remains up to date with current information security requirements.