Whenever you change your password, please make sure to communicate the new password to anyone else within your organization who needs access to the account. The AOC will not be able to look up the new password if someone else within your organization calls for support; their only option would be to reset it.

Passwords must meet minimum complexity standards. See "Requirements:" and "Recommendations:" below. When changing passwords, the previous 5 passwords may not be used again, and a password may only be changed once every 15 minutes. After 5 failed login attempts, an account will be locked for 15 minutes. See "Lockouts:" below.


Requirements:

1. Minimum length of 10 characters
2. Contains upper AND lower case letters
3. Contains one or more number characters
4. Optional: May contain (but not start or end with) other printable, non-whitespace, 7-bit characters
5. Disallowed:
       1. characters that require holding down control or alt while typing
       2. whitespace such as space-bar, tab, backspace, or carriage-return/line-feed [enter] keys
       3. quotes (single, double, or back), slashes (forward, back, or vertical), or colons (full or semi)
       4. grouping symbols (parentheses (), braces {}, brackets [], angles <>)
6. Does NOT match any of the 5 previously used passwords
7. Does NOT match a commonly used password list, or published security breach list
8. Password changes must result in a difference of at least six of the characters
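
The character rules above (requirements 1 to 5, plus the list check in 7) can be tested before a password is submitted. The following is an added example, not code from the AOC or its systems; the function name, the `banned` parameter and the sample passwords are constructed, and requirement 4 is read as "the first and last character must be a letter or a digit".

```python
import string

MIN_LENGTH = 10
ALNUM = set(string.ascii_letters + string.digits)
# Requirements 5.3 and 5.4: quotes, slashes, colons, grouping symbols.
NAMED_DISALLOWED = set("'\"`/\\|:;(){}[]<>")


def check_password(candidate, banned=frozenset()):
    """Return the requirements (1-5 and 7) that `candidate` fails, as strings."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("1: fewer than 10 characters")
    has_upper = any(c in string.ascii_uppercase for c in candidate)
    has_lower = any(c in string.ascii_lowercase for c in candidate)
    if not (has_upper and has_lower):
        problems.append("2: needs upper AND lower case letters")
    if not any(c in string.digits for c in candidate):
        problems.append("3: needs at least one number")
    # Requirement 4 (assumed reading): must start and end with a letter or digit.
    if candidate and (candidate[0] not in ALNUM or candidate[-1] not in ALNUM):
        problems.append("4: starts or ends with a non-alphanumeric character")
    for c in candidate:
        if not 0x21 <= ord(c) <= 0x7E:
            # 5.1 / 5.2: control, non-7-bit and whitespace characters.
            problems.append(f"5: whitespace, control or non-7-bit character {c!r}")
        elif c in NAMED_DISALLOWED:
            problems.append(f"5: disallowed symbol {c!r}")
    # Requirement 7: exact match against a caller-supplied list (hypothetical).
    if candidate in banned:
        problems.append("7: appears on the common/breached password list")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    sample_banned = {"Password1234"}
    for pw in ["Tr4ffic-Light-Blue9", "short1A", "Has Space In It 9x",
               "(Bracketed)Pass99", "!LeadingSymbol42x", "Password1234"]:
        print(repr(pw), check_password(pw, sample_banned) or "OK")
```

Requirements 6 and 8 compare against earlier passwords and are not covered here.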


Recommendations:

1. Length of 12 - 15 characters
2. Does NOT contain any 3 character sequence similarities to login/user/domain/company name, or email (for example, a TypeB address or airline/airport code)
3. Does NOT use the same password (or pattern) across multiple accounts
4. Do NOT use characters that could be [mis]interpreted by a browser to represent some other character (or set of characters)


Lockouts:

1. Failed login attempts are viewed as potential brute force hacking of an account.
2. After five failures, the account will be locked, to protect the user/account.
3. The lockout period will expire automatically in 15 minutes, and access will be restored.
4. To protect against DoS (Denial of Service), IP addresses/ranges may be used to restrict/authorize access.