Penn State Access Account Password Policy

Guidelines for creating and managing your Penn State Access Account password


This policy establishes conditions for use of, and requirements for appropriate security for, the Penn State Access Account. These requirements are necessary to help ensure personal security and protect business, research and academic interactions throughout the University.


The Penn State Access Account is a User ID and password combination that serves as the primary digital identity at Penn State. It works in tandem with the Penn State Online Directory, which uses Lightweight Directory Access Protocol (LDAP), a standardized method for providing directory information, to provide the foundation for digital identity authentication (proving who one is) and authorization (what one has access to once authentication occurs).

The Penn State Access Account provides access to a wide range of Penn State Internet services such as the Web, e-mail, eLion, library resources, eCommerce Web sites, employee records, research services, and student computing labs. Individuals may need additional University accounts for specialized services.

The Penn State Access Account is managed by the ITS Accounts Services Office, a division of Information Technology Services (ITS).


This policy applies to every person using a Penn State Access Account at any time or location. This includes all students, faculty, staff, alumni, retirees, continuing and distance education students and other University affiliates.

System Requirements:

  • ITS systems require passwords for newly activated Penn State Access Accounts to be changed at first use. This ensures that only the person who has been assigned the account knows the password.
  • ITS systems force expiration of Penn State Access Account passwords once a year. ITS recommends changing passwords more frequently for higher security. See Password Expiration below.
  • ITS systems retain a history of three passwords. This means that the last three passwords cannot be reused. When the password is changed, the account owner must create a password that is different from the last three passwords. ITS strongly encourages account owners to avoid reusing old passwords. See password best practices for tips on how to create a strong password that is easy to remember but hard to crack.

Individual Responsibilities:

Penn State Access Account owners are expected to:

  • Comply with University Policy AD20: Computer and Network Security.
  • Create a strong password; see Password Creation Guidelines below.
  • Change the password at least once a year, or more frequently as needed to maintain password security. Individuals are responsible for changing their password before it expires, to avoid disruption of access to Penn State services. See Password Expiration below for additional details.
  • Safeguard the password. For example, individuals should not write down or store the password on paper or on a computer system where others might acquire it. See password best practices for additional guidelines.
  • Never share the password, even with a best friend, roommate, or relative.
  • Reserve the Penn State Access Account User ID and password for Penn State systems and services only. Individuals should create a different username and password for external services such as stores, banks, music services, Web sites, personally owned computers, or other systems.
  • Set security questions for their Penn State Access Account in order to reset an expired or forgotten password on their own terms. Users without security questions enabled will need to visit a signature station or visit the ITS Accounts Office at the University Park campus to re-establish an expired or forgotten password.

All use of the Penn State Access Account is assumed to be performed by the person assigned to that account. Account owners are held responsible for all activities associated with their accounts.

Failure to conform to these requirements may lead to suspension of account privileges or other action as provided by University Policy or law.

Password Creation Guidelines:

The following password creation guidelines are based upon experience and common sense. The software used to change passwords will screen for most of these guidelines as an aid in creating secure passwords. This does not relieve a person of responsibility for creating and securing a good password.

  1. It must be at least eight characters in length. (Longer is generally better.)
  2. It must contain at least one alphabetic and one numeric character.
  3. It must be significantly different from previous passwords.
  4. It cannot be the same as the user ID.
  5. It cannot start or end with the initials of the person issued the user ID.
  6. It cannot include the first, middle, or last name of the person issued the user ID.
  7. Certain special characters may be used as indicated at password best practices. However, note that some applications might not accept special characters; see password best practices for additional information.
  8. It should not be information about you that is easily obtainable. This includes license plate, social security, and telephone numbers, or street address.

See password best practices for tips on how to create a strong password and avoid a weak password.
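
The screening described above can be sketched as follows. This is an added example, not the software ITS uses: the function names, the sample user and the PBKDF2-hashed history format are assumptions, guideline 3 is approximated as exact reuse of one of the last three passwords (the history rule under System Requirements), and guideline 5 is checked for both the full initials and the first and last initials.

```python
import hashlib, hmac, os

def hash_pw(password, salt=None):
    # Assumption of this example: history is kept as salted PBKDF2 hashes, never plaintext.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def screen_password(password, user_id, first, middle, last, history=()):
    """Return the numbers of the guidelines (1-6) that `password` violates."""
    failed = []
    pw = password.lower()
    names = [n.lower() for n in (first, middle, last) if n]
    if len(password) < 8:                                   # guideline 1
        failed.append(1)
    if not (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)):        # guideline 2
        failed.append(2)
    # Guideline 3, approximated: reject exact reuse of the last three passwords.
    if any(hmac.compare_digest(hash_pw(password, salt)[1], digest)
           for salt, digest in list(history)[-3:]):
        failed.append(3)
    if pw == user_id.lower():                               # guideline 4
        failed.append(4)
    # Guideline 5: full initials, plus first+last initials when a middle name exists.
    initials = {"".join(n[0] for n in names), (names[0][0] + names[-1][0]) if names else ""}
    if any(len(i) >= 2 and (pw.startswith(i) or pw.endswith(i)) for i in initials):
        failed.append(5)
    if any(n in pw for n in names):                         # guideline 6
        failed.append(6)
    return failed

if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    user = ("jqd5001", "Jane", "Quinn", "Doe")
    old = [hash_pw("correct7horse9staple")]
    for candidate in ("short1", "JQD5001", "trailmix2doe", "correct7horse9staple"):
        print(candidate, screen_password(candidate, *user, history=old))
```

Guidelines 7 and 8 are left out because they depend on application behaviour and personal data that a screening function does not have.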

Password Expiration:

Penn State requires that all Penn State Access Account owners change their passwords on an annual cycle. ITS strongly encourages all individuals to change their password before it expires, in order to avoid disruption of access to University services. Passwords can be changed at any time at

Prior to expiration of the password, ITS prompts individuals to change their passwords through Penn State WebAccess and by e-mail reminders. Eight weeks before the password expires, ITS will send an e-mail notification of the expiration date. This e-mail notification will be sent weekly until the password is changed or expires. In addition, when an individual's password is within four weeks of its expiration date, the WebAccess screen will present a brief message stating that the password will expire, and authentication through WebAccess will be denied. A link will be provided to a Web form where the individual can change the password. After the password has been successfully changed, access to authentication through WebAccess will be restored. If the password has not been changed within four weeks of its expiration date, weekly e-mail reminders will continue to be sent to notify the account owner of his or her impending password expiration (with instructions on how to change the password). Individuals who do not respond to these warnings and allow their passwords to expire will need to go to a signature station to reinstate their Access Account passwords.

Security questions allow users to regain access to their account if the password has expired or been forgotten. Users who have set security questions can reestablish the most recent password for their account without the assistance of a signature station. Questions must be in place at least 28 days prior to a password expiring in order for a user to self-reset their password.

In addition to the University's annual password change requirement, ITS encourages individuals to change passwords more frequently throughout the year. The password should be changed immediately if an account owner believes that it has been compromised (for example, if there is a possibility that another person may have viewed or acquired the password). Passwords will expire exactly 365 days from the date and time of change.

Individuals who opt out of setting security questions and allow their Penn State Access Account password to expire must reinstate it by visiting an ITS Signature Station. Individuals who do not have access to a Signature Station must contact the ITS Accounts Services Office for assistance. Distance education students should contact the World Campus Help Desk for assistance.


Individuals who forget their password or need assistance should contact the ITS Help Desk, the ITS Lab Consultants, or the ITS Accounts Services Office. Distance education students should contact the World Campus Help Desk for assistance.


Exceptions to this policy must be applied for in writing and will be authorized only by the ITS Accounts Services Office.


This policy is available on the Web at Alternate versions, such as print or audio, are available on request to the ITS Accounts Services Office.


ITS may change this policy at any time subject to the review of the Vice Provost of Information Technology.

Related Information:

Original Policy Date: July 1, 1991
Revised: September 11, 2007 (annual expiration information)
Revised: February 19, 2008 (use of special characters)