Another tip in a series provided by the Offices of Information Security, Information Systems & Computing and Audit, Compliance & Privacy

On November 19, 2025, the minimum required length for new or changed PennKey passwords will increase from 8 characters to 16 characters. See below for details. 

Who Is Affected?

• New PennKey users who set up their passwords starting November 19, 2025
• Existing PennKey users who choose to update their passwords from November 19, 2025 onward

What Will Change?

• Minimum required length for new or voluntarily changed PennKey passwords will increase from 8 to 16 characters as of November 19, 2025
• No forced updates for existing passwords–existing passwords that do not meet the new requirement will still be valid
• No change to complexity–passwords will follow the same complexity requirements in place today (16-19 characters require upper- and lower-case letters, 20+ character passwords have no special requirements)
• New standard applies to all passwords, not just PennKey, e.g., privileged accounts, local accounts, database

Benefits

• Improves security by protecting against modern password attacks
• Helps us meet funding agencies’ data use agreements
• Aligns with current industry standards
• Simplifies PennKey complexity requirements, enhancing usability
• No anticipated need for a length increase soon

Help & Resources

• PennKey Password Length Change project details
• IT Security Standards page
• Current password guidelines on the PennKey website
• Users should contact their Support Providers for help
• Support providers may contact ISC Client Care for issues

For additional tips, see the One Step Ahead link on the Information Security website: https://isc.upenn.edu/security/news-alerts%23One-Step-Ahead.