Password Policy

Policy Owner: Information Technology Department
Policy Version: v1.1
Created By: Information Security Office
Date Created: 01/11/2016
Reviewed By: IT Security Governance Committee
Approved By: IT Security Governance Committee
Last Revision Date: 07/15/2024
Effective Date: 1/11/2016
Introduction
Passwords are in place to protect your user accounts. Weak passwords can give bad actors unauthorized access to critical University resources, because a weak password can be cracked or guessed. Therefore, the creation of strong passwords is necessary to better secure the University network and critical resources.
Purpose
The purpose of this policy is to establish a standard for the creation, management, and protection of passwords used to access University systems, networks, and data. Its goal is to ensure that every individual with an Â鶹´«Ã½ user account adheres to best practices in password security to protect against unauthorized access to critical University resources.
Scope
This policy applies to all employees, faculty, students, contractors, vendors, and any other individuals who have access to Â鶹´«Ã½ systems and information resources, including but not limited to network logins, email accounts, applications, databases, and cloud services.
Roles and Responsibilities

Â鶹´«Ã½ User Account Owner: Responsible for complying with password policy and protecting their passwords.

IT Security Team: Responsible for enforcing this policy, providing guidance, and conducting regular audits.

Policy

Password Creation

  1. All non-admin user passwords must be at least [8] characters in length. Longer passwords and passphrases are strongly encouraged.
  2. All admin and system-level (i.e. local system, DB password, etc.) passwords must be at least [12] characters in length and must contain at least three of the following four character types: upper case letters, lower case letters, numbers, and special characters.
  3. Passwords must not contain easily guessable information, such as "password," "123456," your name, organization’s name, relative’s names, birth date, etc.
  4. Passwords must not be dictionary words or acronyms.
  5. Passwords must be completely unique, and not used for any other system, application, or personal accounts.
  6. Default passwords for systems, network devices, and applications must be changed immediately after installation is complete, in accordance with this password policy.
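The creation rules above are concrete enough to check at the point where a password is set. The following Python checker is an added example, not part of the policy or of any University system; it encodes rules 1 to 5 as written (the [8] and [12] length values, three of four character classes for admin accounts, guessable terms, dictionary words, reuse across accounts). The guessable-term and dictionary lists are small constructed samples, the acronym test is a heuristic, and the `known_hashes` argument assumes the caller can supply SHA-256 fingerprints of passwords already used elsewhere; a real deployment would swap in a breached-password feed and a full dictionary.

```python
import hashlib
import re

# Constructed sample lists for this example; a production check would use a
# breached-password feed and a full dictionary instead (assumption).
GUESSABLE_TERMS = {"password", "123456", "qwerty", "letmein"}
DICTIONARY_WORDS = {"welcome", "summer", "dragon", "monkey"}

CHAR_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def fingerprint(password):
    """SHA-256 of a password, used only to compare against passwords already
    used on other accounts without keeping those in clear text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, *, admin=False, personal_terms=(), known_hashes=()):
    """Return the list of creation rules a candidate password violates.

    An empty list means the password satisfies the rules as encoded here.
    `personal_terms` holds the user's name, organisation name and similar
    strings (rule 3); `known_hashes` holds fingerprints of passwords already
    used on other systems or personal accounts (rule 5).
    """
    problems = []
    lowered = password.lower()

    # Rules 1 and 2: minimum length, 8 for users and 12 for admin/system accounts
    min_len = 12 if admin else 8
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    # Rule 2: admin/system passwords need three of the four character classes
    if admin:
        present = sum(1 for rx in CHAR_CLASSES.values() if rx.search(password))
        if present < 3:
            problems.append(f"only {present} of 4 character classes present")

    # Rule 3: no easily guessable fragments or personal information
    blocked = GUESSABLE_TERMS | {t.lower() for t in personal_terms if t}
    for term in sorted(blocked):
        if term in lowered:
            problems.append(f"contains guessable term '{term}'")

    # Rule 4: not a plain dictionary word or an acronym. The acronym test
    # (short, all letters, all upper case) is a heuristic chosen for this example.
    if lowered in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    elif password.isalpha() and password.isupper() and len(password) <= 6:
        problems.append("looks like an acronym")

    # Rule 5: not reused from another system, application or personal account
    if fingerprint(password) in set(known_hashes):
        problems.append("already used for another account")

    return problems


if __name__ == "__main__":
    samples = [
        ("correct-horse-battery-9", {}),
        ("password1", {}),
        ("Abcdefgh", {"admin": True}),
        ("welcome", {"personal_terms": ("Alice",)}),
    ]
    for pw, opts in samples:
        print(pw, "->", check_password(pw, **opts) or "compliant")
```

Returning the full list of violations, rather than stopping at the first, lets the enrolment screen tell the user everything that needs fixing in one pass; the check runs entirely on the client or the identity service and never needs the password in a log line.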

Password Management

  1. Passwords – including admin and system-level passwords – must be changed every [180] days. User account owners will be notified when their password is due for renewal.
  2. Passwords cannot be reused for a period of no less than [12] months.
  3. User accounts with non-expiring passwords must be documented listing the requirements for those accounts. These accounts need to adhere to the same standards as admin and system-level accounts.
  4. Admin account passwords must not be shared among multiple administrators. Each administrator must have their own unique account.
  5. After 5 unsuccessful login attempts, the account will be locked. To unlock the account, the account owner must contact the helpdesk or wait 30 minutes before trying again.
  6. Account owners must enable 2FA for an additional layer of security. This is mandatory for all user accounts.
  7. Exceptions for password policy non-compliance must not be granted for the purpose of ease of use.
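Rules 1, 2 and 5 of the management section fix specific numbers: a 180-day maximum age, a 12-month reuse block, and a lock after 5 failed attempts that clears after 30 minutes or by helpdesk action. The account state machine below is an added example, not the policy's or the University's own code, showing how an identity service would apply those numbers. It assumes passwords are handled as fingerprints rather than clear text, approximates the 12 months as 365 days, and measures the reuse window from when a password was set; all three are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Parameters taken from the policy text; the 12-month history window is
# approximated as 365 days (assumption).
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=30)
MAX_PASSWORD_AGE = timedelta(days=180)
REUSE_BLOCK_PERIOD = timedelta(days=365)


class AccountState:
    """Minimal per-account record: failure counter, lockout time, current
    password fingerprint and a history of (fingerprint, time set)."""

    def __init__(self, current_hash, set_at):
        self.failures = 0
        self.locked_at = None
        self.current_hash = current_hash
        self.set_at = set_at
        self.history = [(current_hash, set_at)]


def record_login(state, success, now):
    """Rule 5: lock after 5 failures, auto-unlock 30 minutes later.
    Returns 'ok', 'failed' or 'locked'."""
    if state.locked_at is not None:
        if now - state.locked_at < LOCKOUT_DURATION:
            return "locked"          # still inside the lockout window
        state.locked_at = None       # window elapsed: clear the lock
        state.failures = 0
    if success:
        state.failures = 0
        return "ok"
    state.failures += 1
    if state.failures >= LOCKOUT_THRESHOLD:
        state.locked_at = now
        return "locked"
    return "failed"


def helpdesk_unlock(state):
    """Rule 5, alternative path: the owner contacts the helpdesk."""
    state.locked_at = None
    state.failures = 0


def renewal_due(state, now):
    """Rule 1: a password that has been in use for 180 days must be changed."""
    return now - state.set_at >= MAX_PASSWORD_AGE


def change_password(state, new_hash, now):
    """Rule 2: reject a fingerprint used within the last 12 months.
    Returns True when the change is accepted."""
    for old_hash, old_time in state.history:
        if old_hash == new_hash and now - old_time < REUSE_BLOCK_PERIOD:
            return False
    state.current_hash = new_hash
    state.set_at = now
    state.history.append((new_hash, now))
    return True


if __name__ == "__main__":
    # Constructed walk-through: five bad attempts, a blocked retry, then recovery
    start = datetime(2024, 7, 15, 9, 0)
    acct = AccountState("fp-old", start)
    for minute in range(5):
        print(record_login(acct, False, start + timedelta(minutes=minute)))
    print(record_login(acct, True, start + timedelta(minutes=20)))   # locked
    print(record_login(acct, True, start + timedelta(minutes=35)))   # ok
    print(renewal_due(acct, start + timedelta(days=180)))            # True
    print(change_password(acct, "fp-old", start + timedelta(days=200)))  # False
```

Keeping the lockout in the service's own state, rather than relying on the client to count, is what makes the 5-attempt limit enforceable; the helpdesk path resets the same counter so that a legitimate owner is not left waiting out the window after a reported incident.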

Password Protection

  1. User account owners must not share their passwords with anyone, including colleagues, supervisors, IT personnel, etc. Each user is responsible for all activities conducted under their account.
  2. Passwords must not be written down or stored in plain text. Passwords must be stored using a password manager with encryption.
  3. Do not use a browser's or application's auto-save feature for passwords on any device.
  4. Passwords must not be inserted in e-mail messages or other forms of electronic communication, or revealed over the phone to anyone.
  5. Do not hint at your password format when applying password hints.
  6. Hard-coded passwords for service accounts running tasks must be encrypted – not stored in plain text – and must follow the same password change requirements as admin accounts.
  7. If a password is suspected to be compromised, users must change it immediately and report the suspicious event to the IT security team.
Exceptions
Any exceptions for non-compliance with the Password Policy must be requested and reviewed by executive management for approval.
Enforcement
Non-compliance with the Password Policy without proper approval for exceptions can result in disciplinary action up to and including termination of employment. Students' sanctions shall be commensurate with the severity and/or frequency of the offense and may include suspension or expulsion.