1. Purpose
The purpose of this policy is to establish the requirements for the proper construction, usage, handling, and maintenance of all passwords at all Âé¶¹ÊÓÆµÏÂÔØ (Âé¶¹ÊÓÆµÏÂÔØ) institutions. Passwords must be of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value. These requirements ensure the consistent application of security controls necessary to safeguard the information and information technology resources of Âé¶¹ÊÓÆµÏÂÔØ and its component institutions. Âé¶¹ÊÓÆµÏÂÔØ aligns itself with cybersecurity best practices from organizations such as the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).
2. Scope
This policy applies to all passwords used to authenticate Âé¶¹ÊÓÆµÏÂÔØ information technology (IT) resources or any IT system that stores Âé¶¹ÊÓÆµÏÂÔØ data.
3. Audience
All Âé¶¹ÊÓÆµÏÂÔØ community members - including students, faculty, staff, vendors, and external organizations with access to Âé¶¹ÊÓÆµÏÂÔØ systems - are responsible for understanding and complying with this policy.
4. Policy Statement
4.1 Password Change Frequency
4.1.1 All passwords associated with Âé¶¹ÊÓÆµÏÂÔØ accounts shall be forced to change if there is sufficient evidence of compromise or non-conformity with the policy.
4.1.2 Âé¶¹ÊÓÆµÏÂÔØ community members shall be notified of the need to change their password.
4.1.3 Âé¶¹ÊÓÆµÏÂÔØ community members with expired passwords shall be restricted from accessing Âé¶¹ÊÓÆµÏÂÔØ information technology resources.
4.1.4 Administrator account passwords shall be changed every 365 days.
4.1.5 Accounts processing payment cards shall change passwords every 90 days.
4.2 Password Construction
4.2.1 Passwords shall:
- Be at least 15 characters long and may have a maximum length of 64 characters, unless the system supports longer passwords.
- Allow all printable ASCII characters, spaces, and Unicode characters.
- Be sufficiently different from previously used passwords and commonly known passwords.
- Be unique per account.
- Be unique for Âé¶¹ÊÓÆµÏÂÔØ use.
4.2.2 Passwords shall NOT:
- Contain a user’s first name, last name, preferred name, username, or Âé¶¹ÊÓÆµÏÂÔØ ID.
- Include common number or character sequences of four or more (e.g., "1234" or "abcd").
- Contain the same character repeated four or more times (e.g., "aaaa" or "1111").
- Be reused from previous passwords.
- Be on a known list of compromised or weak passwords.
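As an added illustration that is not part of the policy itself, the following checker applies the construction rules of 4.2.1 and 4.2.2 to a candidate password at set time. The compromised-password list, the identity fields and the password history are constructed stand-ins for the institution's real feeds; the 64-character ceiling is a parameter because 4.2.1 allows longer passwords where the system supports them.

```python
import unicodedata

MIN_LEN, MAX_LEN = 15, 64  # 4.2.1 length bounds (max is overridable per system)

# Constructed sample of a "known compromised or weak" list (4.2.2); a real
# deployment would query the institution's breach-password feed instead.
KNOWN_BAD = {"password123456789", "correcthorsebatterystaple"}


def has_run(pw, n=4):
    """True if any single character is repeated n or more times in a row (4.2.2, e.g. 'aaaa')."""
    count = 1
    for a, b in zip(pw, pw[1:]):
        count = count + 1 if a == b else 1
        if count >= n:
            return True
    return False


def has_sequence(pw, n=4):
    """True if n or more consecutive characters step by +1 or -1 in code point (4.2.2, e.g. '1234', 'abcd', 'dcba')."""
    for step in (1, -1):
        count = 1
        for a, b in zip(pw, pw[1:]):
            count = count + 1 if ord(b) - ord(a) == step else 1
            if count >= n:
                return True
    return False


def check_password(pw, identity, history=(), compromised=KNOWN_BAD, max_len=MAX_LEN):
    """Return the list of policy violations; an empty list means the password is acceptable.

    identity: mapping of label -> value for the user's first/last/preferred name,
    username and ID (4.2.2). No character class is rejected: printable ASCII,
    spaces and Unicode are all allowed (4.2.1), so the input is only NFC-normalised.
    """
    pw = unicodedata.normalize("NFC", pw)
    problems = []
    if not MIN_LEN <= len(pw) <= max_len:
        problems.append(f"length must be {MIN_LEN}-{max_len} characters")
    low = pw.casefold()
    for label, value in identity.items():
        if value and value.casefold() in low:
            problems.append(f"contains {label}")
    if has_sequence(pw):
        problems.append("contains a sequence of four or more characters")
    if has_run(pw):
        problems.append("repeats a character four or more times")
    if low in {h.casefold() for h in history}:
        problems.append("reuses a previous password")
    if low in compromised:
        problems.append("appears on a known list of compromised or weak passwords")
    return problems
```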
4.3 Password Handling
4.3.1 Passwords shall:
- Be treated as restricted information.
- Not be written down or stored in clear text.
- Not be shared with anyone, including administrative assistants or supervisors.
- Not be shared in email, chat, or other unencrypted electronic communication.
- Not be transmitted in clear text.
- Not be spoken aloud.
4.3.2 Administrators of information technology resources who need to provide passwords to other administrators shall use secure communication mechanisms.
4.3.3 Âé¶¹ÊÓÆµÏÂÔØ community members shall not use the "Remember Password" feature of web browsers to store Âé¶¹ÊÓÆµÏÂÔØ passwords.
4.3.4 Members of Âé¶¹ÊÓÆµÏÂÔØ Enterprise Technology & Services (ET&S) shall never ask users to provide their password for any Âé¶¹ÊÓÆµÏÂÔØ account.
4.3.5 Service, root, recovery system, or equivalent account passwords shall be stored in an enterprise password vault.
4.4 Forgotten and Reset Passwords
4.4.1 Forgotten passwords shall be reset using Âé¶¹ÊÓÆµÏÂÔØ-approved processes.
4.4.2 Security questions or knowledge-based authentication (e.g., "What was your first pet’s name?") shall NOT be used for password resets.
4.4.3 Users unable to reset their password automatically shall verify their identity through Âé¶¹ÊÓÆµÏÂÔØ-approved methods.
4.5 Compromised Passwords
4.5.1 Users shall report suspected password compromises to the Âé¶¹ÊÓÆµÏÂÔØ Help Desk immediately.
4.5.2 If Âé¶¹ÊÓÆµÏÂÔØ detects a potential password compromise, account access should be restricted, and steps shall be taken to secure the account until identity verification and password reset are completed.
4.5.3 Users with compromised passwords shall verify their identity before regaining access.
4.6 Rate Limiting
4.6.1 Âé¶¹ÊÓÆµÏÂÔØ shall implement controls to protect against online guessing attacks.
4.6.2 Consecutive failed authentication attempts on a single account shall be limited to a maximum of 100 before requiring additional verification or lockout.
4.6.3 Consecutive failed authentication attempts on accounts attributed to users and systems that process payment cards shall be limited to 10 before lockout.
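The following tracker is an added example, not part of the policy, of the consecutive-failure limits in 4.6.2 and 4.6.3: a per-account counter that resets on a successful login, with the 100-attempt default and the 10-attempt limit for accounts that process payment cards. The account names and the way an account is flagged as payment-card scoped are constructed assumptions.

```python
from collections import defaultdict

DEFAULT_LIMIT = 100  # 4.6.2: additional verification or lockout after 100 consecutive failures
PCI_LIMIT = 10       # 4.6.3: lockout after 10 for accounts that process payment cards


class FailedLoginTracker:
    """Counts consecutive failed authentication attempts per account and locks at the policy threshold."""

    def __init__(self, pci_accounts=()):
        # Constructed assumption: payment-card accounts are identified by an explicit set.
        self.pci_accounts = set(pci_accounts)
        self.failures = defaultdict(int)  # consecutive failures per account
        self.locked = set()

    def limit_for(self, account):
        return PCI_LIMIT if account in self.pci_accounts else DEFAULT_LIMIT

    def is_locked(self, account):
        return account in self.locked

    def record(self, account, success):
        """Record one authentication outcome; return True if the account is (now) locked."""
        if account in self.locked:
            return True
        if success:
            self.failures[account] = 0  # "consecutive" means a success resets the count
            return False
        self.failures[account] += 1
        if self.failures[account] >= self.limit_for(account):
            self.locked.add(account)
        return account in self.locked

    def unlock(self, account):
        """Clear a lockout once the additional verification required by 4.6.2 has been completed."""
        self.locked.discard(account)
        self.failures[account] = 0
```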
5. Enforcement
Failure to comply with this policy may result in disciplinary action in accordance with Âé¶¹ÊÓÆµÏÂÔØ student conduct policies, personnel policies, or vendor contracts. The Âé¶¹ÊÓÆµÏÂÔØ Chief Information Security Officer (CISO) or Chief Information Officer (CIO) may take necessary actions to mitigate security risks resulting from non-compliance.
6. Exceptions
Exceptions to this policy must be formally requested and approved according to the Âé¶¹ÊÓÆµÏÂÔØ Cybersecurity Exception Standard.
7. Roles and Responsibilities
- Application Administrators: Ensure all application accounts comply with this policy.
- Chief Information Officer (CIO) and Chief Information Security Officer (CISO): Enforce and review the policy annually.
- Enterprise Technology & Services (ET&S):
  - Send password expiration notifications.
  - Reset invalid or compromised passwords per the Âé¶¹ÊÓÆµÏÂÔØ Password Management Standard.
  - Monitor Âé¶¹ÊÓÆµÏÂÔØ systems for signs of compromise.
  - Provide support for Âé¶¹ÊÓÆµÏÂÔØ community members’ account and password-related questions.
- Âé¶¹ÊÓÆµÏÂÔØ Community Members:
  - Comply with all password security requirements.
  - Maintain the confidentiality of Âé¶¹ÊÓÆµÏÂÔØ passwords.
  - Use unique passwords for every account.
  - Report cybersecurity events or incidents, such as a Âé¶¹ÊÓÆµÏÂÔØ password suddenly not working without having been changed by its owner.
8. Definitions
Refer to the NIST Glossary at
For questions, additional training, or policy violation reports, contact Âé¶¹ÊÓÆµÏÂÔØ Cybersecurity Governance, Risk, & Compliance (GRC) via the Support Form.