߲ݴý Computer Account Management Account Password Policy

Policy title: ߲ݴý Computer Account Management Account Password Policy
Category: Administration; Human Resources; Information Technology
Owner: CS/IT
Approved by: Administrative Council

Purpose of this policy

Individual computer accounts are at the foundation of ߲ݴý University’s data security and data access control strategy. ߲ݴý provides all faculty, staff and students with individual computer accounts. These accounts allow access to a wide variety of computing resources and are used to provide granular control over the access granted to institutional services and data. Account credentials, i.e. username and password, secure user access to these accounts.

This policy provides guidance for assuring that ߲ݴý account passwords comply with appropriate security standards.

Application of this policy

This policy applies to all ߲ݴý accounts provided to faculty, staff, students, contractors and volunteers and impacts all systems and services requiring authentication via user ߲ݴý account credentials.

Exceptions to this policy may be authorized only by the Director of Information Services Infrastructure with the advice and recommendation of the ߲ݴý Unix Systems Administrator and the express approval of the Vice President for Finance and Administration.

Policy statement

߲ݴý Account Password Requirements

߲ݴý account passwords must comply with the following structural requirements:

  • Passwords are case sensitive.
  • Minimum password length is 12 characters.
  • Maximum password length is 28 characters.
  • Passwords must include at least one character from each of these character types:
    • Upper case letters
    • Lower case letters
    • Numerals
  • Passwords MAY contain symbols, but only the following six (6): ! . , / ~ =
  • Other symbols or spaces MAY NOT be included.

In addition, your ߲ݴý account password(s) should not contain your ߲ݴý username, common dictionary words, common phrases or references (for example, “PrairieWolf” or “GoBigRed”) or use the same character three or more times consecutively.
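The structural requirements and the additional guidance above can be checked mechanically, as in this added example, which is not part of the policy or of CSIT's own tooling. It assumes ASCII-only letters and numerals and case-insensitive matching for the username and phrase checks; `check_password` and `COMMON_PHRASES` are hypothetical names, and the dictionary-word check is represented only by the policy's two example phrases.

```python
import re

# Constants taken from the structural requirements listed in the policy.
MIN_LEN, MAX_LEN = 12, 28
ALLOWED_SYMBOLS = "!.,/~="
# Constructed stand-in for the "common phrases or references" check: these are
# the policy's two examples; a real audit would use a much larger word list.
COMMON_PHRASES = ("prairiewolf", "gobigred")
# Anything outside letters, numerals and the six permitted symbols (assumed ASCII).
DISALLOWED = re.compile(r"[^A-Za-z0-9" + re.escape(ALLOWED_SYMBOLS) + r"]")


def check_password(password, username):
    """Return (violations, warnings): 'must' rules vs. 'should not' guidance."""
    violations, warnings = [], []
    if len(password) < MIN_LEN:
        violations.append("shorter than 12 characters")
    if len(password) > MAX_LEN:
        violations.append("longer than 28 characters")
    # Explicit ASCII classes: str.isupper()/isdigit() would accept non-ASCII input.
    if not re.search(r"[A-Z]", password):
        violations.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        violations.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        violations.append("no numeral")
    bad = sorted(set(DISALLOWED.findall(password)))
    if bad:
        violations.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    # Assumption: username and phrase matching ignores case, so "JDoe" in a
    # password is flagged for user "jdoe" even though passwords are case sensitive.
    lowered = password.lower()
    if username and username.lower() in lowered:
        warnings.append("contains the username")
    for phrase in COMMON_PHRASES:
        if phrase in lowered:
            warnings.append("contains common phrase " + phrase)
    if re.search(r"(.)\1\1", password):
        warnings.append("same character three or more times in a row")
    return violations, warnings


if __name__ == "__main__":
    # Constructed sample inputs; "jdoe" is a made-up username.
    for candidate in ("Correct7Horse.Battery", "GoBigRed2024", "short 1A"):
        print(candidate, check_password(candidate, "jdoe"))
```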

CSIT will conduct periodic password security audits to test the strength of ߲ݴý account passwords and will notify account holders of any passwords determined to be too weak.

߲ݴý Account Password Aging

߲ݴý account passwords may remain in use no longer than 120 days. Seven days prior to the expiration of the 120-day limit, ߲ݴý account holders will receive email reminders that their account password must be changed. Reminders will continue until the account password has been changed.

If an account password has not been changed prior to the end of the 120-day period, the user account will be locked and login will be prohibited. The account holder will be required to reset the account password to regain access to the account.

߲ݴý account password resets and password changes should be performed through links on the CSIT web site at .

Review

This policy shall be reviewed at least annually or as required to assure consistent application to any new services or resources.