On April 21, 2010, DoIT began implementing strong password requirements to protect the University's data and systems.
Information Systems Access Policy (DoIT 01 01)
- Must consist of a minimum of eight (8) characters
- Must contain at least one character from three (3) of the following four (4) categories:
- Uppercase letters (Examples: A, B, C, D, E)
- Lowercase letters (Examples: a, b, c, d, e)
- Digits (Examples: 1, 2, 3, 4, 5)
- Symbols (Examples: ~, !, @, #, $, %, ?)
- Shall not contain more than two (2) consecutive letters from the full name or username
- Shall not contain dictionary words or abbreviations
- Shall not contain dictionary words or abbreviations modified by substituting special characters or digits for letters
When to change passwords
- Whenever there is a change that the password or the system could be compromised.
- Whenever the password may have been revealed to an unauthorized party.
Click here to change your password
- Do not reuse the same passwords until a minimum of six additional distinct passwords has been used
- Minimum password age: five (5) days
- Do not use the passwords used on university systems on external, non-university systems
- Do not store passwords in Web browsers or other applications
- Do not write down or email passwords
Other requirements for specific accounts
Typical user accounts
- Expirations: Every ninety (90) days for ordinary accounts
- Account lockout: After five (5) failed authentication attempts for ordinary accounts
User accounts with system privileges
- Expirations: Every thirty (30) days for those with system privileges beyond a typical user account on the system
- Account lockout: After three (3) failed authentication attempts for those with system privileges
- Passwords shall be different from all other passwords for accounts used by the user.
Service accounts (an account created by system administrators or vendors for automated use by an application, operating system or network device)
- Change passwords 1) at least every 180 days; 2) promptly following the separation of any employee with access to the password.
- Passwords shall not be configured to automatically expire.
Accounts for visitors, contractors and other third parties
- Passwords shall not be disclosed to these parties until such time as they are needed.
- Passwords shall be immediately changed upon completion of access purpose.
Alumni accounts may be exempt for password-reset requirements if those accounts do not provide access to protected or sensitive data.
Monday, November 21, 2011