The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password change.
The scope of this policy includes:
1) all personnel who are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Pittsburg State University facility;
2) all individuals who have access to the PSU network; and
3) all systems that store any non-public PSU information.
General Policy Provisions
Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access. Passwords help the University limit unauthorized or inappropriate access to various resources at PSU, including user-level accounts, web accounts, email accounts, screen saver protection, and local switch logins.
A poorly chosen password may result in the compromise of University systems, data, or network. Therefore, all PSU students, faculty, and staff are responsible for taking the appropriate steps, as outlined below, to select appropriate passwords and protect them. Contractors, vendors, and affiliated organizations with access to University systems also are expected to observe these requirements.
A department and/or system administrator may implement a more restrictive policy on local systems where deemed appropriate or necessary for the security of electronic information resources. The Office of Information Services (OIS) can require a more restrictive policy in protection of confidential data.
Passwords created by users of University systems, and on systems where technology makes it possible, must conform to the following guidelines:
- Must be different from the user's login name and from that name reversed, and must avoid knowable personal information (names of family members, etc.).
- Must be at least seven (7) characters.
- Must include digits (0-9).
- Must include both upper and lower case characters (a-z, A-Z).
- Must include a special character (for example, * & % $).
These provisions will be enforced electronically whenever possible.
Passwords must be changed every six (6) months. The new password must differ from the old password by at least three characters.
- Passwords should be treated as confidential university information.
- Passwords should never be written down or posted for reference.
- Passwords should not be included in email messages or other forms of electronic communication.
- Sharing or allowing another person to use an individual account password is a violation of this policy, unless the person is an information technology (IT) professional assisting you with a technical problem.
- Passwords should be shared by phone only when necessary for troubleshooting or technical assistance. Users must also beware of "phishing" and other social engineering scams in which a caller asks for a password. As a best practice, University IT personnel do not request a user's password over the phone; IT personnel will not ask for your password unless you initiated a request for assistance with your account.
- OIS approval is required prior to sharing a password with a vendor (approval may be granted on a one-time or continuing basis), and this vendor access may require implementing the appropriate technology infrastructure to accommodate the access (depending on the circumstance, and as determined by OIS). Phone communications may be necessary with external information technology vendors.
- It is recommended that a password be changed after it has been shared as permitted in this section.
Group accounts are strongly discouraged and only allowed when other alternatives are not feasible. When group accounts are necessary, then strong account protection is required. The following OIS mandated protections apply.
- Group accounts must be pre-approved by OIS.
- Group accounts will be audited regularly to ensure ownership is current, the account is still necessary, and account agreements are renewed.
- To prevent unauthorized access to a group account, the password must be changed every time there is a change in personnel.
Reporting Password Compromises
- Suspected compromises of passwords must be reported immediately to OIS at 4603.
- The password in question should be changed immediately.
- OIS may require a more restrictive policy, such as stronger passwords, in some circumstances.
- OIS may perform password assessments on a periodic or random basis. If a password is guessed or cracked during one of these assessments, OIS will promptly notify the listed contact and require that the password be changed.
Any individual who violates this policy may lose computer or network access privileges and may be subject to disciplinary action in accordance with and subject to appropriate University policy and procedures.
Responsible Office: Office of Information Services
Approved by Information Technology Council: October 26, 2005
Signed by President Tom Bryant: October 28, 2005
Effective: January 1, 2006
Review Cycle: Annual