Pittsburg State University (PSU)

Information Technology Policy

Policy Name:  Password Policy

Policy Purpose:  The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password change.

Scope:  The scope of this policy includes:
1) all personnel who are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Pittsburg State University facility 2) all individuals who have access to the PSU network, and 3) all systems that store any non-public PSU information.

Related Policies: Security Policy

General Policy Provisions

Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access. Passwords help the University limit unauthorized or inappropriate access to various resources at PSU, including user-level accounts, web accounts, email accounts, screen saver protection, and local switch logins.

A poorly chosen password may result in the compromise of University systems, data, or network.  Therefore, all PSU students, faculty, and staff are responsible for taking the appropriate steps, as outlined below, to select appropriate passwords and protect them.  Contractors, vendors, and affiliated organizations with access to University systems also are expected to observe these requirements.

A department and/or system administrator may implement a more restrictive policy on local systems where deemed appropriate or necessary for the security of electronic information resources.  The Office of Information Services (OIS) can require a more restrictive policy in protection of confidential data.      

Password Creation

Passwords created by users of University systems, and on systems where technology makes it possible, must conform to the following guidelines:

• Must be different than the user’s login name or the reverse of the name and must avoid use of knowable personal information (names of family, etc.).
• Must be at least seven (7) characters.
• Must include digits (0-9).
• Must include both upper and lower case characters (a-z, A-Z).
• Must use a special character (for example,* & % $).

These provisions will be enforced electronically whenever possible.

Changing Passwords

Passwords must be changed every six (6) months. The new password must differ from the old password by at least three characters.

Protecting Passwords

• Passwords should be treated as confidential university information.
• Passwords should never be written down or posted for reference.
• Passwords should not be included in email messages or other forms of electronic communication. 

Sharing Passwords

• Sharing or allowing another person to use an individual account password is a violation of this policy, unless the person is an information technology  (IT) professional assisting you with a technical problem.
• Passwords should only be shared via phone, when necessary, for troubleshooting or technical assistance.   However, users need to beware of “Phishing” or other social engineering scams where a user may have their password requested over the phone.  University IT personnel, as a best practice, do not normally request a user’s password over the phone. IT personnel will not ask for your password, unless you initiate a request for assistance with your account.
• OIS approval is required prior to sharing a password with a vendor (approval may be granted on a one-time or continuing basis), and this vendor access may require implementing the appropriate technology infrastructure to accommodate the access (depending on the circumstance, and as determined by OIS).  Phone communications may be necessary with external information technology vendors.
• It is recommended that passwords be changed after allowing use as permitted in this section.

Group Accounts

Group accounts are strongly discouraged and only allowed when other alternatives are not feasible.  When group accounts are necessary, then strong account protection is required.  The following OIS mandated protections apply.

• Group accounts must be pre-approved by OIS.
• Group accounts will be audited regularly to ensure ownership is current, the account is still necessary, and account agreements are renewed.
• To prevent unauthorized access to a group account, the password must be changed ever time there is a change in personnel.
  

Reporting Password Compromises

• Suspected compromises of passwords must be reported immediately to OIS at 4603.
• The password in question should be changed immediately.

OIS Responsibilities

• OIS may require a more restrictive policy, such as stronger passwords, in some circumstances.
• OIS may perform password assessments on a periodic or random basis. If a password is guessed or cracked during one of these assessments, OIS will promptly notify the listed contact and require that the password be changed.

Consequences

Any individual who violates this policy may lose computer or network access privileges and may be subject to disciplinary action in accordance with and subject to appropriate University policy and procedures, which may result in a range of sanctions up to and including suspension or dismissal for repeated or serious infractions.   

Responsible Office:  Office of Information Services

Approved by Information Technology Council:  October 26, 2005

Signed by President Tom Bryant:  October 28, 2005

Effective:  January 1, 2006

Review Cycle:  Annual