Policy Name: Password Policy
Policy Purpose: The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password changes.
Scope: The scope of this policy includes:
1) All personnel who are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Pittsburg State University facility
2) All individuals who have access to the PSU network, and
3) All systems (where enforcement is possible) that store any non-public PSU information.
General Policy Provisions
Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access. Passwords help the University limit unauthorized or inappropriate access to various resources at PSU, including user-level accounts, web accounts, email accounts, screen saver protection, and local switch logins.
A poorly chosen password may result in the compromise of University systems, data, or the network. Therefore, ALL PSU students, faculty, and staff are responsible for taking the appropriate steps, as outlined below, to select appropriate passwords and protect them. Contractors, vendors, and affiliated organizations with access to University systems are also expected to observe these requirements.
A department and/or system administrator may implement a more restrictive policy on local systems where deemed appropriate or necessary for the security of electronic information resources. The Office of Information Services (OIS) can require a more restrictive policy in protection of confidential data.
Passwords created by users of University systems, and on systems where technology makes enforcement possible, must conform to the following guidelines:
- Must be different from the user’s login name or the reverse of that name, and must avoid identifiable personal information (names of family members or pets, birthdates, etc.)
- Must be at least seven (7) characters
- Must include digits (0-9)
- Must include both upper and lower case characters (a-z, A-Z)
- Must use a special character (for example, * & % $)
These provisions will be enforced electronically whenever possible.
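As an added illustration of what "enforced electronically" can look like, the checker below tests a candidate password against the composition rules listed above and against the change rule stated further on (a new password must differ from the old one by at least three characters). This is example code written for this page, not PSU or OIS software. It assumes that any non-alphanumeric character counts as a special character and that "differs by at least three characters" is measured as Levenshtein edit distance; the login name, personal-information strings and sample passwords are constructed for the demonstration.

```python
"""Password-policy checker (illustrative; not PSU/OIS code).

Rules implemented, in the order the policy lists them:
  1. not equal to the login name or its reverse (case-insensitive)
  2. no identifiable personal information (substring match, case-insensitive)
  3. at least 7 characters
  4. at least one digit 0-9
  5. at least one lower-case and one upper-case letter a-z / A-Z
  6. at least one special character (assumed: any non-alphanumeric character)
  7. differs from the previous password by at least 3 characters
     (assumed: measured as Levenshtein edit distance)
"""
import string
from typing import Iterable, List, Optional

MIN_LENGTH = 7            # "at least seven (7) characters"
MIN_CHANGE_DISTANCE = 3   # "differ from the old password by at least three characters"


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn a into b (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def check_password(candidate: str,
                   login_name: str,
                   old_password: Optional[str] = None,
                   personal_info: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations for `candidate`; an empty list
    means the password is compliant with every rule that could be checked."""
    violations: List[str] = []
    low = candidate.lower()
    login = login_name.lower()

    if low in (login, login[::-1]):
        violations.append("equals login name or its reverse")
    for item in personal_info:
        if item and item.lower() in low:
            violations.append(f"contains personal information: {item}")
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.digits for c in candidate):
        violations.append("no digit (0-9)")
    if not any(c in string.ascii_lowercase for c in candidate):
        violations.append("no lower-case letter (a-z)")
    if not any(c in string.ascii_uppercase for c in candidate):
        violations.append("no upper-case letter (A-Z)")
    if not any(not c.isalnum() for c in candidate):
        violations.append("no special character")
    if old_password is not None and \
            levenshtein(candidate, old_password) < MIN_CHANGE_DISTANCE:
        violations.append(
            f"differs from previous password by fewer than {MIN_CHANGE_DISTANCE} characters")
    return violations


if __name__ == "__main__":
    # Constructed sample values; "jdoe", "Gus" and the passwords are hypothetical.
    samples = [
        ("eodj", "jdoe", None, ()),                         # reverse of login, weak
        ("Tr0ub4d0r&3", "jdoe", "Tr0ub4d0r&2", ()),         # only the last character changed
        ("Gus-2024-x", "jdoe", None, ("Gus", "1990-05-04")),  # pet name embedded
        ("Wr3n!dale-7", "jdoe", "Tr0ub4d0r&3", ("Gus",)),   # compliant
    ]
    for pw, user, old, info in samples:
        result = check_password(pw, user, old, info)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The checker reports every violated rule rather than stopping at the first one, which is what a self-service password-change page needs in order to tell the user exactly what to fix. The edit-distance measure for rule 7 deliberately catches the common "increment the last digit" habit, which a plain character-by-character comparison would also catch but an "is the password identical" check would not.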
- Passwords must be changed twice a year. This requirement is in line with industry standards and with the practice of the other Regents universities.
- The new password must differ from the old password by at least three characters.
- All default passwords shall be changed to meet the current password requirements. No default passwords shall remain in effect after the required initial usage. Default passwords include passwords that are supplied with vendor hardware or software or passwords that are system generated.
- Passwords should be treated as confidential University information.
- Passwords should never be written down or posted for reference.
- Passwords should not be included in email messages or other forms of electronic communication.
- Sharing or allowing another person to use an individual account password is a violation of this policy, unless the other person is an information technology (IT) professional assisting the user with a technical problem.
- OIS approval is required prior to sharing a password with a vendor (approval may be granted on a one-time or continuing basis), and this vendor access may require implementing the appropriate technology infrastructure to accommodate the access (depending on the circumstance, and as determined by OIS). Phone communications may be necessary with external information technology vendors.
- It is recommended that a password be changed after any use by another person that is permitted under this section.
Group accounts are IDs and passwords that are shared among a specific group of people. Group accounts are strongly discouraged and are allowed only when other alternatives are not feasible. When group accounts are necessary, strong account protection is required. The following OIS-mandated protections apply:
- Group accounts must be pre-approved by OIS. Please email ITSecurity@pittstate.edu to make your group account request.
- Group accounts will be audited regularly to ensure ownership is current, the account is still necessary, and account agreements are renewed.
- To prevent unauthorized access to a group account, the password must be changed every time there is a change in personnel.
Reporting Password Compromises
A password that is known or suspected to have been compromised should be changed immediately.
- OIS may require a more restrictive policy, such as stronger passwords, in some circumstances.
- OIS may perform password assessments on a periodic or random basis. If a password is guessed or cracked during one of these assessments, OIS will promptly notify the listed contact and require that the password be changed.
Any individual who violates this policy may lose computer and/or network access privileges and may be subject to remediation and/or disciplinary action in accordance with and subject to appropriate University policy and procedures.
Responsible Office: Office of Information Services
Approved by Information Technology Council: March 14, 2013
Signed by President Steve Scott:
Effective: January 1, 2006
Review Cycle: Annual