1.0 PURPOSE
This procedure defines standards for creation of strong passwords, their protection, and required frequency of change.
2.0 SCOPE
The procedure applies to all individuals who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that resides at any College facility, has access to the College network, or stores any non-public College information.
3.0 PROCEDURE
All College users such as students, faculty, and employees (including contractors and vendors with access to College systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the College's entire computer network.
Standards for Creating Strong Passwords
All user-level and system-level passwords must conform to the College's Guidelines for Construction of Strong Passwords, described below.
Guidelines for Construction of Strong Passwords
Passwords are used for various purposes at the College. Some of the more common uses include: user level accounts, web accounts, email accounts and Jenzabar logins. Since it is very easy to guess or crack certain types of passwords, everyone should be aware of how to select strong passwords.
Users must construct passwords with these strong characteristics:
- Contain at least one upper case letter, one lower case letter, and one numeric digit
- Be at least eight alphanumeric characters in length
- Use of a punctuation character is not required but is strongly encouraged to enhance the strength of the password's integrity.
Virtual Private Network (VPN) means connecting to the College’s network from off-site. VPN passwords must:
- Contain at least one upper case letter, one lower case letter, one numeric digit and one special character
- Be at least twenty-five alphanumeric characters in length
Users must avoid poor, weak passwords with any of these characteristics:
- A word found in a dictionary (English or foreign)
- A common usage word (Password, 123456789, Qwerty, etc.)
A suggested way to create a password is to devise a mnemonic on a song, book title, or other phrase.
Standards for Password Protection
All passwords are to be treated as sensitive, confidential College information. Certain passwords must be changed on a regular basis (see Standards for Frequency of Changing Passwords).
Passwords MUST remain confidential. Users must NEVER:
- reveal a password in an email message, instant message, or other forms of electronic communication
- share a password:
  - over the phone
  - on questionnaires or security forms
  - with other employees or students, supervisors, administrative assistants, student workers, friends, or family members
- or talk about a password in front of others including to hint at the format of a password (e.g., “my family name”)
- write down passwords and store them anywhere in your office or room
- store passwords in a file on any computer system without encryption
- use the same password for College accounts as for non-College access (e.g., personal e-mail account, electronic banking, social media accounts, benefits, etc.)
No College student or employee should ever make a request to another member of the community for their password. If someone demands a password for a college computer or account, please refer them to this procedure, or have them contact the College’s Support Center.
If an account or password is suspected to have been compromised, report the incident by contacting the Support Center and then change ALL of your passwords as soon as possible.
Standards for Frequency of Changing Passwords
- Users must change passwords at a frequency of 180 days, unless otherwise directed by Information Services.
- When possible, college computer systems will be programmed to notify users in advance that passwords are due to expire and will prompt the users to select new passwords.
- Special incidents (security breach, data compromise, etc.) may require users to change passwords in accordance with instructions from Information Services employees.
Password Resets
Password reset requests will be handled by phone or in person by contacting the Support Center. When requesting a password reset, individuals will be asked a set of security questions to verify the identity of the person requesting the action. The most recent password may not be reused.
New accounts will have a password set by an Information Services employee. The user will be required to change this password upon their first login to the associated system.