SUNY Plattsburgh
NetID Password Policy

Approved by Executive Council on March 14, 2008

Relevant NYS Laws/Standards

  • From "Information Security Practices Recommended by New York State (Current State of Standards), Version September 14, 2006," Ted.Phelps@suny.edu. Derived from "Cyber Security Policy P03-002, Information Security Policy," New York State Office of Cyber Security & Critical Infrastructure Coordination

    1.27 Give the Security Administrators administrative responsibility over all user-IDs and passwords and the associated processes for reviewing, logging, implementing access rights, emergency privileges, exception handling, and reporting requirements.

    2.45 Associate each user-ID with an authentication token, such as a password, which is used to authenticate the person accessing the data, system, or network.

    2.48 Hold each authorized user responsible to reasonably protect against unauthorized activities performed under his or her user-ID including not sharing passwords or other tokens or mechanisms used to uniquely identify individuals.


  • Public Officers' Law, Section 74
    New York State Ethics Commission

    3.c No officer or employee of a state agency, member of the legislature or legislative employee should disclose confidential information acquired by him in the course of his official duties nor use such information to further his personal interests.

    4. Violations. In addition to any penalty contained in any other provision of law any such officer, member or employee who shall knowingly and intentionally violate any of the provisions of this section may be fined, suspended or removed from office or employment in the manner provided by law. Any such individual who knowingly and intentionally violates the provisions of paragraph b, c, d or i of subdivision three of this section shall be subject to a civil penalty in an amount not to exceed ten thousand dollars and the value of any gift, compensation or benefit received as a result of such violation...


Definitions:
 

Sensitive or Personal Information: Sensitive information includes any data items, which through loss, unauthorized access, or modification could: adversely affect the institution; violate international, federal, state, or local laws; compromise the privacy of individuals; or are any items explicitly defined by the institution as confidential or internal-use only.

Average Systems: Systems where users have access to read and update only their own information, or do not have access to sensitive information about others.

High-Security Systems: Systems where users have been designated as having access to sensitive or personal information. As such, these users will be subject to more rigorous security requirements.

Accounts/Authentication System: For purpose of this document, an "account" will refer to one source of authentication, typically a username/password pair. Many systems may share a common account or authentication system. For example, SUNY Plattsburgh's NetID is just such an account used to access ANGEL, email, and other services. Some systems, such as Banner Forms, may choose to use a unique account specific only to that system.

Leet-Speak: Or "l33t-sp34k." The practice of substituting letters with numbers that bear some resemblance to them. For example, a "3" for an "E" or a "4" for an "A." This can be used as an effective means of creating a password that is meaningful to the user but that also complies with complexity guidelines.
 

Account Usage Guidelines (All Systems/All Users)
 

It is the responsibility of all users to ensure that they do nothing to allow compromise of, or unauthorized access to, their accounts or the information and services available through such accounts. As such, users:

  • should select an appropriately complex or strong password for each account they have (see guidelines below);
  • must follow the "Responsible Use of Technology Resources at Plattsburgh State University of New York" policy, which requires that "users will use only the unique account assigned" and that "users will not share their account with others";
  • and must not use the same password they have selected for use on SUNY Plattsburgh systems on other commercial or private systems.


Password Complexity
 

In choosing an appropriately complex password, users should consider the following in addition to the specific requirements detailed in the next sections.

Avoid using in a forward or backward sequence any of the following:

  • words found in the dictionary;
  • people, pet, or place names like "John," "Smith," "Rover," or "Plattsburgh;"
  • any personal information that may be commonly known or easily discovered: address, phone number, birthday, hobbies, other screen names, etc.;
  • repeated characters, such as AAA or 999;
  • alphabetic sequences, such as abc or ABC;
  • number sequences, such as 123;
  • keyboard sequences, such as QWERTY, ASDF, etc.


Consider using these:

  • passwords constructed from phrases or by combining words;
  • when using words, drop vowels or replace with numbers (leet speak);
  • or uncommon acronyms derived from a combination of letters, numbers, and other characters.

The degree of password complexity for any system is assigned at the discretion of the system's System Managers or Security Administrators.
 

Password Complexity Requirements (Average Systems)
 

  • Passwords must be at least 8 characters long.
  • Passwords must contain characters from at least three of the following four categories:
    1. Uppercase characters (A-Z)
    2. Lowercase characters (a-z)
    3. Base 10 digits (0-9)
    4. Non-alphanumeric characters (For example, !, @, #, $, %, ^, &, *)
  • The password cannot contain the username, even in leet-speak.
  • All users must set a security question via Banner.


Password Complexity Requirements (High-Security Systems)
 

  • Passwords must be at least 12 characters long.
  • Passwords must contain characters from at least three of the following four categories:
    1. Uppercase characters (A-Z)
    2. Lowercase characters (a-z)
    3. Base 10 digits (0-9)
    4. Non-alphanumeric characters (For example, !, @, #, $, %, ^, &, *)
  • The password cannot contain the username, even in leet-speak.
  • All users must set a security question via Banner.
     
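The following is an added example, not part of the policy or of any campus system: a small validator that applies the complexity requirements above (8 characters for Average Systems, 12 for High-Security Systems, three of the four character categories, and no username even in leet-speak). The leet-speak substitution table beyond "3" for "E" and "4" for "A" is an assumption for the example.

```python
import re

# Digit/symbol -> letter substitutions used to detect a leet-speak username.
# The policy only gives "3" for "E" and "4" for "A" as examples; the rest of
# this table is an assumption for the example.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# The four character categories of the policy; at least three must appear.
CATEGORIES = (
    re.compile(r"[A-Z]"),          # uppercase
    re.compile(r"[a-z]"),          # lowercase
    re.compile(r"[0-9]"),          # base 10 digits
    re.compile(r"[^A-Za-z0-9]"),   # non-alphanumeric
)


def _normalize(text):
    """Undo leet-speak substitutions and fold case so 'Jd0e' matches 'jdoe'."""
    return text.translate(LEET_MAP).lower()


def check_password(password, username, high_security=False):
    """Return the list of policy violations; an empty list means the password passes.

    high_security=False applies the Average Systems minimum (8 characters),
    high_security=True the High-Security Systems minimum (12 characters).
    """
    min_len = 12 if high_security else 8
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if sum(1 for cat in CATEGORIES if cat.search(password)) < 3:
        problems.append("fewer than three of the four character categories")
    # Normalize both sides so a leet-speak spelling of the username is caught.
    if username and _normalize(username) in _normalize(password):
        problems.append("contains the username (leet-speak substitutions included)")
    return problems


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "Jd0e!x2Y", "password", "Sh0rt!"):
        print(pw, check_password(pw, "jdoe") or "OK (average systems)")
```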

Password Change Frequency (All Systems)
 

After selecting an adequately complex or strong password, users of such systems are not required to change their passwords at any specific frequency, though they are encouraged to do so every 90-180 days. System Managers or Security Administrators of individual systems may opt to require password changes (expiration) at a specific interval with sufficient notification to users of those systems. Users desiring additional security may, at their discretion, change their passwords more frequently.
 

Account Lockout Procedures (Average System)
 

If a password is entered incorrectly 25 times in a row, the account will be locked for a period of 30 minutes. The relatively high retry count accommodates commercial software clients (programs) that often perform multiple retries on a single password entry. System Managers or Security Administrators will receive notification of each login failure and/or lockout incident and review available logs for evidence of unauthorized access.
 

Account Lockout Procedures (High-Security Systems)
 

If a password is entered incorrectly three times in a row, the account will be disabled and must be enabled by a security administrator. System Managers or Security Administrators will receive notification of each login failure and/or lockout incident and review available logs for evidence of unauthorized access.
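An added example (not code from the policy or from any campus system) of the lockout logic in the two sections above: 25 consecutive failures lock an Average System account for 30 minutes, 3 consecutive failures disable a High-Security account until an administrator re-enables it, and every failure and lockout is recorded as a notification event. Tier names and the event wording are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Lockout rules from the policy; lock_for=None means the account stays
# disabled until a security administrator re-enables it.
LOCKOUT_RULES = {
    "average": {"max_failures": 25, "lock_for": timedelta(minutes=30)},
    "high": {"max_failures": 3, "lock_for": None},
}


@dataclass
class Account:
    tier: str                               # "average" or "high"
    failures: int = 0                       # incorrect passwords in a row
    locked_until: Optional[datetime] = None
    disabled: bool = False
    events: list = field(default_factory=list)  # notifications for administrators


def record_attempt(acct, password_ok, now):
    """Apply one login attempt; return "ok", "failed", "locked" or "disabled"."""
    rule = LOCKOUT_RULES[acct.tier]
    if acct.disabled:
        acct.events.append(f"{now:%H:%M} attempt on disabled account")
        return "disabled"
    if acct.locked_until is not None:
        if now < acct.locked_until:
            acct.events.append(f"{now:%H:%M} attempt during lockout")
            return "locked"
        acct.locked_until = None        # lockout period has expired
        acct.failures = 0
    if password_ok:
        acct.failures = 0               # a success ends the "in a row" streak
        return "ok"
    acct.failures += 1
    acct.events.append(f"{now:%H:%M} login failure #{acct.failures}")
    if acct.failures < rule["max_failures"]:
        return "failed"
    if rule["lock_for"] is None:
        acct.disabled = True
        acct.events.append(f"{now:%H:%M} account disabled, administrator must re-enable")
        return "disabled"
    acct.locked_until = now + rule["lock_for"]
    acct.events.append(f"{now:%H:%M} account locked until {acct.locked_until:%H:%M}")
    return "locked"
```

Note that a correct password entered during the 30-minute window is still rejected; the lock, not the credential, decides until it expires.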
 

Password Reset Procedures
 

In most situations, it is strongly encouraged that password resets be done by the users themselves, using online forms or in person following the appropriate procedures listed in the sections below. In addition to those procedures, special consideration must be given to branch campus, distance learning, and online students, and to others who simply are unable to come to campus in person for a password reset. Passwords for individuals in those situations can only be reset by a System Manager, the Helpdesk Coordinator, or one of their assistants. The following information will need to be provided by the individual over the phone or in an email:

  • Birth date
  • Home address (on file)
  • Home phone (on file)

 

Password Reset Procedures (Average Systems)
 

System Managers or Security Administrators, as well as staff at the Computing & Media Services Helpdesk and Feinberg Computer Lab service desk and in Computing Information Systems in Kehoe, are able to reset passwords. The Registrar and Alumni offices may also reset passwords for Students and Alumni, respectively. All parties resetting passwords must follow this protocol when resetting a password:

  • In all cases, users should be encouraged to reset the passwords themselves using the online web form.
  • If a user cannot do a self-reset for whatever reason, a College ID must be presented and verified for a password to be reset. Verification is done by checking the ID against Banner data or other databases that list active IDs.
  • If no College ID is available, the user's birth date may be used as verification data, along with some other form of picture ID.
  • If a picture ID is not available, the user's birth date and last four digits of their Social Security number may be used as verification data.
  • If possible, no information provided by the user should be written down or communicated to the staff resetting the password. The user should be directed to type in all information themselves or to do a self-reset via a web form.
  • If possible, the user should be directed to change the password to a different one immediately after the reset is complete.


The password will be set to its default (the last 4 digits of the Social Security Number, followed by the first four letters of the last name in capital letters).

Passwords may be reset without verification by CMS systems management staff, the Helpdesk Coordinator, and the Computer Information Systems coordinator.
The user should receive an email confirming each reset request asking them to contact appropriate administrators with concerns. The appropriate System Managers or Security Administrators should appoint staff to review reset logs for evidence of unauthorized access. The staff reviewing the logs should not be the staff who perform the resets.
 

Password Reset Procedures (High-Security Systems)
 

System Managers or Security Administrators of high-security systems alone can reset such passwords. Requests will be made in person to the security administrators of these systems.
 

Access to Account Information and Stored Passwords or Password Data
 

Account information, including passwords, is considered private and the property of the user. Passwords are one-way encrypted in the system database and are not human-readable. Default passwords are provided to System Managers or Security Administrators by Computer Information Systems, and are stored in unencrypted format on the CMS database server for use when resetting passwords. System Managers, Security Administrators, and professional Helpdesk technicians have access to these stored passwords, and will access them, with notification to the user, for the following purposes:

  • creating new accounts on systems;
  • as part of a troubleshooting procedure, network registration, or new computer upgrade/placement (at the user's request);
  • when a user does a self-reset and the default password will not log the user into their account(s);
  • when a System Manager, Security Administrator, or Helpdesk technician processes a password reset and the default password will not log the user into their account(s);
  • to stabilize the account (done by System Managers or Security Administrators without a request if the user's account or its contents are causing problems for other accounts on the system or for the system itself);
  • to secure the account (done by System Managers or Security Administrators without a request if there is reasonable evidence to assume the user's account has been compromised);
  • or to respond to a subpoena or court order, only with the approval of the Dean of Library and Information Services and/or appropriate administrative personnel or counsel.


Lists or files containing default password information should not be printed out, copied to other computer systems, or copied to any portable media other than for system backup purposes.

At no time should a System Manager, Security Administrator, Helpdesk technician, or other staff member ask a user to disclose their password in person, over the phone, in an email, or via any medium other than a secure password screen verifiably hosted by this campus. This is to avoid encouraging behaviors that would make it more likely that users would fall victim to phishing attempts or other social engineering methods.

Should a password need to be disclosed by a System Manager, Security Administrator, Helpdesk technician, or other staff member to a user in person or over the phone, the person's identity should first be verified using methods described in the "Password Reset Procedures (Average Systems)" section of this document. If possible, usernames or account names and passwords should not be communicated via email. However, in cases where this becomes necessary, the username or account name and password should not be sent in the same message.
 

Contact Information

For more information about Administrative Policies approved by Executive Council, please contact:

Sean Brian Dermody
Assistant to the Vice President for Administration
Management Services Office
Office: Kehoe 710-11
Phone: (518) 564-2539
Fax: (518) 564-2540
Email: dermodsb@plattsburgh.edu