NetID Password Policy
Details the responsibilities of all users to maintain the integrity of their accounts and prevent unauthorized access.
Policy Information
Policy Number | Policy Owner |
---|---|
10016.1 | Information Technology Services |
- 1.0 Purpose
- 2.0 Revision History
- 3.0 Units and Persons Affected
- 4.0 Policy
Account Usage Guidelines (All Systems/All Users)
It is the responsibility of all users to ensure that do nothing to allow compromise or unauthorized access to their accounts or information and services available through such accounts. As such, users:
- should select an appropriately complex or strong password for each account they have (see guidelines below);
- must follow the Responsible Use of Technology Resources at Plattsburgh State University of New York policy which requires that "users will use only the unique account assigned" and that "users will not share their account with others" (see Appendix);
- and must not use the same password they have selected for use on SUNY Plattsburgh systems for systems used on other commercial or private systems.
Password Complexity
In choosing an appropriately complex password, users should consider the following in addition to the specific requirements detailed in the next sections.
Avoid using in a forward or backward sequence any of the following:
- words found in the dictionary;
- people, pet, or place names like "John," "Smith," "Rover," or "Plattsburgh;"
- any personal information that may be commonly known or easily discovered: address, phone number, birthday, hobbies, other screen names, etc.;
- repeated characters, such as AAA or 999;
- alphabetic sequences, such as abc or ABC;
- number sequences, such as 123;
- keyboard sequences, such as QWERTY, ASDF, etc.
Consider using these:
- passwords constructed from phrases or by combining words;
- when using words, drop vowels or replace with numbers (leet speak);
- or uncommon acronyms derived from a combination of letters, numbers, and other characters.
The degree of password complexity for any system is assigned at the discretion of the system's System Managers or Security Administrators.
Password Complexity Requirements (Average Systems)
- Passwords must be at least 8 characters long.
- Passwords must contain characters from at least three of the following four categories: 1. Uppercase characters (A-Z) 2. Lowercase characters (a-z) 3. Base 10 digits (0-9) 4. Non-alphanumeric characters (For example, !, @, #, $, %, ^, &, *)
- The password cannot contain the username, even in leet-speak.
- All users must set a security question via Banner
Password Complexity Requirements (High-Security Systems)
- Passwords must be at least 12 characters long.
- Passwords must contain characters from at least three of the following four categories: 1. Uppercase characters (A-Z) 2. Lowercase characters (a-z) 3. Base 10 digits (0-9) 4. Non-alphanumeric characters (For example, !, @, #, $, %, ^, &, *)
- The password cannot contain the username, even in leet-speak.
- All users must set a security question via Banner.
Password Change Frequency (All Systems)
After selecting an adequately complex or strong password, users of such systems are not required to change their passwords at any specific frequency, though they are encouraged to do so every 90-180 days. System Managers or Security Administrators of individual systems may opt to require password changes (expiration) at a specific interval with sufficient notification to users of those systems. Users desiring additional security may, at their discretion, change their passwords more frequently.
Access to Account Information and Stored Passwords or Password Data
Account information, including passwords, are considered private and the property of the user. Passwords are one-way encrypted in the system database and are not human-readable. Default passwords are provided to System Managers or Security Administrators by Computer Information Systems, and are stored in unencrypted format in the CMS database server for use when resetting passwords. System Managers, Security Administrators, and professional Helpdesk technicians have access to these stored passwords, and will access them, with notification to the user, for the following purposes:
- creating new accounts on systems;
- as part of a troubleshooting procedure, network registration or new computer upgrade/placement (at the user's request);
- when a user does a self-reset and the default password will not log user into their account(s);
- when a System Manager, Security Administrator or Helpdesk technician processes a password reset and the default password will not log user into their account(s);
- to stabilize the account it will be done by System Managers or Security Administrators without request if the user's account or its contents are causing problems for other accounts on the system or the system itself;
- to secure the account it will be done by System Managers or Security Administrators without request if there is reasonable evidence to assume the user's account has been compromised;
- Or to respond to subpoena or court order, only under the approval of the Director of Information Technology Services and/or appropriate administrative personnel or counsel.
Lists or files containing default password information should not be printed out, copied to other computer systems, or copied to any portable media other than for system backup purposes. At no time should a System Manager, Security Administrator, Helpdesk technician, or other staff member ask a user to disclose their password in person, over the phone, in an email, or via any medium other than a secure password screen verifiably hosted by this campus. This is to avoid encouraging behaviors that would make it more likely that users would fall victim to Phishing attempts or other social engineering methods. Should a password need to be disclosed by a System Manager, Security Administrator, Helpdesk technician, or other staff member to a user in person or over the phone, the person's identity should first be verified using methods described in the "Password Reset Procedures (Average Systems)" section of this document. If possible, usernames or account names and passwords should not be communicated via email. However, in cases where this becomes necessary, the username or account name and password should not be sent in the same message.
- 5.0 Definitions
- 6.0 Responsibilities
- 7.0 Procedures
- 8.0 Forms
- 9.0 Appendix
- 10.0 Distribution and Training
For additional information about this policy, please contact the Policy Owner listed above.