
Password Policy

Approved by President/Provost
4/8/2020
Review again
4/8/2025

Policy Contact
ITS Security and Client Computing
(607) 436-3203

Policy Statement

This policy outlines password management requirements for º£½ÇÂÛ̳ user accounts.

Rationale

Passwords are a common means of authenticating a user’s identity when accessing information systems. Password standards need to be implemented to ensure all authorized individuals accessing º£½ÇÂÛ̳ resources follow proven password management practices. These password rules must be mandated by automated system controls whenever possible.

Applicability of the Policy

This policy applies to all º£½ÇÂÛ̳ faculty, staff, students, and all other users of relevant information systems.

Policy Elaboration

To ensure proper password management, the following password standards will be implemented where technically feasible:

  • Password cannot be the same as user-id, or contain a portion of the user’s name
  • Password length minimum of 12 characters
  • Where technically possible, user password selections will be checked against a prohibited list of known common passwords
  • Cannot use a password equal to any of the account’s last twenty-five (25) passwords
  • Account lockout after detection of suspicious login attempt behavior
  • Account lockout duration – 15 minutes, or until reset by authorized person
  • Passwords should not be written down
  • User account passwords must be kept confidential – they must not be shared with another user
  • Accounts created for shared purposes (club accounts, office accounts, etc.) must have their passwords changed at the end of each academic year, or when a member with knowledge of the password leaves the organization.
  • Temporary passwords must be changed at the first login
  • A password reset will be forced in the case of a detected behavior suggesting possible account compromise
  • A user who requests a password reset must have their identity verified before the request is granted

Definitions

Suspicious login attempt behavior - Login attempt patterns identified by ITS Security and Client Computing as indicators of attempted compromise. For example, excessive failed login attempts in a given time frame that would suggest a brute-force attempt to guess an account password.

Contacts

Questions related to the daily operational interpretation of this policy should be directed to:

ITS Security and Client Computing
(607) 436-3203

Effective Dates

Approved by the President/Provost on 4/8/2020
