Password Security Standard

Purpose

This document establishes a standard for password creation and protection in order to mitigate compromise of sensitive or confidential information.

Scope

This security standard applies to all users (employees, contractors, vendors, and other parties) of Georgia Southwestern State University technology systems.

Standard

All passwords shall be constructed with the following characteristics:

  1. At least 10 characters in length
  2. Must contain characters from at least 3 of the following categories:
    1. English uppercase letters (A-Z)
    2. English lowercase letters (a-z)
    3. Base 10 digits (0-9)
    4. Non-alphanumeric characters (for example, !, $, #, %)
  3. Must not contain the user’s name or part of the user’s name
  4. Must not contain accessible or guessable personal information about the user (such as birthdays, children’s names, addresses, etc.)
  5. Must be significantly different from your previous four passwords

Once you have changed your password, you must wait one day (24 hours) before you can change it again.

All system-level passwords (e.g., root, enable, Windows admin, application administration accounts, etc.) shall be changed every 90 days. All user- level passwords (e.g., email, web, desktop computer, etc.) shall be changed every 180 days.

Temporary or “first-use” passwords may violate the above requirements, but must be changed by the user upon first logon.

Administrators are given authority to determine security of passwords that violate the above requirements if other measures are put in place, such as account lockout or password history.

All passwords should be treated as confidential information, and should not be shared with anyone, including but not limited to administrative assistants, system administrators, and helpdesk personnel.

Passwords shall not be stored in clear text. Cryptography shall be used when storing password information. Passwords shall not be inserted into email messages or other forms of electronic communication unless encrypted.

User accounts that have system-level privileges granted through group memberships or programs shall have a unique password from other accounts held by that user.

If an account or password is suspected of being compromised, the incident must be reported to the appropriate access administrator or in accordance with local incident response procedures.