This document establishes a standard for password creation and protection in order to mitigate compromise of sensitive or confidential information.
This security standard applies to all users (employees, contractors, vendors, and other parties) of Georgia Southwestern State University technology systems.
Passwords for accounts that access systems with a security categorization of Moderate or higher (as specified in Section 5.6.3 of the USG IT Handbook) must be constructed with the following characteristics:
- At least 10 characters in length
- Must contain characters from at least 3 of the following categories:
- English uppercase letters (A-Z)
- English lowercase letters (a-z)
- Base 10 digits (0-9)
- Non-alphanumeric characters (for example, !, $, #, %)
- Must not contain the user’s name or username
- Must not contain accessible or guessable personal information about the user (such as birthdays, children’s names, addresses, etc.)
- Must be different from your previous four passwords
All system-level passwords (e.g., root, enable, Windows admin, application administration accounts, etc.) shall be changed every 90 days. All user- level passwords (e.g., email, web, desktop computer, etc.) shall be changed every 180 days. This rule applies only to systems with a security categorization of Moderate or higher.
Temporary or “first-use” passwords may violate the above requirements, but must be changed by the user upon first logon.
Administrators are given authority to determine security of passwords that violate the above requirements if other measures are put in place, such as account lockout or password history.
All passwords should be treated as confidential information, and should not be shared with anyone, including but not limited to administrative assistants, system administrators, and helpdesk personnel.
Passwords shall not be stored in clear text. Cryptography shall be used when storing password information. Passwords shall not be inserted into email messages or other forms of electronic communication unless encrypted.
User accounts that have system-level privileges granted through group memberships or programs shall have a unique password from other accounts held by that user.
If an account or password is suspected of being compromised, the incident must be reported to the appropriate access administrator or in accordance with local incident response procedures.