Office of General Counsel Policies & Guidelines

Password Management: G-051

Policy/Guideline Area

General Guidelines

Applicable Divisions

TCATs, Community Colleges, System Office, Board Members


The purpose of this guideline is to establish a minimum expectation with respect to password construction in order to protect data stored on computer systems throughout the system.


  1. Policy
    1. A combination of a personal user login ID for identification and a unique password for authentication will be required of all users before they are allowed to access institutional networks and systems.
    2. Passwords will be used for authentication of access to all institutional networks and systems except where stronger authentication methods (such as biometric authentication or two-factor authentication) are deemed necessary.
    3. The effectiveness of passwords to protect access to the institution’s information directly depends on strong construction and handling practices.
  2. Password Construction
    1. All users must construct strong passwords for access to all institution networks and systems, using the following criteria where technically feasible:
      1. Must be a minimum of 8 characters in length.
      2. Must be composed of a combination of at least three of the following four types of characters:
        1. Upper case alphabetic character;
        2. Lower case alphabetic character;
        3. Numeric character;
        4. Non-alphanumeric character.
      3. Or, as an alternative:
        1. A pass phrase of a minimum of 14 characters.
  3. Password Management
    1. The following requirements apply to end-user password management.
      1. Storage and Visibility
        1. Passwords must not be stored in a manner which allows unauthorized access.
        2. Passwords will not be stored in a clear text file.
        3. Passwords will not be sent via unencrypted e-mail.
      2. Changing Passwords
        1. Users must change their passwords at least every 365 days.
          1. Student accounts are excepted from this requirement.
        2. Users who process or access restricted data (such as protected health information, student FERPA data, and Social Security Numbers or other personally identifiable information) should change their passwords at least every 120 days.
        3. Users with privileged accounts (such as those with root or administrator level access) must change their passwords at least every 120 days.
        4. Passwords must be changed immediately if any of the following events occur:
          1. Unauthorized password discovery or usage by another person;
          2. System compromise (unauthorized access to a system or account);
          3. Insecure transmission of a password;
          4. Accidental disclosure of a password to an unauthorized person; or
          5. Status changes for personnel with access to privileged and/or system accounts.
  4. Password Protection – System Accounts
    1. System Accounts can be defined as:
      1. Accounts used for automated processes without user interaction.
      2. Accounts used for device management.
    2. System Accounts are not required to expire but must meet the password construction requirements above.
    3. Vendor provided passwords must be changed upon installation using the password construction requirements above.
  5. Compliance and Enforcement
    1. The policy applies to all users of information resources including students, faculty, staff, temporary workers, vendors, and any other authorized users.
    2. Persons in violation of this policy are subject to a range of sanctions determined and enforced by the individual institutions.
    3. Justifications for exceptions to this policy must be documented by the institution.


NEW Guideline approved at Presidents Meeting, August 19, 2014, effective September 26, 2014.

