The purpose of this policy is to establish a standard for the creation of strong passwords and the protection of those passwords across Franklin & Marshall (F&M). At their discretion, the College Information Technology Committee reserves the right to modify this policy at any point in time.
Information security requires the participation and support of all members of the F&M community with access to information assets. It is the responsibility of every member of the F&M community to help ensure that all information assets are kept secure and available. Information about how to change your unified password is found on the account management page at password.fandm.edu. Just log in and follow the directions.
This policy applies to all members of the F&M community, which includes, but is not limited to, employees, students, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as "users"), who have access to, support, administer, manage, or maintain F&M information assets.
The College Information Technology Committee will review this policy on an annual basis. All revisions will be presented to the Chief Information Officer (CIO) for approval.
Passwords are a critical aspect of information security; they are the front line of protection for user accounts. A poorly chosen password may result in the compromise of F&M's entire campus network. Therefore, all F&M users are responsible for taking the appropriate precautions while selecting and securing their passwords.
All access to systems must be controlled by an authentication method involving a minimum of a Username/Password combination. The Username/Password combination must provide verification of the user's identity.
To the extent feasible, new users will be forced by the system they are accessing to change their initial password to one that meets the Password Standards. Initial passwords must not be easily associated with F&M or the user (e.g., social security number, employee number, address, numerical equivalent of name). Passwords must not contain words from a dictionary, movie, geographical location, or mythology. Also, passwords should not be based upon month/year combinations such as "jan00" or "april2000".
As of September 2009, users should be required to change passwords every one hundred eighty (180) days. System administrators shall enforce this through technical means by deploying password aging on systems. Users will not use cyclical passwords. For example, users cannot simply append a number to the end of the previous password and increment it in sequence. Users should try to use various password schemes as outlined in the other Password Standards.
Where technically feasible, systems must use password history techniques to maintain a password history for each user. The history file must contain each user's last 24 passwords and store them in encrypted form.
Users must create initial passwords that are a minimum of eight (8) characters in length. Where technically feasible, computer system administrators must enforce password length requirements.
Users must create passwords comprised of letters, numbers, and special characters to the extent possible. Where technically feasible, computer system administrators must enforce password complexity requirements.
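As an added illustration (not part of the College's policy or its systems), the following Python validator applies the standards above: minimum length, character classes, month/year combinations, dictionary words, reuse within the 24-password history, and cyclical increments of the current password. The word list and month abbreviations are constructed for the example; the policy does not specify them.

```python
import re

# Constructed sample word list; a deployment would load a full dictionary.
DICTIONARY = {"password", "franklin", "marshall", "lancaster", "zeus"}
MONTHS = ("january", "february", "march", "april", "june", "july", "august", "september",
          "october", "november", "december", "jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")
MIN_LENGTH = 8      # "minimum of eight (8) characters"
HISTORY_DEPTH = 24  # "the last 24 passwords"
# Matches month/year combinations such as "jan00" or "april2000".
_MONTH_YEAR = re.compile(r"^(?:%s)(?:\d{2}|\d{4})$" % "|".join(MONTHS))


def _split_suffix(password):
    """Split 'Summer#07' into ('Summer#', '07'); 'Spring!' gives ('Spring!', '')."""
    m = re.match(r"^(.*?)(\d*)$", password)
    return m.group(1), m.group(2)


def is_cyclical(candidate, previous):
    """True when candidate is the previous password with a numeric suffix added or incremented."""
    base_new, num_new = _split_suffix(candidate)
    base_old, num_old = _split_suffix(previous)
    if base_new != base_old or not num_new:
        return False
    return not num_old or int(num_new) == int(num_old) + 1


def check_password(candidate, old_password=None, history=()):
    """Return the list of standards the candidate violates; an empty list means acceptable.
    old_password is what the user types at change time (needed for the cyclical check);
    history holds earlier passwords and would be compared as hashes in a real system."""
    problems = []
    lower = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(not c.isalnum() for c in candidate)
    if not (has_letter and has_digit and has_special):
        problems.append("must contain letters, numbers, and special characters")
    if _MONTH_YEAR.match(lower):
        problems.append("based on a month/year combination")
    if any(word in lower for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if candidate in list(history)[-HISTORY_DEPTH:]:
        problems.append("reused within the last %d passwords" % HISTORY_DEPTH)
    if old_password is not None and is_cyclical(candidate, old_password):
        problems.append("cyclical variant of the current password")
    return problems
```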
Passwords must never be stored in clear text. Therefore, users must not hard code any username/passwords in scripts or clear text files such as system shell scripts, batch jobs or word processing documents.
The Information Security Analyst must perform password testing on a monthly basis to ensure proper passwords are being used. This includes the use of password cracking tools on password files. The CIO must control this process in the strictest manner and subject it to explicit supervision.
After fifty (50) consecutive authentication failures, users must be locked out of the resource they are attempting to access and will have to have their account manually reset. In the event that an account requires a new password, help desk personnel must leave the new password on the user's voice mail after verifying the authenticity of the user requesting the password. In the event that the account requires resetting without changing the password, the reset must only be executed after verification of the user's identity.
Last update: 9 July 2013