Password Policy

Scope

The purpose of this policy is to establish a standard for the creation of strong passwords and for the protection of those passwords across Franklin & Marshall (F&M). The College Information Technology Committee reserves the right to modify this policy at any time.

Information security requires the participation and support from all members of the F&M community with access to information assets. It is the responsibility of every member of the F&M community to help ensure that all information assets are kept secure and available. Information about how to change the password associated with your F&M NetID is found on the account management page at password.fandm.edu. Log in and follow the directions.

Audience

This policy applies to all members of the F&M community, which includes, but is not limited to employees, students, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as "users"), who have access to, support, administer, manage, or maintain F&M information assets.

Policy Maintenance

The College Information Technology Committee periodically reviews and revises this policy based upon emerging best practices. 

Policy Statement

Passwords are a critical aspect of information security; they are the front line of protection for user accounts. A poorly chosen password may result in the compromise of F&M's entire campus network. Therefore, all F&M users are responsible for taking the appropriate precautions while selecting and securing their passwords.

You must never share your login and password with anyone.

Access Control

All access to systems must be controlled by an authentication method that requires, at a minimum, a username/password combination, and that combination must be sufficient to verify the user's identity.

Initial Passwords

New users receive a notification that they can go to the password change system and create a password. They will need to have a mobile phone number on record; if they do not, they will need to contact the Help Desk. If a user requires assistance from Help Desk staff in resetting their password, the Help Desk first verifies the user's identity and then conveys a temporary password to the user only in person or by phone; it is never sent through email. The temporary password must be changed by the user immediately upon first use.

Password Age

Since September 2009, users have been required to change their passwords every one hundred eighty (180) days. System administrators shall enforce this through technical means by deploying password aging on systems. Users must not cycle passwords: for example, a new password may not be the previous password with a number at the end incremented or appended in sequence.

Password History

Where technologically feasible, systems must keep a password history for each user. The history must contain the user's last 24 passwords, stored as salted one-way hashes (not in clear text and not in a reversible encrypted form), so that a proposed new password can be compared against them without the old passwords ever being recoverable.

Password Length

Users must create passwords that are a minimum of ten (10) characters in length. Where technically feasible, computer system administrators must enforce the password length requirement.

Password Complexity

Users must create passwords that contain characters from at least three of the following four categories:

  • Uppercase characters
  • Lowercase characters
  • One or more numbers
  • Non-alphanumeric characters, for example: ~!@#$%^&*
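The rules in the Password Age, Password History, Password Length and Password Complexity sections can be checked mechanically at change time. The Python below is an added example written for this page; it is not code from F&M's password change system. The function names, the PBKDF2 parameters and the choice to treat any change that is confined to the trailing digits as "cyclical" (slightly broader than the sequential-number case the policy names) are the editor's assumptions. History entries are kept as salted one-way hashes, so the reuse check is a hash comparison rather than a comparison against stored plaintext; the cyclical check is made against the current password, which is the only earlier password available in clear during a change.

```python
"""Added example: checks a proposed password change against the length,
complexity, history and no-cyclical-passwords rules stated in this policy.
Illustrative code for this page, not F&M's password change system."""
import hashlib
import hmac
import os
import re
import string
from typing import List, Tuple

MIN_LENGTH = 10          # Password Length section
MIN_CATEGORIES = 3       # Password Complexity: three of the four categories
HISTORY_DEPTH = 24       # Password History: the last 24 passwords

# Splits "Summer2023" into stem "Summer" and trailing number "2023".
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash for a history entry (PBKDF2-HMAC-SHA256, assumed
    parameters). Nothing here can be decrypted; only recomputed and compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def category_count(password: str) -> int:
    """How many of the four character categories the password contains."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def is_cyclical(new: str, old: str) -> bool:
    """True when `new` is `old` with only a trailing number changed or appended,
    i.e. the "add a number at the end in sequence" pattern the policy bans."""
    m_new = _TRAILING_DIGITS.match(new)
    if not m_new:
        return False
    m_old = _TRAILING_DIGITS.match(old)
    old_stem = m_old.group(1) if m_old else old
    return m_new.group(1) == old_stem


def validate_change(current: str, new: str,
                    history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of policy violations for a change (empty list = allowed).
    `history` holds (salt, hash) pairs of earlier passwords, oldest first."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if category_count(new) < MIN_CATEGORIES:
        problems.append(f"fewer than {MIN_CATEGORIES} of the 4 character categories")
    if is_cyclical(new, current):
        problems.append("cyclical: only the trailing number differs from the current password")
    for salt, digest in history[-HISTORY_DEPTH:]:
        # Constant-time compare of the recomputed hash against the stored one.
        if hmac.compare_digest(hash_password(new, salt), digest):
            problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def record_change(new: str, history: List[Tuple[bytes, bytes]]) -> List[Tuple[bytes, bytes]]:
    """Append the accepted password's salted hash and keep only HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    history.append((salt, hash_password(new, salt)))
    return history[-HISTORY_DEPTH:]


if __name__ == "__main__":
    # Constructed sample: a first password, then two attempted changes.
    hist = record_change("Correct-Horse7", [])
    print(validate_change("Correct-Horse7", "Correct-Horse8", hist))  # cyclical
    print(validate_change("Correct-Horse7", "Correct-Horse7", hist))  # cyclical + reused
    print(validate_change("Correct-Horse7", "Battery.Staple42", hist))  # allowed
```

The reuse loop recomputes the hash once per stored entry because each entry carries its own salt; with 24 entries and a deliberately slow hash this is a noticeable but acceptable cost at change time, which is the only time it runs.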

Password Storage

Employees who write programs or scripts must never store passwords in clear text. Usernames and passwords must not be hard-coded in scripts or clear-text files such as system shell scripts, batch jobs, source files or word processing documents; a job that needs a credential should read it at run time from a protected location that only that job's account can access.

For all employees, passwords should not be stored in plain text in word processing documents or elsewhere.  For assistance managing passwords, contact the Help Desk for advice on best practices and tools available.

Locking Accounts

Users must never use their F&M username and password on other systems; these credentials must be unique to F&M. Even so, the Chief Information Security Officer actively monitors national and international high-profile security breaches for indications that F&M users may have been affected. When an F&M user is identified in data publicly shared on the Internet (typically by finding their F&M email address in the leaked data files), the CISO has the authority to immediately lock that user's account and require a password reset before access to campus systems is restored.

If anomalous use of a College NetID and password is detected, for example activity suggesting that the account has been compromised, the account is locked automatically and a password change is required. For example, a NetID and password used to log in to a public computer in the library in Lancaster, PA and, within the same hour, to log in to inside.fandm.edu from California would trigger the lock.

Account Lockout

After five (5) consecutive authentication failures, the account is locked out of the resource being accessed and the user must reset their password through the College's self-service password change service. If Help Desk assistance is needed, the identity verification and temporary password handling described under Initial Passwords apply.
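Both automatic locks, the impossible-travel case described under Locking Accounts and the lockout after five consecutive failures in this section, can be expressed as one evaluation over a stream of sign-in events. The Python below is an added example written for this page, not F&M's monitoring system. The event record layout, the approximate coordinates, the 900 km/h speed ceiling used to call a pair of sign-ins "impossible travel", and the sample events are all constructed assumptions.

```python
"""Added example: replays sign-in events and applies two lock rules from this
policy: lock after five consecutive failures, and lock when the same NetID
signs in from two places too far apart to reach in the elapsed time.
Illustrative code for this page, not F&M's systems."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, Optional

MAX_FAILURES = 5          # Account Lockout: five consecutive failures
MAX_SPEED_KMH = 900.0     # assumed ceiling; faster than an airliner is impossible


@dataclass
class Event:
    """One sign-in attempt; the layout is assumed, not an F&M log format."""
    ts: datetime
    netid: str
    success: bool
    lat: float
    lon: float
    source: str


@dataclass
class AccountState:
    failures: int = 0                      # consecutive failures since last success
    last_success: Optional[Event] = None
    locked: bool = False
    reason: str = ""


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def implied_speed_kmh(prev: Event, cur: Event) -> float:
    """Speed needed to get from prev to cur in the elapsed time between them."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def evaluate(events: Iterable[Event]) -> Dict[str, AccountState]:
    """Replay events in time order and apply both lock rules per NetID."""
    states: Dict[str, AccountState] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        st = states.setdefault(ev.netid, AccountState())
        if st.locked:
            continue                      # stays locked until a password reset
        if not ev.success:
            st.failures += 1
            if st.failures >= MAX_FAILURES:
                st.locked, st.reason = True, f"{MAX_FAILURES} consecutive failures"
            continue
        if st.last_success is not None:
            v = implied_speed_kmh(st.last_success, ev)
            if v > MAX_SPEED_KMH:
                st.locked = True
                st.reason = (f"impossible travel {st.last_success.source} -> "
                             f"{ev.source} at {v:.0f} km/h")
        st.failures = 0                   # a success resets the failure count
        st.last_success = ev
    return states


# Constructed sample events (not real log data); coordinates are approximate.
LANCASTER = (40.04, -76.31)     # Lancaster, PA
CALIFORNIA = (37.34, -121.89)   # San Jose, CA
T = datetime(2017, 9, 12, 9, 0)

SAMPLE_EVENTS = [
    Event(T, "jdoe", True, *LANCASTER, "library-pc"),
    Event(T.replace(minute=40), "jdoe", True, *CALIFORNIA, "inside.fandm.edu"),
    *[Event(T.replace(hour=10, minute=m), "asmith", False, *LANCASTER, "vpn") for m in range(5)],
    Event(T.replace(hour=10, minute=6), "asmith", True, *LANCASTER, "vpn"),
    Event(T.replace(hour=11), "bwong", True, *LANCASTER, "library-pc"),
    Event(T.replace(hour=17), "bwong", True, *CALIFORNIA, "inside.fandm.edu"),
]

if __name__ == "__main__":
    for netid, st in evaluate(SAMPLE_EVENTS).items():
        print(netid, "LOCKED" if st.locked else "ok", st.reason)
```

In the sample, jdoe's two sign-ins forty minutes apart imply several thousand km/h and lock the account, asmith is locked on the fifth failure and the later correct password is ignored, and bwong's six-hour gap between the same two locations stays under the ceiling and is left alone. Geolocation of a source address is coarse, so a real deployment would pair this with the source type (campus network, VPN, public computer) rather than relying on coordinates alone.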

--------

Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer

Last Reviewed: 12 September 2017