Password Management Policy:
Supporting documents: Full policy - Standard - Process
The University must develop, implement, and regularly review a formal, documented process for appropriately creating, changing and safeguarding passwords used to validate a user’s identity and establish access to its information systems and data. All University workforce members and students must be regularly trained and reminded about this process.
At a minimum, the University’s password management processes must:
- Require the use of individual passwords to maintain accountability.
- Where appropriate, allow workforce members to select and change their own passwords.
- Require unique passwords that meet the standards defined by the University.
- Require regular password changes.
- Not display passwords in clear text when they are being input into an application.
- Require the storage of passwords in an encrypted form.
- Require passwords to be given to users in a secure manner.
- Require the changing of default vendor passwords following installation of software or hardware.
- Require temporary passwords to be randomly generated and force password change at first logon when possible.
The University’s password management training and awareness must cover the requirements for use of information systems, including, but not limited to:
- The importance of keeping passwords confidential and not sharing them with anyone.
- The need to avoid maintaining a paper record of passwords, unless the record can be stored securely.
- Changing passwords whenever there is any indication of possible information system or password compromise.
- The University’s password standards.
- The importance of not using the same password for personal and business accounts.
- The importance of changing passwords at regular intervals and avoiding re-using old passwords.
- Changing temporary passwords at the first log-on.
- Not including passwords in any automated log-on process (e.g. stored in a web browser, macro or function key).
- Ensuring that University workforce members and students understand all activities involving their user identification and password will be attributed to them.