The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
Assigning unique user logins and requiring password protection is one of several primary safeguards employed to restrict access to the St. Mary’s University network and the data stored within it to only authorized users. If a password is compromised, access to information systems can be obtained by unauthorized individuals, either inadvertently or maliciously. Individuals with St. Mary’s University credentials are responsible for safeguarding against unauthorized access to their account, and as such, must conform to this policy in order to ensure passwords are kept confidential and are designed to be complex and difficult to breach.
Passwords are one of the primary mechanisms that protect University information systems and other resources from unauthorized use. Using secure passwords and following proper password management practices are essential in university business functions and routine account use. Poorly chosen passwords can easily be compromised, putting the security of university data and resources at risk and exposing individual accounts to exploitation. Standards for proper password creation and management reduce these risks. The St. Mary’s University Password Policy establishes minimum standards for the creation and management of passwords used for university computing services, such as Gateway, Email, Canvas, and wireless access.
- All passwords are to be treated as sensitive information and should therefore never be written down or stored online unless secured.
- Passwords should never be shared with any other individual.
- A mandatory change of passwords is instituted on a regular basis according to the allotted days described in the expiration section of this policy. More frequent password changes are encouraged and should reflect departmental security needs. Passwords can be changed using the Password Self-Service tool located on Gateway.
- The expiration period begins on the day the password is changed and restarts with each password change.
- Daily reminders will be sent to employees 15 days prior to and until the password expiration date.
- Once a password has expired, the employee will be forced to change it at the next login attempt.
- New employees must change the password immediately upon logging into the network for the first time.
- Do not save (remember) passwords in web browsers.
- Failure to follow these standards is a violation of the Acceptable Use Policy.
Password Complexity Requirements
- At least sixteen (16) characters.
- Not based on anything somebody else could easily guess or obtain using person-related information (e.g., names, Rattler ID, telephone numbers, dates of birth, etc.); and
- When changing the password, the new password must contain at least one capital letter (A-Z), one digit (0-9), and one special character or symbol, in any order, and must be at least 16 characters long. (Never use the @ symbol in your password.)
Creating Compliant Passwords
Use a Passphrase
A passphrase is similar to a password, but it is generally longer and contains a sequence of words or other text to make the passphrase more memorable. A longer passphrase that is combined with a variety of character types is exponentially harder to breach than a shorter password. However, it is important to note that passphrases based on commonly referenced quotes, lyrics, or other sayings are easily guessable. Passphrases should not be famous quotes or phrases, nor should they be built from information that is specific to you, as either may make them more susceptible to compromise or password-guessing attacks.
Choose a sentence, phrase, or a series of random, disjointed, and unrelated words.
- Use a phrase that is easy to remember.
- Example: Phrase: When I was 5, I learned to ride a bike!
Use a Passphrase Code
A passphrase code can be used in conjunction with the previous method simply by substituting numbers or symbols for some of the letters. Combining these methods makes it easy to meet the password complexity requirements.
- Use a phrase that is easy to remember.
- Capitalize the first letter of every word.
- Substitute numbers or symbols for some of the letters.
- Keep the spaces, substitute a different character for them, or drop them as in the example below.
- Example: Phrase: When I was five, I learned how to ride a bike.
- Password: WhenIwa$5,I3arn3dh0wt0rdb1k3
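To show how the complexity requirements above translate into an enforceable check, here is an added example (not code from St. Mary’s University or from this policy page) that validates a candidate password against the stated rules: at least 16 characters, at least one capital letter, one digit and one special character, no @ symbol, and not based on person-related information. It also implements a reading of the later rule that at least four characters must change between the old and new password. The sample personal-information values, the definition of "special character" (any printable character that is not a letter, digit or whitespace), the 4-character minimum for the personal-information match, and the position-by-position interpretation of "characters changed" are all assumptions made for this example.

```python
import string

# Policy constants from the Password Complexity Requirements section.
MIN_LENGTH = 16
FORBIDDEN_CHARS = frozenset("@")        # the policy says never to use the @ symbol
MIN_CHANGED_CHARS = 4                   # "at least four (4) characters must be changed"

# Constructed sample of person-related values (names, Rattler ID, birth year).
# A real implementation would load these from the account's directory record.
SAMPLE_PERSONAL_INFO = ("Maria", "Lopez", "12345678", "1999")


def is_special(ch: str) -> bool:
    """Assumption: any printable character that is neither alphanumeric
    nor whitespace counts as a 'special character or symbol'."""
    return ch.isprintable() and not ch.isalnum() and not ch.isspace()


def check_password(candidate: str, personal_info=()) -> list:
    """Return the list of complexity rules the candidate violates.

    An empty list means every mechanical check in the policy passed.
    Rules about how the phrase was chosen (famous quotes, song lyrics)
    cannot be verified by code and are not attempted here.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isupper() for ch in candidate):
        problems.append("no capital letter (A-Z)")
    if not any(ch.isdigit() for ch in candidate):
        problems.append("no digit (0-9)")
    if not any(is_special(ch) for ch in candidate):
        problems.append("no special character or symbol")
    if FORBIDDEN_CHARS & set(candidate):
        problems.append("contains the forbidden @ symbol")
    # Case-insensitive substring match against person-related information.
    # Assumption: values shorter than 4 characters are skipped to avoid
    # false positives on initials or very short names.
    lowered = candidate.lower()
    for item in personal_info:
        if len(item) >= 4 and item.lower() in lowered:
            problems.append(f"based on person-related information ({item})")
            break
    return problems


def changed_chars(old: str, new: str) -> int:
    """Count how many characters differ between the old and new password.

    Assumption: 'at least four characters must be changed' is read as
    position-by-position differences plus any change in length. This can
    only be evaluated at change time, when the user supplies both values;
    stored passwords are hashed and cannot be compared this way afterwards.
    """
    positional = sum(1 for a, b in zip(old, new) if a != b)
    return positional + abs(len(old) - len(new))


def meets_change_rule(old: str, new: str) -> bool:
    return changed_chars(old, new) >= MIN_CHANGED_CHARS


if __name__ == "__main__":
    # The policy's own worked example, the plain phrase it started from,
    # and two constructed non-compliant candidates.
    for pw in ("WhenIwa$5,I3arn3dh0wt0rdb1k3",
               "When I was 5, I learned to ride a bike!",
               "password",
               "Maria.Lopez.1999.Rattler"):
        result = check_password(pw, SAMPLE_PERSONAL_INFO)
        print(f"{pw!r}: {'compliant' if not result else '; '.join(result)}")
    # Changing a single digit is not enough under the four-character rule.
    print(meets_change_rule("WhenIwa$5,I3arn3dh0wt0rdb1k3",
                            "WhenIwa$6,I3arn3dh0wt0rdb1k3"))
```

Running the checker on the policy's own example shows one thing the text does not say outright: the plain phrase "When I was 5, I learned to ride a bike!" already satisfies every mechanical rule (length, capital, digit, symbol), so the substitution step is about memorability and unpredictability rather than about passing the complexity filter. The `changed_chars` helper is deliberately kept separate because it needs the previous plaintext, which a server only has for the duration of the change request.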
All users must change their passwords at fixed intervals. Some account types, such as privileged users, must adhere to more frequent password changes as defined below. However, in all cases, Information Services reserves the right to reset a user’s password in the event a compromise is suspected, reported, or confirmed. This helps prevent an attacker from making use of a password that may have been discovered or otherwise disclosed.
Privileged users consist of users with elevated access to information systems, applications, or sensitive/protected data (other than to a local device). Such users have administrator access via a shared account or to multiple systems in the University, and these accounts are at a higher risk for compromise. Privileged users also include users or roles that have access to substantial amounts of sensitive data while performing daily operational tasks. These positions will be identified by the Information Security Office.
- Passwords must not be reused for at least six (6) generations.
- Passwords must not be changed more than one (1) time per day.
- At least four (4) characters must be changed when new passwords are created.
- New passwords must comply with the criteria in Password Standards.
- Mandatory change of passwords is instituted every (180) days.
Service Accounts and Test Accounts
Service accounts are accounts used by a system, task, process, or integration for a specific purpose. Test accounts are accounts used on a temporary basis to imitate a role, person, or training session. Passwords for service accounts and test accounts must be securely generated in accordance with this policy, distributed securely to the account owner, and stored securely in a password manager.
- Passwords must be changed upon suspicion or confirmation of compromise.
- Passwords must be changed when an account owner leaves the institution or transfers into a new role.
- Passwords must comply with the criteria in Password Standards.
- Mandatory change of passwords is instituted every (180) days (on applicable accounts).
Repeated Login Failures – Account Lock
- The account will be automatically locked after four (4) repeated login failures and no more login attempts will be allowed for 30 minutes. The Technical Support Center (210) 431-4357 can assist with resetting a password if the account is locked.
- If you suspect your account has been locked, please contact the Technical Support Center for assistance.
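The lock rule above (four repeated failures, then no attempts for 30 minutes) is easy to state and easy to get subtly wrong, for example by letting a correct password through while the lock is still active or by never clearing the counter once the lock expires. The following added example (not code from the University or from this page) is a small in-memory tracker that enforces the rule as written; the choices that a successful login resets the counter and that attempts made during the lock are rejected without extending it are assumptions for this example, as is passing the clock in explicitly so the behaviour is deterministic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

MAX_FAILURES = 4                        # locked after four (4) repeated login failures
LOCK_DURATION = timedelta(minutes=30)   # no more login attempts for 30 minutes


@dataclass
class LoginState:
    failures: int = 0
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Per-account failure counter implementing the policy's lock rule.

    Assumptions for this example: a successful login resets the failure
    count, attempts made while locked are refused without changing state,
    and the caller supplies the current time (so the logic is testable).
    """

    def __init__(self) -> None:
        self._accounts: Dict[str, LoginState] = {}

    def _state(self, user: str) -> LoginState:
        return self._accounts.setdefault(user, LoginState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # The 30-minute lock has expired: clear it and start a fresh count.
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def record_attempt(self, user: str, succeeded: bool, now: datetime) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'failed'.

        The credential check itself happens elsewhere; this method must be
        consulted BEFORE that check so a locked account refuses even a
        correct password, as the policy requires.
        """
        if self.is_locked(user, now):
            return "locked"
        st = self._state(user)
        if succeeded:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCK_DURATION
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed timeline: four bad attempts, then a correct one during the lock.
    tracker = LockoutTracker()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    for i in range(4):
        print(tracker.record_attempt("rattler01", False, t0 + timedelta(seconds=10 * i)))
    print(tracker.record_attempt("rattler01", True, t0 + timedelta(minutes=10)))  # still locked
    print(tracker.record_attempt("rattler01", True, t0 + timedelta(minutes=31)))  # ok
```

The tracker only stores counts and a timestamp, never the attempted passwords, and the lock expiry is evaluated lazily on the next attempt rather than by a background timer. A help-desk reset, as the policy describes for locked accounts, would correspond to clearing that account's `LoginState`.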
Reporting a Suspected Credentials Compromise
Immediately reset your password using the Password Self-Service tool located on Gateway, or contact the Technical Support Center (TSC) at (210) 431-4357.