Executive Council

Authorizes Release:

Vice President for Administration and Finance

Responsible Area:

Information Services

Review Cycle:

Annually or as required

Last Review:

October 2019

Related Policies and Additional References:


Passwords are one of the primary mechanisms that protect University information systems and other resources from unauthorized use. The use of secure passwords and ensuring proper password management practices are essential in University business functions and routine account use. Passwords that are poorly chosen can easily be compromised imposing risk to the security of University data and resources and exploitation of individual accounts. Standards for proper password creation and management greatly reduce these risks. The St. Mary’s University Employee Password Policy establishes the need for minimum standards for password creation and management used for University computing services; such as Gateway, Email, Canvas, and wireless access.

Password Standards

  • A mandatory change of passwords is instituted on a regular basis at minimum every 180 days. More frequent password changes are encouraged and should reflect departmental security needs. Passwords can be changed using the Password Self-Service tool located on the main Gateway login page.
  • The 180 day begins on the day the password is changed and renews with each password change.
  • Daily reminders will be sent to employees 15 days prior to and until the password expiration date
  • The employee account will be automatically disabled (not deleted) if the password is not changed by the expiration date.
  • A notification email will be sent to the employee whenever the password is changed.
  • New employees are advised to change their initial password immediately.

Strengthen the Password

  • Do not use any word that may be found in any English or foreign dictionary as your password.
  • When changing the password, employees must assign at least one capital letter (A-Z), one digit (0-9), one special character or symbol and must be of at least 10 characters in any order. (Never use the @ symbol in your password)
  • For example, a password may look like: C0nnectPro!9; additionally, the use of a passphrase can increase the strength of authentication credentials.

Repeated Login Failures – Account Lock

  • The account will be automatically locked after eight (8) repeated login failures and no more login attempts will be allowed for 30 minutes. The Technical Support Center (210) 431-4357 can assist with resetting a password if the account is locked.
  • A notification will be shown on the login screen indicating the account is locked due to repeated failed login attempts.
Back to top