Approver(s): Executive Council

Authorizes Release: Vice President for Information Services

Responsible Area: Information Services

Review Cycle: Annually or as required

Last Review: July 2024

Related Policies and Additional References:

Summary

Passwords serve as a fundamental defense mechanism for safeguarding University information systems and other valuable resources against unauthorized use. Constructing secure passwords and diligent password management is imperative for maintaining the integrity of our digital environment. Inadequate password practices can lead to the unauthorized dissemination of information and expose the security of university resources.

Poorly constructed passwords are susceptible to compromise, posing a risk to the confidentiality and accessibility of sensitive data. Establishing and adhering to standards for proper password creation and management significantly mitigates these risks, reinforcing the overall security posture of the University’s information systems and resources.

Purpose

The purpose of this policy is to set a standard for the creation of robust passwords, their secure protection, and the frequency of change. By establishing clear guidelines in these areas, the policy seeks to enhance the overall security posture of the university information systems. Adherence to these standards is essential in fortifying the defenses against unauthorized access and safeguarding sensitive data.

Scope

Assigning unique user logins and enforcing password protection serve as a foundational measure to control access to the St. Mary’s University network and the associated data. This policy ensures that only authorized users have the privilege of accessing information systems. In the event of a compromised password, there is a risk of unauthorized individuals gaining access to sensitive information, whether inadvertently or maliciously.

Individuals holding St. Mary’s University credentials bear the responsibility of preventing unauthorized access to their accounts. Therefore, strict adherence to this policy is essential to guarantee the confidentiality and resilience of passwords against breaches. By conforming to these guidelines, users actively contribute to maintaining the security integrity of the university’s information systems.

Policy Statement

Passwords are an important aspect of computer and network security. They are the front line of protection for user accounts safeguarding University information systems and other resources against unauthorized access. It is crucial to prioritize the use of secure passwords and adhere to proper password management practices in both university business functions and routine account use. Poorly chosen passwords pose a significant risk, potentially compromising the security of university data and resources, and enabling the exploitation of individual accounts. Adhering to established standards for password creation and management is imperative to mitigate these risks.

The St. Mary’s University Password Policy outlines minimum standards for password creation and management, applicable to university computing services such as Gateway, Email, Canvas, and wireless access.

Password Standards

  • Protection of Passwords: All passwords must be treated as sensitive information and should never be written down or stored online unless securely protected.
  • Confidentiality of Passwords: Passwords are strictly confidential and should never be shared with any other individual.
  • Mandatory Password Changes:
    • Regular mandatory password changes are enforced according to the specified expiration period in this policy.
    • More frequent password changes are encouraged to align with departmental security needs.
    • Password changes can be facilitated using the Password Self-Service tool available at Gateway.
  • Password Change Cycle: The password change cycle begins on the day the password is changed and renews with each subsequent change.
  • Reminders and Expiration:
    • Daily reminders will appear when accessing Gateway 15 days prior to and until the password expiration date.
    • Upon expiration, the user will automatically be prompted to change the password at the next login attempt.
  • New Employee Password Requirement: New employees must change the password immediately upon logging into the network for the first time.
  • Use a different password for each online account: It is crucial to use a different password for each of your online accounts. This practice adds an extra layer of security, mitigating the possibility of unauthorized access to your personal and professional information. Prioritizing unique passwords for each account significantly strengthens the security of your digital identity.
  • Browser Security: Avoid saving passwords in web browsers to enhance overall security measures. Consider using a password manager to generate and store passwords.

Failure to follow these standards is a violation of the Acceptable Use Policy.

Password Complexity Requirements

  • Length: Passwords must be a minimum of sixteen (16) characters.
  • Avoidance of Personal Information: Passwords should not be based on easily guessable or obtainable person-related information, such as names, Rattler ID, telephone numbers, dates of birth, etc.
  • Password Change Requirements: When changing the password, ensure it includes at least one capital letter (A-Z), one digit (0-9), and one special character or symbol. The password must be at least 16 characters long, and the elements can appear in any order. (Note: The use of the ‘@’ symbol in passwords is prohibited.)

Creating Compliant Passwords

Use a Passphrase

A passphrase is similar to a password but is typically longer and consists of a sequence of words or other text to enhance memorability. A longer passphrase, when combined with a variety of character types, becomes exponentially more challenging to breach compared to a shorter password. It is crucial to highlight that passphrases based on commonly referenced quotes, lyrics, or sayings are easily guessable. Besides not being derived from famous quotes or phrases, a passphrase should be unique to you, as this uniqueness may increase its resistance to compromise or password-guessing attacks.

Choose a sentence, phrase, or a series of random, disjointed, and unrelated words.

  • Use a phrase that is easy to remember.
    • Example: Phrase: When I was 5, I learned to ride a bike!

Use a Passphrase Code

A passphrase code can be used in conjunction with the previous method simply by replacing some letters with numbers or symbols. Combining these methods makes it easy to meet the password complexity requirements.

  • Use a phrase that is easy to remember.
  • Capitalize the first letter of every word.
  • Replace some letters with numbers or symbols.
  • Keep the spaces or replace them with a different character.
    • Example: Phrase: When I was five, I learned how to ride a bike.
    • Password: WhenIwa$5,iL3arn3dh0wt0rdb1k3.
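To make the Password Complexity Requirements above concrete, and to show that the sample password from the passphrase-code steps actually satisfies them, here is an added checker written for this page; it is not St. Mary’s University’s own tooling. It encodes the stated rules (at least 16 characters; at least one capital letter, one digit and one special character; the ‘@’ symbol prohibited). The policy does not define "special character", so ASCII punctuation other than ‘@’ is assumed. The check against person-related information (names, Rattler ID, telephone number, date of birth) goes beyond the wording of the policy: it is one assumed way of enforcing the "Avoidance of Personal Information" rule, rejecting any supplied token of four or more characters that appears in the password regardless of case. The `PersonalInfo` class, its field names and the sample user are hypothetical.

```python
"""Checker for the Password Complexity Requirements stated in the policy above.
Added illustration, not St. Mary's University's own tooling.  Rules encoded:
  - at least 16 characters
  - at least one capital letter (A-Z), one digit (0-9), one special character
  - the '@' symbol is prohibited
  - no easily obtainable person-related information (names, Rattler ID, phone, DOB)
The personal-information check is an assumption about how that rule might be
enforced: any supplied token of four or more characters is rejected if it
appears in the password, ignoring case."""
import string
from dataclasses import dataclass, field
from typing import List, Optional

MIN_LENGTH = 16
FORBIDDEN_CHARS = {"@"}
# The policy does not define "special character"; ASCII punctuation minus '@' is assumed.
SPECIAL_CHARS = set(string.punctuation) - FORBIDDEN_CHARS


@dataclass
class PersonalInfo:
    """Hypothetical bundle of user attributes the checker compares against."""
    names: List[str] = field(default_factory=list)
    rattler_id: str = ""
    phone: str = ""
    date_of_birth: str = ""   # assumed format YYYY-MM-DD

    def tokens(self) -> List[str]:
        """Substrings that must not appear in a password (4+ chars to avoid noise)."""
        phone_digits = "".join(c for c in self.phone if c.isdigit())
        dob_digits = "".join(c for c in self.date_of_birth if c.isdigit())
        raw = list(self.names) + [self.rattler_id, self.phone, self.date_of_birth,
                                  phone_digits, dob_digits,
                                  dob_digits[:4], dob_digits[4:]]   # year, MMDD
        return [t.lower() for t in raw if len(t) >= 4]


def check_password(password: str, info: Optional[PersonalInfo] = None) -> List[str]:
    """Return the list of violated requirements; an empty list means compliant."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter (A-Z)")
    if not any(c.isdigit() for c in password):
        problems.append("no digit (0-9)")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character or symbol")
    if any(c in FORBIDDEN_CHARS for c in password):
        problems.append("contains the prohibited '@' symbol")
    if info is not None:
        lowered = password.lower()
        for token in info.tokens():
            if token in lowered:
                problems.append(f"contains personal information ({token!r})")
                break
    return problems


def is_compliant(password: str, info: Optional[PersonalInfo] = None) -> bool:
    return not check_password(password, info)


if __name__ == "__main__":
    # Constructed sample user; none of these values are real.
    user = PersonalInfo(names=["Jane", "Doe"], rattler_id="S00123456",
                        phone="210-555-0199", date_of_birth="2001-07-14")
    for candidate in ["WhenIwa$5,iL3arn3dh0wt0rdb1k3.",   # the policy's own example
                      "JaneDoe2001!Rattler",              # built from personal data
                      "Sunset@Harbor2024!",               # uses the prohibited '@'
                      "short1!"]:                         # too short, no capital
        print(f"{candidate!r}: {check_password(candidate, user) or 'compliant'}")
```

Returning the full list of violations rather than a bare pass/fail lets a self-service change page tell the user exactly which rule a rejected password missed, which is what the policy's reminder and reset workflow needs. The checker never stores or logs the candidate password itself.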

Password Expiration

All users are required to change their passwords at fixed intervals. Certain account types, including privileged users, must undergo more frequent password changes, as specified below. In addition, Information Services retains the authority to reset a user’s password if there is suspicion, report, or confirmation of compromise. This measure is taken to prevent attackers from exploiting a potentially compromised password.

Standard Users

Standard users consist of faculty, staff, and students who are not privileged users.

  • Password Change due to Compromise: Passwords must be changed upon suspicion or confirmation of compromise.
  • Compliance with Standards: New passwords must adhere to the criteria outlined in the Password Standards.
  • Mandatory Change Interval: Passwords must be changed every three hundred and sixty-five (365) days.

Privileged Users

Privileged users are individuals with elevated access to information systems, applications, or sensitive/protected data (other than to a local device). These users typically have administrator access through a shared account or to multiple University systems, posing a higher risk of compromise. The identification of these roles will be managed by the Information Security Office.

  • Password Reuse: Passwords should not be reused for at least six (6) generations.
  • Daily Change Limit: Passwords should not be changed more than once (1) per day.
  • Character Change Requirement: At least four (4) characters must be modified when creating new passwords.
  • Compliance with Standards: New passwords must adhere to the criteria outlined in the Password Standards.
  • Mandatory Change Interval: Passwords must be changed every one hundred and eighty (180) days.

Service Accounts and Test Accounts

Service accounts are accounts used by a system, task, process, or integration for a specific purpose. Test accounts are accounts used on a temporary basis to imitate a role, person, or training session. Passwords for service accounts and test accounts must be securely generated in accordance with this policy, distributed securely to the account owner, and stored securely in a password manager.

  • Password Change due to Compromise: Passwords must be changed upon suspicion or confirmation of compromise.
  • Password Change on Account Owner Change: Passwords must be changed when an account owner leaves the institution or transfers into a new role.
  • Compliance with Standards: Passwords must adhere to the criteria outlined in the Password Standards.
  • Mandatory Change Interval: Passwords must be changed every one hundred and eighty (180) days, applicable to relevant accounts.

Repeated Login Failures – Account Lock

  • Account Locking Policy: The account will automatically be locked after eight (8) repeated login failures, and no further login attempts will be allowed for 30 minutes. For password resets when the account is locked, contact the Technical Support Center at (210) 431-4357.
  • User Notification: If you suspect your account has been locked, please contact the Technical Support Center for assistance.
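The account-lock rule above (eight repeated login failures, then no further attempts for 30 minutes) is simple to state but has one detail worth seeing in code: while the lock is open, a login attempt must be refused before the password is evaluated, so that a correct guess during the window is answered exactly like a wrong one. The following is an added illustration written for this page, not the University’s authentication code; the in-memory state table, the `LockoutTracker` class and the injectable clock are assumptions made so the logic runs and can be exercised offline without waiting 30 minutes.

```python
"""Account-lock logic matching the policy rule: eight consecutive failed logins
lock the account, and no further attempts are accepted for 30 minutes.
Added illustration, not the University's authentication code.  The in-memory
state table and the injectable clock are assumptions so it runs offline; a real
deployment keeps this state server-side and logs every lock event."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_FAILURES = 8
LOCK_SECONDS = 30 * 60


@dataclass
class _UserState:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


@dataclass
class LockoutTracker:
    clock: Callable[[], float] = time.time
    _states: Dict[str, _UserState] = field(default_factory=dict, repr=False)

    def _state(self, user: str) -> _UserState:
        return self._states.setdefault(user, _UserState())

    def is_locked(self, user: str) -> bool:
        """True while the 30-minute window is open; clears an expired lock."""
        st = self._state(user)
        if st.locked_until and self.clock() < st.locked_until:
            return True
        if st.locked_until:        # window elapsed: reset the counter
            st.locked_until = 0.0
            st.failures = 0
        return False

    def seconds_remaining(self, user: str) -> int:
        """Seconds until the account unlocks on its own (0 when not locked)."""
        if not self.is_locked(user):
            return 0
        return max(0, int(self._state(user).locked_until - self.clock()))

    def record_attempt(self, user: str, password_ok: bool) -> str:
        """Outcome of one login attempt: 'locked', 'ok', 'failed' or 'locked_now'.

        A locked account refuses the attempt before the password is evaluated,
        so a correct guess inside the window gets the same answer as a wrong one."""
        if self.is_locked(user):
            return "locked"
        st = self._state(user)
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = self.clock() + LOCK_SECONDS
            return "locked_now"
        return "failed"


if __name__ == "__main__":
    # Constructed walk-through with a fake clock so no real waiting is needed.
    now = [0.0]
    tracker = LockoutTracker(clock=lambda: now[0])
    outcomes = [tracker.record_attempt("sample.user", False) for _ in range(MAX_FAILURES)]
    print(outcomes)                                      # 7 x 'failed', then 'locked_now'
    print(tracker.record_attempt("sample.user", True))   # 'locked' even with the right password
    print(tracker.seconds_remaining("sample.user"))      # 1800
    now[0] += LOCK_SECONDS + 1
    print(tracker.record_attempt("sample.user", True))   # 'ok' once the window has passed
```

Because anyone who knows a username can drive its failure counter up, a production implementation should emit a log event on every `locked_now` transition so the Information Security Office can spot bursts of locks across many accounts, and the policy's manual reset path through the Technical Support Center remains the only way to clear a lock early.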

Reporting a Suspected Credentials Compromise

Password Reset Options: Reset your password using the Password Self-Service tool located in Gateway or contact the Technical Support Center (TSC) immediately at (210) 431-4357.

Definitions

  • Account Locking: A security measure that prevents further login attempts after a specified number of failed login attempts.
  • Compromise: The unauthorized access, disclosure, or alteration of sensitive information or resources.
  • Credentials Compromise: Suspected or confirmed unauthorized access to or disclosure of user account credentials.
  • Confidentiality: The principle of protecting sensitive information from unauthorized disclosure to maintain privacy and security.
  • Integrity: The assurance that data remains accurate, consistent, and reliable throughout its lifecycle, safeguarding against unauthorized modification or tampering.
  • Privileged Users: Individuals with elevated access rights and permissions to sensitive university information systems and data.
  • Service Accounts: Accounts used by automated processes or systems for specific functions or tasks.