policies:password_policy

Revision history: created 2016/07/14 21:05 by peter; current revision 2020/07/15 09:30 (external edit from 127.0.0.1).
  * Vetting User identity when issuing or resetting a password;
  * Account passwords must comply with the following password strength requirements:
    * Account passwords associated only with Controlled or Published Data must:
      * Be at least 6 characters in length; and
      * Be minimally composed of case-sensitive letters and digits.
    * Account passwords associated only with Controlled or Published Data must not:
      * Include personal information such as your name, phone number, identity number, date of birth, or addresses; or
      * Be composed of a single word found in a dictionary.
    * Account passwords associated with Confidential Data must:
      * Be at least 12 characters in length; and
      * Contain letters, numbers, and special characters (for example ! @ # $ % & * ( ) - + = < >).
    * Systems hosting Confidential Data must also accept a reasonably long maximum password length so that users can choose longer passphrases.
    * Account passwords associated with Confidential Data must not:
      * Include personal information such as your name, phone number, social security number, date of birth, or addresses;
      * Be composed of a single word found in a dictionary;
      * Re-use any of the account's last 10 passwords;
      * Contain a series of the same character; or
      * Contain the user's account name.
  * All password change procedures must include the following:
    * Authentication of the user prior to changing the password (acceptable forms of authentication include answering a series of specific questions, showing one or more forms of photo ID, etc.).
    * The new password must comply with the password strength requirements associated with the data classification of the service in question.
  * System identity credentials (security tokens, security certificates, smartcards, and other access and identification devices) must be disabled or returned to the appropriate department or entity on demand or upon termination of the relationship with the System. Additional operating guidelines for ID cards are referenced in the System Identification Card Guidelines and the Data Encryption Guidelines.
  * Unattended computing devices must be secured against unauthorized access using a combination of physical and logical security controls commensurate with the associated risks. Physical security controls include barriers such as locked doors or security cables. Logical security controls include screen saver passwords and automatic session time-outs set to activate after 15 minutes of inactivity.

For more information on creating secure "strong" passwords, please see the Password Guidelines published by Information Technology Services.
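One way to enforce the two-tier strength rules above at password set or reset time, written here as an added example rather than anything the policy or Information Technology Services publishes. The policy leaves several details open, and the choices made for them here are assumptions, marked in the code: "case sensitive letters and digits" is read as at least one lower-case letter, one upper-case letter and one digit; "special characters" means any character that is not a letter or digit; a "series of the same character" means three or more in a row; the dictionary is a small constructed word list; and the password history is kept as salted PBKDF2-HMAC-SHA256 hashes rather than plaintext. The `Account` type, `check_password` and `remember_password` are names introduced for this example.

```python
"""Validator for the password strength rules in the policy above (added example)."""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

CONTROLLED = "controlled"      # Controlled or Published Data
CONFIDENTIAL = "confidential"  # Confidential Data

HISTORY_DEPTH = 10             # "last 10 passwords", from the policy
PBKDF2_ITERATIONS = 100_000    # assumption; tune to the deployment
MIN_PERSONAL_TOKEN = 3         # assumption: ignore personal-info tokens shorter than this

# Constructed stand-in for a real dictionary word list (assumption).
DICTIONARY = {"password", "welcome", "dragon", "monkey", "sunshine", "letmein"}

REPEAT_RUN = re.compile(r"(.)\1{2,}")   # assumption: 3+ identical characters in a row
NORMALIZE = re.compile(r"[^a-z0-9]")     # strip separators before personal-info matching


@dataclass
class Account:
    username: str
    personal_info: list[str]                                    # name, phone, ID number, DOB, address...
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash) of prior passwords


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 does not truncate its input, so long passphrases are hashed in full.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def remember_password(account: Account, password: str) -> None:
    """Record a newly set password as a salted hash, keeping only the last HISTORY_DEPTH."""
    salt = secrets.token_bytes(16)
    account.history.append((salt, _hash(password, salt)))
    del account.history[:-HISTORY_DEPTH]


def _in_history(account: Account, password: str) -> bool:
    # Each entry has its own salt, so the candidate is re-hashed per entry.
    return any(hmac.compare_digest(_hash(password, salt), digest)
               for salt, digest in account.history)


def _normalize(s: str) -> str:
    return NORMALIZE.sub("", s.lower())


def check_password(password: str, account: Account, tier: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    if tier not in (CONTROLLED, CONFIDENTIAL):
        raise ValueError(f"unknown data classification: {tier}")
    violations: list[str] = []

    min_len = 12 if tier == CONFIDENTIAL else 6
    if len(password) < min_len:
        violations.append(f"shorter than {min_len} characters")

    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    if tier == CONTROLLED and not (has_lower and has_upper and has_digit):
        violations.append("needs upper- and lower-case letters and a digit")
    if tier == CONFIDENTIAL and not ((has_lower or has_upper) and has_digit and has_special):
        violations.append("needs letters, digits and special characters")

    # Personal information: compare with separators removed, so "555-0100" catches "5550100".
    norm_pw = _normalize(password)
    for token in account.personal_info:
        t = _normalize(token)
        if len(t) >= MIN_PERSONAL_TOKEN and t in norm_pw:
            violations.append(f"contains personal information ({token!r})")

    if password.lower() in DICTIONARY:
        violations.append("is a single dictionary word")

    if tier == CONFIDENTIAL:
        if _in_history(account, password):
            violations.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if REPEAT_RUN.search(password):
            violations.append("contains a run of the same character")
        if account.username.lower() in password.lower():
            violations.append("contains the account name")
    return violations


if __name__ == "__main__":
    acct = Account("jsmith", ["John Smith", "555-0100", "1990-04-12"])  # constructed sample user
    for pw, tier in [("Abc123", CONTROLLED), ("dragon", CONTROLLED),
                     ("Correct-Horse-9!", CONFIDENTIAL), ("jsmith5550100aaa!", CONFIDENTIAL)]:
        print(f"{tier:12} {pw!r}: {check_password(pw, acct, tier) or 'OK'}")
```

Two points the policy implies but does not spell out are visible in the code: the history must be kept as salted hashes, since a plaintext history list is a second copy of every old password, and the hash used for history and for storage must not silently truncate, because systems holding Confidential Data are required to accept long passphrases. PBKDF2 as used here hashes the whole input, whereas bcrypt truncates at 72 bytes.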
  
policies/password_policy.1468530323.txt.gz · Last modified: 2020/07/15 09:30 (external edit)