Password Guidance

PURPOSE
The purpose of having password guidelines is to ensure a more consistent measure of security for the University’s network and the information it contains. The implementation of these guidelines will better safeguard the personal and confidential information of all individuals and organizations affiliated, associated, or employed by Bryant University. Additionally, these guidelines establish a standard for the creation of strong passwords and the protection of those passwords.

SCOPE
The scope includes all personnel who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system, or who have access to Bryant University information resources. In the case of an information system managed by a third party, the third party’s security controls shall meet or exceed this standard.

GUIDELINES
1.0 General

1.1 Passwords must not be inserted into e-mail messages or other forms of electronic communication
and should not be shared with anyone, including via e-mail or phone conversations. Passwords should never be sent in "clear text".

1.2 Passwords should not be written down or stored electronically without encryption.

1.3 Do not use the same password for Bryant accounts as for other non-Bryant access (e.g., personal
banking, social media, etc.).

1.4 Do not share Bryant passwords with anyone. All passwords are to be treated as sensitive,
confidential information.

1.5 All user-level and system-level passwords must conform to the guidelines described below.

1.6 All system-level (system administrator) passwords (e.g., root, enable, admin, application
administration accounts, etc.) should be changed every ninety (90) days. All user-level passwords (e.g., e-mail, NetID, desktop computer, etc.) should be changed every one hundred and eighty (180) days.

1.7 If an account or password is suspected of being compromised, the incident should be reported to the appropriate access administrator and the user should change the password immediately.

1.7 Minimum Length

Eight (8) characters

1.8 Composition

  • Must contain characters from three (3) of the following four (4) categories; this requirement is enforced when a password is created or changed:
    • Upper Case Letters: A through Z
    • Lower Case Letters: a through z
    • Numerals: 0 through 9
    • Non-alphanumeric characters, such as: ! @ # % $
  • The password should not contain the user's first name, middle name, last name, or username.
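The minimum-length and composition rules above can be checked mechanically when a password is created or changed. The following validator is an added illustration, not code from the University or from any Bryant system; the four category tests are the ASCII ranges the guideline lists (so an accented letter counts toward none of them), and the name/username comparison is case-insensitive, which the guideline does not specify but which is the safer reading.

```python
import string

# Added example: a validator for the composition rules above.
# Not Bryant University code; the comparison details are assumptions.

MIN_LENGTH = 8                 # "Eight (8) characters"
REQUIRED_CATEGORIES = 3        # "three (3) of these four (4) categories"

# The four categories exactly as the guideline lists them (ASCII only).
CATEGORIES = {
    "upper":  lambda c: "A" <= c <= "Z",
    "lower":  lambda c: "a" <= c <= "z",
    "digit":  lambda c: "0" <= c <= "9",
    "symbol": lambda c: c in string.punctuation,   # ! @ # % $ and the rest of ASCII punctuation
}


def categories_present(password):
    """Return the set of category names that appear at least once in the password."""
    return {name for name, test in CATEGORIES.items() if any(test(c) for c in password)}


def check_password(password, first_name="", middle_name="", last_name="", username=""):
    """Return a list of rule violations; an empty list means the password is acceptable.

    Name fields are optional; empty ones are skipped. Matching is case-insensitive
    (assumption: the guideline only says the password "should not contain" them).
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    present = categories_present(password)
    if len(present) < REQUIRED_CATEGORIES:
        problems.append(f"only {len(present)} of {len(CATEGORIES)} character categories present")

    lowered = password.lower()
    identity = (
        ("first name", first_name),
        ("middle name", middle_name),
        ("last name", last_name),
        ("username", username),
    )
    for label, value in identity:
        if value and value.lower() in lowered:
            problems.append(f"contains the user's {label}")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("password", "Ab1!", "Smith2024!", "Tr0ub4dor&3"):
        print(repr(pw), "->", check_password(pw, first_name="Jane", last_name="Smith", username="jsmith") or "ok")
```

Because the function returns every violated rule rather than stopping at the first, a password-change form can show the user all of the reasons at once; the category count is also exposed separately so a strength meter can reuse it.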

2.0 Self-Service Password Reset
The University utilizes a self-service password reset solution to allow users who have forgotten their password to authenticate with alternate credentials to establish their identity and update their password. When utilizing the self-service password reset solution:

  • Be certain to choose appropriate questions with answers that are not widely known or shared on social media platforms.
  • Self-service password reset answers need to be protected in the same manner as passwords themselves, as outlined above.
  • Just like passwords, self-service password reset answers should expire periodically to ensure they stay updated and relevant.

3.0 Application Development Standards
Application developers must ensure their programs contain the following security precautions. Applications:
  • Shall support authentication of individual users, not groups.
  • Shall not store passwords in clear text or in any easily reversible form.
  • Shall not transmit passwords in clear text over the network.
  • Shall provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
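One way to meet the second requirement (no clear-text or easily reversible storage) is to keep only a random per-user salt and a slow, one-way digest of the password, and to recompute that digest at login. The following is an added example using the Python standard library's PBKDF2-HMAC; it is not code from the University or from any Bryant application, and the iteration count, salt size and record format are illustrative choices rather than values taken from this document.

```python
import hashlib
import hmac
import os

# Added example of non-reversible password storage; not Bryant University code.
# Parameter values below are assumptions, not figures from the policy.
HASH_NAME = "sha256"
ITERATIONS = 600_000     # slows down offline guessing; tune to your hardware
SALT_BYTES = 16          # a fresh random salt per stored password
DIGEST_BYTES = 32


def hash_password(password, salt=None):
    """Return a storable record "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".

    The plaintext is never stored; only the salt and the derived digest are.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest from the stored salt and iteration count, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        hash_name = scheme.split("_", 1)[1]          # "pbkdf2_sha256" -> "sha256"
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except (ValueError, IndexError):
        return False                                 # malformed record: never accept
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched through timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: store a record, then check a right and a wrong password.
    record = hash_password("Tr0ub4dor&3")
    print(record)
    print("correct password accepted:", verify_password("Tr0ub4dor&3", record))
    print("wrong password accepted:  ", verify_password("Tr0ub4dor&4", record))
```

Embedding the iteration count in the stored record lets the application raise ITERATIONS later and re-hash each user's password on their next successful login, without invalidating existing accounts; the third requirement (no clear-text transmission) is outside this example and is normally met by placing the login endpoint behind TLS.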

4.0 Enforcement
The University considers any violation of the directives outlined within this document to be an objectionable offense. Failure to comply may subject the violator to disciplinary action by the University.

5.0 Exceptions
Any exceptions to directives outlined within this document are to be reviewed and approved by the Information Security Program Committee as needed.

6.0 Enacted and Revisions
Date Enacted: 10/22/2012
Revision: 1.3
Last Reviewed: 5/20/2016
Next Review: May 2017

7.0 Standards and Reference Categories
ISO 27002: 11.3.1 – Password Use
PCI DSS 2.0: 8.5, 8.5.8