Information Technology Services
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of SUNYIT’s entire network and attached systems. As such, all SUNYIT users (including students, faculty, staff, guests, contractors and vendors with access to SUNYIT systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
The scope of this policy includes all students, faculty and staff who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any SUNYIT facility, has access to the SUNYIT network, or stores any non-public SUNYIT information.
4.0 Password Aging Requirement
- All system-level passwords must be changed every six months.
- All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least annually.
- Users will be notified prior to password expiration.
5.1 Password Complexity Requirement
- All passwords must be at least eight characters in length.
- Passwords must not have been used in two previous passwords cycles.
- Passwords must not contain the individual's name or account name.
- Passwords must contain at least three of the following four character groups:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Numerals (0 through 9)
- Non-alphabetic characters (such as !, $, #, %)
5.2 General Password Construction Guidelines
Poor, weak passwords have the following characteristics:
- The password contains less than eight characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
- Names of family, pets, friends, co-workers, fantasy characters, etc.
- Computer terms and names, commands, sites, companies, hardware, software.
- The words "SUNYIT” or any derivation.
- Birthdays and other personal information such as addresses and phone numbers.
- Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Any of the above spelled backwards.
- Simple substitutions of digits for letters. Zero for “o” (oh), numeral 1 (one) for l (ell)
- Bracketing the above with “#” or “!” or similar using non-alphanumeric characters.
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
5.3 Password Protection Guidelines
Here is a list of "don’ts":
- Don't reveal a password over the phone to ANYONE
- Don't reveal a password in an email message
- Don't reveal a password to the boss
- Don't talk about a password in front of others
- Don't hint at the format of a password (e.g., "my family name")
- Don't reveal a password on questionnaires or security forms
- Don't share a password with family members
- Don't reveal a password to co-workers
- Don’t use the same password for SUNYIT accounts as for other non-SUNYIT access (e.g., personal ISP account, personal email accounts, etc.).
- All passwords are to be treated as sensitive, Confidential SUNYIT information.
- Don’t use the "Remember Password" feature of applications (e.g., Eudora, OutLook, Netscape Messenger).
- Don’t write passwords down and store them anywhere in your office.
- Don’t store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
- If an account or password is suspected to have been compromised, report the incident to SUNYIT Helpdesk staff and change all passwords.
- Any user found to have violated this policy will be required to immediately change passwords.
- Accounts for which required password change is not performed will be locked.
- Users will be notified in December and reminded in January of each year that passwords must be changed. Accounts will be locked on January 31 if the password is not changed.
7.0 Revision History
- Initial Policy Draft Generated – 1/13/2013 - AJB
8.0 Policy Approvals
Reviewed by SUNY Counsel’s Office 3/14/2013
Edited by Provost Durgin 3/28/2013