Passwords are an important aspect of computer systems security. AU provides credentials for users to gain access authentication to University’s online information technology resources such as email, institutional data, University websites, academic data, cloud computing processes, and other sensitive services. Passwords are typically the first line of protection for user accounts. A poorly chosen password may result in a serious breach in network and systems security resulting in
- Loss or exposure of potentially sensitive data
- System compromise
- Compromise of other network systems
This policy establishes minimum standards for the creation and protection of each person’s University password(s). All users accessing AU IT resources are bound by the requirements as described in this policy for the creation of strong passwords, the protection of those passwords, and the frequency of change.
This policy applies to all AU IT systems and resources that require password authentication. All system administrators and users of University IT resources are responsible for implementing and maintaining the requirements outlined in this document.
This policy also applies to certain non-AU IT systems accounts, such as cloud computing applications, that provide access to sensitive University information and information systems where the exposure may have significant impact on University operations. Do not use the same password for AU accounts as for other non-AU access, such as, online banking, personal ISP accounts, Facebook, MySpace, Twitter, or other social network accounts. This policy does not apply to password-protected files, encryption key passphrases, or local accounts that do not interface with AU user account authentication systems (Kerberos, LDAP, and Active Directory)
Users must note that all system authentication credentials assigned to them are for their own personal use. Authentication credentials must not be shared or disclosed to any third party other than authorised system support personnel. It will be a breach of this policy for any user to misuse their or other users authentication credentials. If any such misuse results in a user knowingly elevating their system privileges above those that they have been authorised to use then this will be considered an act of gross misconduct.
Individuals must have a unique identifier and password for each University account.
- All AU owned electronic devices that access confidential/restricted University data must have password protection enabled.
- Passwords must be stored in irreversible encryption format whenever possible.
- Passwords must contain at least eight (8) characters, in combination as follows:
- At least one upper case alphabetic character.
- At least one lower case alphabetic character.
- At least one numeric character (1, 2, 3, etc.).
- At least one punctuation or symbol character (@, $, #, etc.).
- Do not use ‘ “ or blank spaces as they may not work with all University systems.
- Passwords must be changed at least once every 5 days.
- Administrator user accounts that have system-level privileges granted through group memberships must have unique passwords for each account(s) held by that user.
- The Help Desk and system administrators must verify the identity of users when assigning or resetting passwords.
- All vendor supplied default passwords must be changed prior to any application or program's implementation to a production environment.
- Password guidelines
Passwords prevent other people from reading your email, accessing your network files, changing your Web pages, or sending messages from your account. These guidelines will assist you in creating a more secure password that is less susceptible to being broken.
Passwords should not be
- May not contain any part of your name or username.
- May not use single words found in the dictionary.
- May not contain spaces.
- Must contain three (3) or more of the following:
- At least one upper-case alphabetic character.
- At least one lower-case alphabetic character.
- At least one numeric digit (e.g. 1, 2, 3…)
- At least one punctuation or symbol character (e.g. ^, $, #)
- Names of family, pets, friends, co-workers, fantasy characters, etc.
- A word in any language, slang, dialect, jargon, etc.
- Computer terms and names, commands, sites, companies, hardware, software, etc.
- Personal information such as birthdays, addresses, phone numbers, etc.
- Words or number patterns like aaabbb, 123321, etc.
- Don't reveal passwords over the phone to anyone.
- Don't reveal passwords in an email message.
- Don't talk about passwords in front of others.
- Don't reveal passwords on questionnaires or security forms.
- Don't share passwords with anyone, including family members.
- Don't reveal passwords to co-workers while on vacation or leave.
- Don't write passwords down and store them anywhere in your office.
- Don't store passwords in a file on any computer system including smart phones, PDAs, or similar devices, unless that file is encrypted.
- Don't use the same password for AU accounts as for other non-AU access.
The ICTS office of the University has the responsibility to enforce this policy through systematic means and/or departmental network administrators, IT system administrators, and system users. All AU employees are responsible for complying with this policy. Failure to comply may result in disciplinary action.
This policy may be amended at any time by the ICTS office of AU University consistent with current University policies and applicable law. Changes will be reviewed by appropriate University entities prior to posting on the information technology public website.
Interim Policy Effective Date: January, 2014
Last Reviewed: January, 2014