Purpose:
The purpose of this policy is to establish secure guidelines for password and PIN administration.
Statement:
Passwords and PINs must be properly structured, routinely changed, and kept strictly confidential.
Description:
- Each individual user must keep their passwords and PINs for all accounts secret. At no time are user IDs, passwords, or PINs to be shared with others.
- Passwords will not be displayed on screens as they are entered.
- Passwords and PINs must be changed whenever there is any indication of possible system or password compromise.
- Passwords and PINs must be encrypted when held in storage for any significant period of time or when transmitted across the network.
- Passwords and PINs must never be embedded in sign-on utilities; users must never be able to authenticate at sign-on by using a function key or running an available program.
- Passwords and PINs must have a minimum length of 8 characters, including at least one uppercase letter, one lowercase letter, and one numeric character. Note: Passwords which allow access to the SIS database (Colleague) cannot be any variation of the username ID.
- Passwords and PINs must be changed every 90 days.
- Initial passwords which allow access to our SIS database (Colleague) must be marked as expired, and users must be required to change the password/PIN at the first use.
- User-chosen passwords and PINs must not be reused for 10 iterations.
- Guest logins are available; they are issued by the help desk or a UTS administrator and are to be changed on a routine basis.
- Users may reset their password by visiting the Community System website and using the Reset password option.
- Users with access to the SIS database (Colleague) must contact the help desk if a manual password reset is required; this requires positive identification.
- A clear-text user ID and associated password must never be delivered in a single message and/or via the same medium.
Additional Information: See also Password Notification.
Approved By: Managers and CIO
Date of Origination: 5/8/2008
Last Reviewed: 11/26/2012