Belmont University

Computer and Network Passwords Guidelines and Policy

Guidelines

General Password Guidelines
Passwords are used for various purposes at the University. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. As a rule, passwords are the responsibility of the end-user and must be managed by the end-user. When an employee leaves the university, all computer and network passwords must be changed on the effective leave day unless approved by a Vice-president in writing.

Poor or weak passwords have the following characteristics:

  • The password contains fewer than six characters
  • The password is a word found in a dictionary (English or foreign)
  • The password is a common usage word such as:
    • Names of family, pets, friends, co-workers, fantasy characters, etc.
    • Computer terms and names, commands, sites, companies, hardware, software.
    • Organization, place or event names like "Drexel", "Philly", "SuperBowl" or any derivation.
    • Birthdays and other personal information such as addresses and phone numbers.
    • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
    • Any of the above spelled backwards.
    • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
  • Passwords must not be inserted into email messages or other forms of electronic communication

Strong passwords have the following characteristics:

  • Contain both upper and lower case characters (e.g., a-z, A-Z)
  • Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=`{}[]:";'<>?,./)
    • Passwords for Banner and WebFinancials must begin with a letter and cannot contain these characters: $ ! & " or '
  • Are at least seven alphanumeric characters long.
  • Are not a word in any language, slang, dialect, jargon, etc.
  • Are not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. End Users should try to create passwords that can be easily remembered. For example, an End User can create a password based on a song title, affirmation, or other phrase, e.g. the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. NOTE: Do not use any of these examples as passwords!

Password Protection Standards
End Users should not use the same password for University accounts as for other non-College access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, End Users should not use the same password for various College access needs. Also, End Users should select separate passwords for a Windows domain account, a network account, an Oracle account, and an ISP account.

End Users must not share university passwords with anyone, including administrative assistants, secretaries, assistants, or the user services support staff. All passwords are to be treated as sensitive, confidential university information.

Here is a list of "don'ts":

  • Don't reveal a password over the phone to ANYONE
  • Don't reveal a password in an email message
  • Don't reveal a password to the boss
  • Don't talk about a password in front of others
  • Don't hint at the format of a password (e.g., "my family name")
  • Don't reveal a password on questionnaires or security forms
  • Don't share a password with family members
  • Don't reveal a password to co-workers while on vacation
  • Don’t reuse passwords in the course of one year
  • When changing a password, don't derive it from a previous password (e.g., TmB1w2R!-1 becomes 1TmB1w2R!-2)
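As an added illustration (not part of the University's policy text or of any Belmont system), the following Python checker encodes the strong-password characteristics above, the Banner/WebFinancials character restriction, and the rule against deriving a new password from the previous one; the tiny word lists and the "trim digits and punctuation from both ends" heuristic are assumptions made for the example:

```python
import string

# Constructed stand-ins for the word lists the policy refers to; a real deployment
# would load a full dictionary plus the University's own names, not these entries.
DICTIONARY_WORDS = {"secret", "password", "belmont", "drexel", "philly", "superbowl"}
KEYBOARD_PATTERNS = {"aaabbb", "qwerty", "zyxwvuts", "123321"}
BANNER_FORBIDDEN = set('$!&"\'')   # characters Banner/WebFinancials reject
_EDGE = string.digits + string.punctuation


def core(pw):
    """Lower-cased password with digits/punctuation trimmed from both ends, so
    'Secret1', '1secret' and 'secret!' all reduce to 'secret'."""
    return pw.lower().strip(_EDGE)

def is_common_word(pw):
    """True if the password, forwards or backwards, is a listed word or pattern,
    with or without surrounding digits/punctuation (the weak-password list above)."""
    banned = DICTIONARY_WORDS | KEYBOARD_PATTERNS
    candidates = {pw.lower(), core(pw)}
    return any(c in banned or c[::-1] in banned for c in candidates if c)

def is_derived(new, previous):
    """The policy forbids deriving a new password from the old one (TmB1w2R!-1 ->
    1TmB1w2R!-2); flag equal cores or one core contained in the other."""
    a, b = core(new), core(previous)
    return bool(a and b) and (a in b or b in a)

def check_password(pw, previous="", banner=False):
    """Return the policy rules a candidate violates; an empty list means acceptable."""
    problems = []
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a punctuation character")
    if is_common_word(pw):
        problems.append("based on a dictionary word or keyboard pattern")
    if previous and is_derived(pw, previous):
        problems.append("derived from the previous password")
    if banner:
        if not pw[:1].isalpha():
            problems.append("Banner/WebFinancials: must begin with a letter")
        if BANNER_FORBIDDEN & set(pw):
            problems.append("Banner/WebFinancials: contains $ ! & \" or '")
    return problems
```

Run `check_password("secret1")` to see several rules fire at once; pass `previous=` when validating a password change and `banner=True` for Banner/WebFinancials accounts.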

If someone demands a password, the End User should refer them to this Plan.

End Users should not use the "Remember Password" feature of applications (e.g., Internet Explorer, Outlook, etc).

End Users should not write down passwords or store them anywhere in their offices. End Users should not store, without encryption, passwords in a file on ANY Computer System, including PDAs.

End Users must change their passwords at least once every nine weeks (except system-level passwords, which must be changed every 90 days). The recommended change interval is every month or two.

When an End User suspects that their account or password has been compromised, they must report the incident to ITS and change all of their passwords.

ITS may, on a periodic or routine basis, test the security of End User passwords. If ITS determines that a password is weak, the End User will be required to change it.