The purpose of this policy is to establish a standard for the creation/reset of strong passwords, the protection of those passwords, and the frequency of change. The scope of this policy includes all SF State staff, student employees and community members.
Purpose & Scope
Passwords are an important aspect of computer systems security. They are typically the first line of protection for user accounts. A poorly chosen password may result in a serious breach in network and systems security resulting in loss or exposure of SF State Confidential Data and system compromise.
The purpose of this Practice Directive is to establish a standard for the creation/reset of strong passwords, the protection of those passwords, and the frequency of change. The scope of this Practice Directive includes all SF State staff, student employees and community members.
Practice Directive & Appropriate Use
Individual Account Passwords
- SF State authentication credentials must not be shared or disclosed to another person.
- All SF State employees, student employees and community member passwords must be reset after a maximum of 180 days.
- Account passwords should not be included in email messages or other forms of electronic communication unless encrypted.
- Temporary and one-time passwords must meet complexity rules and not be predictable.
- All passwords are Level 1 data and must be handled in accordance with our Confidential Data.
Users must immediately report any incident or suspected compromised password. Information on type of security incidents and where to report can be found at Reporting a Security Incident or Vulnerability page.
Guest Account Passwords
- May only be used for pre-approved low-risk activities.
- May be emailed.
- Must expire within 7 days.
May only be used by the intended participants/users.
Privileged Account Passwords
- Privileged account passwords must be different from non-privileged account passwords held by that user.
All passwords are Level 1 data and must be handled in accordance with our Confidential Data.
Default Account Passwords
- Default passwords delivered from vendors must be changed before being deployed.
SF State Password Standards
- Must be a minimum of twelve characters.
- Must not contain the first name, last name, or account name.
- Must not be the same as the last 24 passwords used.
Must contain three of the five categories:
- Upper case characters
- Lower case characters
- Special characters
- Non English characters
Password Protection Standards
- Do not use the same password for SF State accounts as for non-SF State accounts (e.g., personal email, banking, insurance, etc.).
- Do not store passwords electronically unless encrypted. Passwords recorded on paper must be physically secured.
- Computers should automatically lock after a maximum of 15 minutes of inactivity and require a password to unlock.
- Privileged accounts should never be used on public machines.
Responsibility for implementing this Practice Directive will rest with Information Technology Services (ITS) and Information Technology (IT) departments across campus. Submit any apparent violation of Password Practice Directives to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to firstname.lastname@example.org.
Noncompliance with applicable policies and/or practices may result in suspension of network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.