Password

Division: 

Administration and Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Thursday, May 1, 2014

Revised Date: 

Thursday, February 19, 2015

Authority: 


Objective: 

The purpose of this policy is to establish a standard for the creation/reset of strong passwords, the protection of those passwords, and the frequency of change. The scope of this policy includes all SF State staff, student employees and community members.


Statement: 

Purpose & Scope

Passwords are an important aspect of computer systems security. They are typically the first line of protection for user accounts. A poorly chosen password may result in a serious breach in network and systems security resulting in loss or exposure of SF State Confidential Data and system compromise.

The purpose of this Practice Directive is to establish a standard for the creation/reset of strong passwords, the protection of those passwords, and the frequency of change. The scope of this Practice Directive includes all SF State staff, student employees and community members.

Practice Directive & Appropriate Use

General

Individual Account Passwords

  • SF State authentication credentials must not be shared or disclosed to another person.
  • All SF State employee, student employee and community member passwords must be reset after a maximum of 180 days.
  • All SF State employee, student employee and community member accounts will be locked out after 8 unsuccessful logon attempts.
  • Account passwords should not be included in email messages or other forms of electronic communication unless encrypted.
  • Temporary and one-time passwords must meet complexity rules and not be predictable.
  • All passwords are Level 1 data and must be handled in accordance with our Confidential Data.
  • Users must immediately report any incident or suspected compromised password. Information on the types of security incidents and where to report them can be found on the Reporting a Security Incident or Vulnerability page.

Guest Account Passwords

  • May only be used for pre-approved low-risk activities.
  • May be emailed.
  • Must expire within 7 days.
  • May only be used by the intended participants/users.

Privileged Account Passwords

  • Privileged account passwords must be different from non-privileged account passwords held by that user.
  • All passwords are Level 1 data and must be handled in accordance with our Confidential Data.

Default Account Passwords

  • Default passwords delivered from vendors must be changed before being deployed.
  • Temporary and one-time passwords must meet complexity rules and not be predictable.

SF State Password Standards

  • Must be a minimum of eight characters.
  • Must not contain the first name, last name, or account name.
  • Must contain characters from three of the following five categories:
    • Upper case characters
    • Lower case characters
    • Numbers
    • Special characters
    • Non-English characters
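
The three rules above can be checked mechanically before a password is accepted. The following validator is an added example written for this page; it is not SF State's own code or part of any campus system. It assumes that "special characters" means ASCII punctuation and symbols, that "non-English characters" means any non-ASCII letter, and that the name check is case-insensitive. The names and passwords in it are constructed sample data.

```python
import string
import unicodedata

# Assumed interpretation of the five categories in the standard:
#   upper/lower/digit  -> ASCII letters and digits
#   special            -> ASCII punctuation and symbols
#   non_english        -> any non-ASCII letter (Unicode category L*)
def character_categories(password: str) -> set[str]:
    """Return the set of standard categories present in the password."""
    categories = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            categories.add("upper")
        elif ch in string.ascii_lowercase:
            categories.add("lower")
        elif ch in string.digits:
            categories.add("digit")
        elif ch in string.punctuation:
            categories.add("special")
        elif ord(ch) > 127 and unicodedata.category(ch).startswith("L"):
            categories.add("non_english")
    return categories


def check_password(password: str, first_name: str, last_name: str,
                   account_name: str) -> list[str]:
    """Return a list of rule violations; an empty list means the password
    meets the SF State Password Standards as interpreted above."""
    problems = []

    # Rule 1: minimum of eight characters.
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # Rule 2: must not contain the first name, last name, or account name.
    # Compared case-insensitively (assumption); empty fields are skipped.
    lowered = password.lower()
    for label, value in (("first name", first_name),
                         ("last name", last_name),
                         ("account name", account_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")

    # Rule 3: characters from three of the five categories.
    found = character_categories(password)
    if len(found) < 3:
        problems.append(
            f"only {len(found)} of 5 character categories present (need 3)")

    return problems


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    user = ("Jane", "Doe", "jdoe")
    for candidate in ("Tr0ub4dor!", "jdoe2024", "Passwörd9", "Short1!"):
        result = check_password(candidate, *user)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

A password that meets the standard yields an empty list; otherwise each violated rule is reported separately, which lets a reset page tell the user exactly what to fix. Note that very short name fields (a one-letter first name, for example) would match almost any password under a substring check; the standard does not say how such names are handled, so a deployment would need to decide that itself.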

Password Protection Standards

  • Do not use the same password for SF State accounts as for non-SF State accounts (e.g., personal email, banking, insurance, etc.).
  • Do not store passwords electronically unless encrypted. Passwords recorded on paper must be physically secured.
  • Computers should automatically lock after a maximum of 15 minutes of inactivity and require a password to unlock.
  • Privileged accounts should never be used on public machines.

Implementation

Responsibility for implementing this Practice Directive will rest with DoIT and Information Technology (IT) departments across campus. Submit any apparent violation of Password Practice Directives to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to service@sfsu.edu.

Non-Compliance

Noncompliance with applicable policies and/or practices may result in suspension of network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.