1. Purpose
The purpose of this policy is to establish the requirements for the proper construction, usage, handling, and maintenance of all passwords at all University System institutions. These requirements ensure consistent application of the security controls necessary to safeguard the information and information technology resources of the University System and its component institutions. The University System aligns itself with best practices from organizations such as the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).
2. Scope
This policy applies to all passwords used to authenticate to University System information technology resources, or to any information technology resource that stores non-public University System data.
It does not apply to the following types of passwords, whose requirements are defined elsewhere:
- Service account passwords, defined as passwords used by an information technology resource to contact or interface with another information technology resource
- UNH Parent Portal Account Passwords
3. Audience
All University System community members with access to institutional information or information technology resources should be familiar with this Policy and their responsibilities for complying with the requirements it defines.
4. Policy Statement
4.1 Password Change Frequency
4.1.1 All passwords associated with University System accounts shall be changed annually, with the following exceptions:
- System Administrator Accounts (every six months)
- All non-primary identity accounts accessed by employees with privileged access shall have their passwords changed upon the employee's departure.
4.1.2 University System community members shall be notified of the need to change their password prior to the password's expiration date.
4.1.3 University System community members with expired passwords shall be restricted from accessing University System information technology resources.
4.2 Password Construction
4.2.1 Passwords shall:
- Be between 14 and 64 characters in length
- Be sufficiently different from previous passwords
- Contain a minimum of 5 unique characters
4.2.2 Passwords shall not:
- include the user's first, last, or preferred name, the user's University System username (e.g., abc1234), or the user's University System ID (e.g., 991122334)
- be re-used
- contain number or character sequences of 4 or more (e.g., abcd, 6789, sTuV)
- contain characters repeated 4 or more times sequentially (e.g., bbbb, 8888, TttT, &&&&)
4.2.3 Known compromised or commonly used weak passwords are disallowed.
4.3 Password Usage
4.3.1 Passwords used for University System purposes shall not be used for purposes outside the University System, including, but not limited to, personal banking, Amazon, Netflix, etc.
4.3.2 Passwords used for accessing University System information technology resources that require local application accounts for authentication shall not be the same as the community member's University System password.
- Local application accounts are accounts for official university applications that do not use University System credentials
- Examples: Salesforce, University System Benefits
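As an added example that is not part of the policy, the following Python checks a candidate password against the construction rules in 4.2.1 through 4.2.3; the weak-password list is a constructed stand-in, and treating descending sequences as sequences and matching runs and sequences case-insensitively are assumptions rather than statements of the policy.

```python
"""Conformance checker for the password construction rules in section 4.2.
Added example, not part of the policy. Assumptions: sequences are tested
case-insensitively in ascending and descending code-point order, and
CONSTRUCTED_WEAK_LIST is a small constructed stand-in for a breach corpus."""

# Constructed sample; a deployment would query a compromised-password service (4.2.3).
CONSTRUCTED_WEAK_LIST = {"password12345678", "correcthorsebatterystaple"}


def has_run(pw: str, length: int = 4) -> bool:
    """True if any character repeats `length` or more times in a row,
    ignoring case, so that TttT counts as the policy's example does (4.2.2)."""
    low = pw.lower()
    return any(len(set(low[i:i + length])) == 1
               for i in range(len(low) - length + 1))


def has_sequence(pw: str, length: int = 4) -> bool:
    """True if `length` or more consecutive characters step by +1 or -1 in
    code-point order: abcd, 6789, sTuV (and, by assumption, dcba)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + length - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, username, user_id, names=(), previous=()):
    """Return the list of 4.2 rules the candidate violates; [] means it conforms."""
    problems = []
    low = pw.lower()
    if not 14 <= len(pw) <= 64:
        problems.append("length must be 14 to 64 characters")
    if len(set(pw)) < 5:
        problems.append("fewer than 5 unique characters")
    # Names, username (e.g. abc1234) and ID (e.g. 991122334) are matched case-insensitively.
    if any(t and t.lower() in low for t in (username, user_id, *names)):
        problems.append("contains the user's name, username, or ID")
    if pw in previous:
        problems.append("password re-used")
    if has_sequence(pw):
        problems.append("contains a sequence of 4 or more")
    if has_run(pw):
        problems.append("contains a character repeated 4 or more times")
    if low in CONSTRUCTED_WEAK_LIST:
        problems.append("known compromised or commonly used password")
    return problems
```

The "sufficiently different from previous passwords" rule is reduced here to an exact-match re-use check, since the policy gives no similarity threshold.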
4.4 Password Handling
4.4.1 Passwords shall:
- Be treated as sensitive, confidential information
- Not be shared with anyone, including administrative assistants or supervisors
- Not be written down or stored on-line in clear text
- Not be shared in email, chat, or other electronic communication
- Not be spoken aloud
4.4.2 Administrators of information technology resources who need to provide passwords to other administrators may use communication mechanisms for that purpose that are approved by Cybersecurity & Networking.
4.4.3 University System community members shall not use the "Remember Password" feature of web browsers to store University System passwords.
4.4.4 Forgotten passwords shall be reset using University System approved automated mechanisms.
4.4.5 University System community members with forgotten passwords who are unable to reset their password using automated mechanisms shall provide verification of identity via the approved University System process.
4.4.6 Default passwords on all information system components, peripherals, and Internet of Things (IoT) devices shall be changed to passwords that meet the minimum requirements outlined in this Policy prior to installation or deployment.
4.4.7 Members of University System Enterprise Technology & Services (ET&S) shall never ask users to provide their password for any University System account.
4.5 Compromised Passwords
4.5.1 University System community members who believe their password has been compromised shall notify their local Help Desk immediately.
4.5.2 If the University System has reason to believe a community member's password has been compromised, the community member's access may be revoked, without notification, until the community member's identity can be verified and their password can be reset.
4.5.3 University System community members with potentially compromised passwords shall provide verification of their identity and set a new password to regain access to University System information technology resources.
5. Enforcement
Failure to comply with this policy puts the University System, its component institutions, and its information and information technology resources at risk and may result in disciplinary action. Disciplinary procedures will be appropriate for the individual responsible for non-compliance (e.g., students, faculty, staff, vendors) as outlined in the relevant institutional regulations for that individual (e.g., student conduct and/or applicable personnel policies).
Non-compliant technology and/or activities may be mitigated as deemed necessary by the University System CISO and/or CIO.
Employees who are members of institutionally recognized bargaining units are covered by the disciplinary provisions set forth in the agreement for their bargaining units.
Contractors or vendors that fail to comply with this policy may be in violation of their contract with the University System and risk penalties up to contract termination.
6. Exceptions
Requests for exceptions to this policy shall be submitted and approved according to the requirements provided in the University System Cybersecurity Exception Standard.
7. Roles and Responsibilities
- Application Administrators
  - Ensure local application accounts, including those used to administer applications and those enabling community member access, follow all requirements defined in this policy.
- Chief Information Security Officer (CISO)
  - Enforce this policy and related standards
  - Review this policy annually
- Enterprise Technology & Services (ET&S)
  - Send expiring password notifications to University System community members
  - Disable accounts with expired passwords per the University System Password Management Standard
- University System Community Members
  - Comply with all restrictions and requirements outlined in this Policy when selecting passwords for use at the University System
  - Maintain the confidentiality of University System passwords
  - Use unique passwords on every account (e.g., do not use your University System password for other accounts)
  - Report all cybersecurity events or incidents to Cybersecurity & Networking. For example, a University System password that suddenly stops working without being changed by its owner would be considered a cybersecurity event.
8. Definitions
- Access
- Account
- Administrator
- Authentication
- Compromised Account
- Confidentiality
- Cybersecurity/Information Security
- Cybersecurity Incident
- Exception
- Identity
- Information
- Information Technology Resource
- Institutional Information
- Internet of Things (IoT)
- Non-Primary Identity
- Password
- Policy
- Privileged Access
- Security Control
- Standard
- Username
- University System Community Member
- University System ID
CONTACT INFORMATION
For University System community members: Questions about this Policy, requests for additional information or training, or reports of violations can be directed to University System Cybersecurity Governance, Risk, & Compliance (GRC).
All other requests can be submitted here.