Introduction and Purpose
Passwords are one of the most important aspects of computer security. A poorly chosen password may result in unauthorized access to, or exploitation of, ACG resources. All users who have access to ACG systems and services are responsible for taking appropriate steps to select and secure their passwords.
The purpose of this policy is to establish standards for:
- Creation of strong passwords
- Protection of passwords
- Frequency of password changes
- Use of additional protection methods such as Multi-Factor Authentication (MFA)
The scope of this policy includes all individuals who have, or are responsible for, an account or any form of access that requires a password on any system that:
- Resides physically or logically at any ACG facility
- Has access to the ACG network
- Stores any non-public ACG information
Technological resources are provided by the College to support its primary role of education, research, and associated functions.
The College complies with all applicable legal responsibilities, including Data Protection, Electronic Communication, and Intellectual Property legislation.
Responsible College Office and Officer
The Office of Information Resources Management (IRM) and its InfoSec Operations Team are responsible for:
- Maintaining this policy
- Responding to questions regarding this policy
Who Is Governed by This Policy
This policy applies to all individuals granted access to ACG technological resources, including but not limited to:
- Faculty
- Staff
- Students
- Alumni
- Contractors
- Interns
- Volunteers
- Individuals authorized by affiliated institutions or organizations
Use of any ACG technological resource signifies acceptance of this policy.
Definitions
Computer Network
Two or more computers that can share information, typically connected by cable, data line, or satellite link.
SNMP (Simple Network Management Protocol)
A protocol used for collecting information from and configuring network devices such as servers, printers, switches, and routers on an IP network.
Dictionary Attack
An attempt to defeat an authentication mechanism by systematically trying words from a word list (and common variations of them) as candidate passwords.
Technological Resources
Include, but are not limited to: computers, terminals, software, printers, networks, telecommunication equipment, telephones, voicemail, television and radio systems, computer information systems, data files, documents, multimedia-equipped classrooms, laboratories, offices, residencies, and computer furnishings operated or maintained by ACG.
Users
Faculty, staff, students, and others authorized to use ACG technological resources, including contractors, interns, and volunteers.
MFA (Multi-Factor Authentication)
An authentication method requiring two or more verification factors to gain access, reducing the likelihood of a successful cyber attack.
Procedures
Passwords may be changed only by the account's own user.
Passwords may not be reset over the phone or supplied via email unless the requester's identity has been adequately verified.
Users who lose access to their account must contact the IT Department in person for a password reset.
I. Password Creation Policy
- All user-level and system-level passwords must comply with the Password Construction Guidelines.
- Users must not use the same password for ACG accounts and non-ACG services (e.g. personal email, banking).
- Where the systems permit it, users must not reuse the same password across multiple ACG systems.
- Accounts with system-level privileges (e.g. sudo, administrator access) must have a password that is not used for any other account, including the holder's own user-level account.
- SNMP community strings must not use default values and must differ from login passwords while meeting password construction guidelines.
II. Password Change
- System-level passwords must be changed at least every three months.
- User-level passwords must be changed at least every six months (recommended every three months).
- A previously used password may not be reused unless at least four months have passed or at least two other passwords have been used in the meantime.
- The IT Team or its delegates may periodically run password cracking or guessing audits to identify weak passwords.
- If a password is compromised, the user must change it immediately.
- Password requirements will be enforced technically wherever the system supports it.
III. Password Protection
- Passwords must never be shared.
- Passwords must be treated as confidential ACG information.
- Passwords must not be sent via email or other electronic communication.
- Passwords must not be disclosed over the phone.
- Passwords must not be revealed on questionnaires or forms.
- Users must not hint at password formats.
- Passwords must not be shared with colleagues, assistants, managers, family members, or anyone else.
- Passwords must not be written down, and must not be stored without encryption.
- Passwords must not be stored on computers or mobile devices without encryption (for example, outside an encrypted password manager).
- The “Remember Password” feature of browsers and applications must not be used.
- Any suspected compromise must be reported to the IT Department immediately and all affected passwords changed.
Users are accountable for all actions performed using their passwords.
IT administrators and College officials will never ask for user passwords; any such request should be treated as a suspected compromise attempt and reported.
MFA Requirements
- MFA is strongly recommended for all users.
- MFA is mandatory for all faculty and staff email accounts.
- MFA is mandatory for network and VPN access for staff with decision authority.
- The IT Department will provide guidance and notifications regarding MFA compliance.
IV. Application Development Activities
Applications developed for use at ACG must:
- Authenticate individual users, not groups.
- Authenticate through the ACG domain rather than maintaining a separate password database.
- Never store passwords in clear text or in any reversible (encrypted or encoded) form; store only a salted one-way hash.
- Never transmit passwords in clear text.
- Support role management (granting, changing and revoking roles) without requiring knowledge of another user’s password.
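The following is an added illustration of what these application requirements look like in code; it is not ACG code and does not describe any existing ACG system. It assumes an application that, contrary to the preference for domain authentication, must hold credentials itself, and shows per-user (not group) authentication, non-reversible salted password storage using scrypt from the Python standard library, constant-time verification, and role changes and administrative resets that never require the target user's password. The `UserStore` class, its method names and the scrypt work factors are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors. These are assumed values chosen for this example;
# benchmark on the target hardware before deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, DKLEN = 16, 32


def hash_password(password: str) -> str:
    """Return a salted, one-way record of the form scrypt$N$r$p$salt$digest.

    The record carries its own parameters so they can be raised later
    without invalidating existing accounts. Nothing in it can be decoded
    back into the password.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(actual, expected)


# Record for a password nobody knows, used so that a login attempt against a
# non-existent username costs the same time as a wrong password.
_DUMMY_RECORD = hash_password(os.urandom(16).hex())


class UserStore:
    """Minimal in-memory account store (assumed structure, for illustration only)."""

    def __init__(self) -> None:
        # username -> {"record": str, "role": str, "must_change": bool}
        self._users: dict = {}

    def create_user(self, username: str, password: str, role: str = "user") -> None:
        if username in self._users:
            raise ValueError("user already exists")
        self._users[username] = {"record": hash_password(password),
                                 "role": role, "must_change": False}

    def authenticate(self, username: str, password: str) -> bool:
        """Authenticate one named individual; there are no shared group logins."""
        user = self._users.get(username)
        if user is None:
            verify_password(password, _DUMMY_RECORD)
            return False
        return verify_password(password, user["record"])

    def _require_admin(self, actor: str) -> None:
        if self._users.get(actor, {}).get("role") != "admin":
            raise PermissionError("admin role required")

    def set_role(self, actor: str, target: str, role: str) -> None:
        """Role changes rest on the actor's own authority, never on the target's password."""
        self._require_admin(actor)
        self._users[target]["role"] = role

    def admin_reset(self, actor: str, target: str, temporary_password: str) -> None:
        """Reset without learning the old password; the user must change the temporary one."""
        self._require_admin(actor)
        self._users[target]["record"] = hash_password(temporary_password)
        self._users[target]["must_change"] = True

    def role_of(self, username: str) -> str:
        return self._users[username]["role"]

    def must_change(self, username: str) -> bool:
        return self._users[username]["must_change"]

    def stored_record(self, username: str) -> str:
        return self._users[username]["record"]
```

The stored record contains only the algorithm parameters, a random salt and a one-way digest, so a database leak does not yield passwords, and an administrator can change a role or issue a temporary password without ever seeing what the user chose. Transport protection (the clear-text transmission rule) is outside this snippet and must be provided by TLS on the connection that carries the password.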