Password Policy and Guidelines
Approved:
Last Reviewed: 03/28/2011
Last Modified: 03/28/2011
Responsible Office: Information Technology Services
Passwords are used to control access to Santa Fe College’s information resources. A compromised password not only puts an individual’s email and files at risk, but may also expose sensitive college data and systems. All members of the college community are responsible for taking the appropriate steps to select and secure their passwords.
This document defines college password policy and outlines the guidelines and requirements for choosing, managing and protecting strong passwords.
Password Policy
Santa Fe College will strictly enforce the use of strong passwords. Strong passwords must:
- be at least 8 characters in length (12 characters is the maximum)
- include three of the following four elements – upper case letters, lower case letters, digits and punctuation
- not contain spaces
- not be shared
- not be reused
- be changed at least every 120 days
Guidelines for Selecting Strong Passwords
A common method used by attackers to break into accounts is to simply “guess” passwords by systematically trying different possibilities and using dictionary files to generate a list of possible passwords. By choosing passwords that are easy to remember but hard for an attacker to guess, you will significantly improve the security of your computer and data.
When selecting passwords, keep the following guidelines in mind:
- Choose a password that is eight characters in length
- Create passwords that contain three of the following four elements – upper case letters, lower case letters, digits and punctuation
- Do not use spaces or blanks in your password
- Avoid using dictionary words including foreign language words, slang, jargon and proper names
- Avoid using passwords that are based on your name, user ID, birthdates, addresses, phone numbers, relatives’ names, or other personal information
The key to a successful password is to create a phrase that is easy for you to remember but that no one else will ever think about attributing to you. For example:
- “Only 12 more years until retirement” would be “O120myur”
- “My 7 year anniversary is November 20” would be “M7yaiN20”
For tips on selecting strong passwords that are easy to remember and to test the strength of your passwords, go to Microsoft’s strong password website.
Guidelines for Protecting Your Passwords
- All passwords are to be treated as confidential college information.
- You are responsible for the security of your passwords and accountable for any misuse if they are guessed, disclosed, or compromised.
- Do not share your passwords with anyone, including supervisors, administrative assistants, secretaries, and technology service providers.
- Do not use your Santa Fe password as a password for non-college accounts such as eBay and Yahoo. This will limit your exposure if any of your passwords are compromised.
- Do not allow anyone to look over your shoulder while you are entering your password.
- Do not write passwords down or store them anywhere in your office. Do not store passwords in a file on any computer system (including PDAs or similar devices) without using strong encryption.
- If you suspect your account or password has been compromised, report the incident to ITS Help Desk and change the password immediately.
- Change your password on a regular basis. Changing your password every 90 days is a good rule-of-thumb, and you should never go longer than 120 days before picking a new password. Do not reuse previous passwords.
Exceptions
For systems and applications that have a maximum password length less than eight characters, that maximum length should be set as the minimum accepted password length.
Login Failure Lockout
User accounts are automatically locked after 3 consecutive failed login attempts. Accounts are automatically unlocked after 30 minutes. Users can unlock their accounts before the 30-minute lockout period ends by accessing the Password Management System and selecting “Change Password” from the eStaff or Web email login pages.
Changing Passwords
Employees can change their passwords through eStaff and students can change their passwords through eSantaFe.
History
04/25/2008 – Revised
08/24/2009 – Major revision
03/28/2011 – Revised
Information Technology Policies v20110328