NSU Password Policy

 

Purpose

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change. Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of Northeastern State University (NSU) resources. All users, including contractors and vendors with access to NSU’s systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Scope

The scope of this policy includes any NSU account on any system that resides at any NSU campus, has access to the NSU network, or stores any nonpublic NSU information. 

Password Requirements

Passwords must be between 12 and 30 characters long and must satisfy 3 of the following 4 requirements:

  • Must contain a lowercase letter

  • Must contain an uppercase letter

  • Must contain a number

  • Must contain a special character: ~!#$%^&*()_+=-?><

Password Creation

  • Employees must choose unique passwords for all of their NSU accounts, and may not use a password that they are already using for a personal account. 

  • NSU users must avoid basic combinations that are easy to crack. For instance, choices like “password,” “password1” and “Pa$$w0rd” are equally bad from a security perspective.

Password Change

  • All passwords must be changed every twelve months. An email will be sent 30 days and 7 days before your account is disabled, informing you that it is time to change your password.

  • Some users (i.e., those who deal with PCI or PII data) are required to change their password every 90 days. The default is 12 months.

  • If the security of a password is in doubt (for example, if it appears that an unauthorized person has logged in to the account), the password will be reset by an administrator and the user will be required to change the password.

Password Protection

  • ITS will never ask for your password.

  • Employees may never share their passwords with anyone else in the company, including co-workers, managers, administrative assistants, etc.  Everyone will create their own password in accordance with this policy.

  • Employees may never share their passwords with any outside parties, including those claiming to be representatives of a business partner with a legitimate need to access a system.

  • Employees must take steps to avoid phishing scams and other attempts by hackers to steal passwords and other sensitive information.  ITS provides training and collaboration on how to recognize these attacks.

  • Passwords must never be written down and left in a location easily accessible or visible to others.  This includes both paper and digital formats on untagged (unsupported) devices.

  • Password managers may be used to store and remember passwords.  

Password Expiration

To prevent an attacker from making use of a password that may have been discovered, passwords are deemed temporary and must be changed regularly. ITS reserves the right to reset a user’s password in the event a compromise is suspected or reported. Passwords are required to be changed every 12 months. If your password is not changed before the 12-month period has passed, your account will be disabled until your password has been changed.

Details

Article ID: 123188
Created: Tue 12/22/20 2:17 PM
Modified: Tue 1/5/21 8:19 AM