Password Management Policy

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of a department’s entire network.  

Any device connected to the campus networks must implement authentication and authorization processes that uniquely identify all users and appropriately control access to systems.  

Purpose

To establish guidelines and provide best practices for the creation of strong passwords and to determine the frequency required to change passwords.

Scope

The scope of this policy includes all faculty, staff and students who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that is connected to the campus network, has access to the campus network, or stores any non-public UMB information.

Responsibilities

This policy exists to comply with Section IV, Item 2, Section B, Access Controls Standards of the USM Guidelines in Response to the State IT Security Policy (Version 3.0), which requires USM institutions to implement formal controls on all institutionally owned systems that store and/or access nonpublic information.

Compliance

Follow strong password characteristics and management practices, requiring users to adhere to institutional usage, construction, and change requirements. Considering the heterogeneous computing environments at USM institutions, the following password characteristics and management practices are recommended, but are operationally dependent:

  • The user must select and/or change initial passwords, unless those passwords are randomly generated.
  • Passwords must contain a minimum of nine characters.
  • When a user password is reset or redistributed, the identity of the user must be validated.
  • The password must not be the same as the user ID.
  • Passwords must not be stored in clear text.
  • Passwords must never be displayed on the screen.
  • Initial passwords and password resets distributed to the user must be issued pre-expired (unless randomly generated), forcing the user to change the password upon logon.
  • Passwords must contain a mix of alphanumeric characters. Passwords must not consist of all numbers, all special characters, or all alphabetic characters.
  • Passwords must not contain leading or trailing blanks.
  • Password reuse must be prohibited by not allowing the last 10 passwords to be reused with a minimum password age of at least two days.
  • Automated controls must ensure that passwords are changed at least as frequently as every 90 days for high-privilege users and every 365 days for general users.
  • User IDs associated with a password must be disabled for a period of time after not more than six consecutive failed login attempts, while allowing a minimum of a 10-minute automatic reset of the account, for critical administrative systems containing confidential information.
  • When a user password is reset or redistributed, the validation of the user identity must be at least as strong as when originally established.
  • Expired passwords must be changed before any other system activity is allowed.
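As an added illustration, not part of the policy text, the following Python checks a candidate password against the construction, reuse, minimum-age, expiry and lockout rules listed above. It assumes the "mix of alphanumeric characters" rule means at least one letter and one digit (the stricter reading), compares the user ID case-insensitively, and keeps the password history as salted PBKDF2 digests so that no clear-text password is stored.

```python
import hashlib
import hmac

# Constants taken from the policy bullets above.
MIN_LENGTH = 9                                 # minimum of nine characters
HISTORY_DEPTH = 10                             # last 10 passwords may not be reused
MIN_AGE_DAYS = 2                               # minimum password age
MAX_AGE_DAYS = {"high": 90, "general": 365}    # forced change interval by user class
MAX_FAILED_ATTEMPTS = 6                        # disable after this many consecutive failures
LOCKOUT_MINUTES = 10                           # automatic reset after lockout

def hash_password(password, salt, rounds=100_000):
    """Salted PBKDF2 digest, so the history never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def check_new_password(candidate, user_id, history, days_since_change=None):
    """Return the policy rules the candidate violates (empty list = acceptable).
    history: (salt, digest) pairs, most recent first; days_since_change: age of
    the current password in days, or None when no password has been set yet."""
    violations = []
    if candidate != candidate.strip():
        violations.append("leading or trailing blanks")
    if len(candidate) < MIN_LENGTH:
        violations.append("fewer than nine characters")
    if candidate.lower() == user_id.lower():        # assumption: case-insensitive match
        violations.append("same as user ID")
    # Stricter reading of "mix of alphanumeric characters": at least one letter
    # and one digit, which also rules out all-numeric, all-alpha and all-special.
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        violations.append("not a mix of alphabetic and numeric characters")
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            violations.append("reuses one of the last 10 passwords")
            break
    if days_since_change is not None and days_since_change < MIN_AGE_DAYS:
        violations.append("current password is younger than two days")
    return violations

def password_expired(days_since_change, privilege="general"):
    """True when the password is older than the 90/365-day limit for its class."""
    return days_since_change > MAX_AGE_DAYS[privilege]

def account_locked(consecutive_failures, minutes_since_last_failure):
    """Lock after six consecutive failures; lift automatically after ten minutes."""
    return (consecutive_failures >= MAX_FAILED_ATTEMPTS
            and minutes_since_last_failure < LOCKOUT_MINUTES)
```

The history digests here are for the reuse check only; a production system would additionally keep the live credential in a purpose-built password store.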