IT Password Management Policy

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of a department’s entire network. Any device connected to the campus networks must implement authentication and authorization processes that uniquely identify all users and appropriately control access to systems.


To establish guidelines and provide best practices for the creation of strong passwords and to determine the frequency required to change passwords.


The scope of this policy includes all faculty, staff and students who have or are responsible for an account (or any form of access that supports or requires a password) on any system that is connected to the campus network, has access to the campus network, or stores any non-public UMB information.


To comply with the latest version of the USM IT Security Standard, which requires USM institutions to implement formal controls on all institutionally owned systems that store and/or access nonpublic information.


Follow strong password characteristics and management practices, requiring users to adhere to institutional usage, construction, and change requirements. Considering the heterogeneous computing environments at USM institutions, the following password characteristics and management practices are recommended, but are operationally dependent:  

  • Length 12-32 characters
  • Can NOT contain your UMID, First Name, or Last Name 
  • Can NOT contain the following special characters “ ‘ 
  • Password has not been used in the last 10 passwords 
  • Password has not been used in the last 20 days
  • Pass a check conducted in Azure’s AD Password Protection, which detects and blocks known weak passwords and their variants

Updated 5/29/20