IT Password Management Policy

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of a department’s entire network. Any device connected to the campus networks must implement authentication and authorization processes that uniquely identify all users and appropriately control access to systems.


To establish guidelines and provide best practices for the creation of strong passwords and to determine the frequency required to change passwords.


The scope of this policy includes all faculty, staff and students who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that is connected to the campus network, has access to the campus network, or stores any non-public UMB information.


To comply with Section IV, Item 2, Section B, Access Controls Standards of the USM Guidelines in Response to the State IT Security Policy, which requires USM institutions to implement formal controls on all institutionally owned systems that store and/or access nonpublic information.


Follow strong password characteristics and management practices, requiring users to adhere to institutional usage, construction, and change requirements. Considering the heterogeneous computing environments at USM institutions, the following password characteristics and management practices are recommended, but are operationally dependent:

  • The user must select and/or change initial passwords, unless those passwords are randomly generated
  • Passwords must contain a minimum of eight characters
  • When a user password is reset or redistributed, the identity of the user must be validated
  • The password must not be the same as the user ID
  • Passwords must not be stored in clear text
  • Passwords must never be displayed on the screen
  • Initial passwords and password resets distributed to the user must be issued pre-expired (unless randomly generated), forcing the user to change the password upon logon
  • Passwords must contain a mix of alphanumeric characters. Passwords must not consist of all numbers, all special characters, or all alphabetic characters
  • Passwords must not contain leading or trailing blanks
  • Automated controls must ensure that passwords are changed at least as frequently as every 90 days for high-privilege users and every 180 days for general users
  • User IDs associated with a password must be disabled for a period of time after not more than six consecutive failed login attempts, while allowing a minimum of a 10-minute automatic reset of the account, for critical administrative systems containing nonpublic information
  • When a user password is reset or redistributed, the validation of the user identity must be at least as strong as when originally established
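The construction and lockout rules above can be enforced mechanically. The following Python is an added illustration, not UMB's or USM's own code; it assumes the user-ID comparison is case-insensitive, reads "mix of alphanumeric characters" as at least one letter and one digit, and represents time as Unix seconds.

```python
# Policy constants taken from the list above.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_SECONDS = 10 * 60

def check_password(password, user_id):
    """Return the construction rules the candidate violates (empty list = compliant)."""
    violations = []
    if password != password.strip():
        violations.append("leading or trailing blanks")
    if len(password) < MIN_LENGTH:
        violations.append("fewer than 8 characters")
    if password.lower() == user_id.lower():  # assumption: compared case-insensitively
        violations.append("same as user ID")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    # At least one letter and one digit; this also rejects the all-numeric,
    # all-alphabetic and all-special-character passwords the policy names.
    if not (has_alpha and has_digit):
        violations.append("no alphanumeric mix")
    return violations

class LockoutTracker:
    """Disable a user ID after MAX_FAILED_ATTEMPTS consecutive failures and re-enable it once LOCKOUT_SECONDS elapse."""
    def __init__(self):
        self.failures = {}      # user_id -> consecutive failed logins
        self.locked_until = {}  # user_id -> Unix timestamp the lockout expires

    def is_locked(self, user_id, now):
        until = self.locked_until.get(user_id)
        if until is None:
            return False
        if now >= until:  # lockout window elapsed: automatic reset
            del self.locked_until[user_id]
            self.failures[user_id] = 0
            return False
        return True

    def record_failure(self, user_id, now):
        """Record one failed login at time `now`; return True if the account is locked afterwards."""
        if self.is_locked(user_id, now):
            return True
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user_id] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user_id):
        self.failures[user_id] = 0  # a successful login resets the consecutive count
```

The 90/180-day rotation and the pre-expired initial password are not covered here; those belong in the directory or identity system's password-age settings rather than in a checker like this.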

Updated 5/1/13