Password Policy

Purpose

Western Michigan University significantly relies on the use of University provided credentials (Bronco NetID and password) to provide access authentication to online information technology resources such as email, institutional data, University websites, academic and personal data, cloud computing processes, and other sensitive services. In particular, passwords are the user’s 'keys' to gain access to University information and information systems. A compromise of these authentication credentials directly impacts the confidentiality, integrity, and availability of IT systems, and University as well as user information. This policy establishes minimum standards for the creation and protection of each person’s University password(s). All users accessing WMU IT resources are bound by the requirements as described in this policy, to create and secure their password(s).

Scope

This policy applies to all WMU IT systems and resources that require password authentication. All system administrators and users of University IT resources are responsible for implementing and maintaining the requirements outlined in this document. Policies and/or standards adopted by a college or administrative unit must be consistent with this policy, but may provide supplemental controls, guidelines, and further restrictions.

This policy also applies to certain non-WMU IT systems accounts, such as cloud computing applications, that provide access to sensitive University information and information systems where the exposure may have significant impact on University operations. Do not use the same password for WMU accounts as for other non-WMU access, such as, online banking, personal ISP accounts, Facebook, MySpace, Twitter, or other social network accounts. This policy does not apply to password-protected files, encryption key passphrases, or local accounts that do not interface with WMU user account authentication systems (Kerberos, LDAP, and Active Directory)

Policy statements

Individuals must have a unique identifier and password for each University account.

  • All WMU owned electronic devices that access confidential/restricted University data must have password protection enabled.
  • Passwords must be stored in irreversible encryption format whenever possible.
  • Passwords must contain at least eight (8) characters, in combination as follows:
  • At least one upper case alphabetic character.
  • At least one lower case alphabetic character.
  • At least one numeric character (1, 2, 3, etc.).
  • At least one punctuation or symbol character (@, $, #, etc.).
  • Do not use ‘ “ or blank spaces as they may not work with all University systems.
  • Passwords must be changed at least once every 365 days.
  • Administrator user accounts that have system-level privileges granted through group memberships must have unique passwords for each account(s) held by that user.
  • The Help Desk and system administrators must verify the identity of users when assigning or resetting passwords.
  • All vendor supplied default passwords must be changed prior to any application or program's implementation to a production environment.

See also Password guidelines.

Enforcement

The Office of Information Technology has the responsibility to enforce this policy through systematic means and/or departmental network administrators, IT system administrators, and system users. All WMU employees are responsible for complying with this policy. Failure to comply may result in disciplinary sanctions consistent with current collective bargaining agreements, University policies, and applicable law.

Note

This policy may be amended at any time by the chief information officer of Western Michigan University consistent with current collective bargaining agreements, University policies, and applicable law. Changes will be reviewed by appropriate University entities prior to posting on the information technology public website.

Document action

Direction/purpose: Chief information officer, per external audit report, Oct. 2010
Reviewed: Campus Information Security Committee, Nov. 2010
Reviewed and edited: Campus Information Security Committee, Dec. 2010
Reviewed: LAN managers group, Dec. 2010
Reviewed and edited:  Campus Information Security Committee, Jan. 2011
Approved:  Campus Information Security Committee, March 2011