Office of Information Technology
   


Revised: 05/2008

Password Management Guidelines

Purpose

Passwords are used to control access to Western Michigan University systems, networks, applications, accounts, and data. A compromised password not only puts a user's e-mail and files at risk, but may also expose sensitive University data and systems. All members of the University community are responsible for taking the appropriate steps to select and secure their passwords. This policy document outlines the requirements and guidelines for choosing, managing, and protecting strong passwords at Western Michigan University.

Background

Having a login and password on any Western Michigan University computing system gives you access to a number of services which may include access to e-mail, student personal information, University-maintained programs and applications, access to personal and institutional Web sites, access to University institutional financial data, and access to high-speed Internet. A compromised password may lead to destructive activities such as: stealing University student academic and/or financial data, sending large batches of unsolicited e-mail (commonly referred to as spam), illegally distributing pirated software, pornography, theft of intellectual property, stolen login/passwords, or disrupting computer and network operations both at Western Michigan University and at other sites. Preventing these events is everyone's responsibility.

Scope

This policy applies to all account-based information technology systems and processes that utilize WMU resources. All system administrators and users of University information technology resources are responsible for the implementation of these standards. Policies and/or standards adopted by a college or administrative unit must be consistent with this policy, but may provide supplemental controls, guidelines, and restrictions.

Policy

Individuals must have a unique identifier and password on all accounts

  • Passwords must be stored in irreversible encryption format whenever possible.
  • Passwords must contain at least six (6) characters in combination as follows:
    • At least one alphabetic character (mixed upper and lower case)
    • At least one numeric character (1, 2, 3, 4, 5 ...)
    • At least one punctuation or symbol character (@, $, :, # ...)
  • Passwords must be changed at least once every 120 days.
  • Administrator user accounts that have system-level privileges granted through group memberships must have unique passwords for all accounts held by that user.
  • System administrators must verify the identity of users when assigning or resetting passwords.
  • System administrators should enforce "automatic lock out rules" after five unsuccessful login attempts, when possible.
  • All vendor supplied default passwords must be changed prior to any application or program's implementation to a production environment.

Enforcement

The Office of Information Technology has the responsibility to enforce this policy through systematic means and/or departmental network administrators, OIT system administrators, and system users. All Western Michigan University employees are responsible for complying with this policy. Any employee or authorized personnel found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment.

Summary

This policy is designed to secure the information resources of Western Michigan University. This document may be subject to modification at any time to ensure the protection of University information assets. Questions and/or comments may be directed to the University Security Administrator.

General Password Construction Guidelines

Passwords are used for various purposes. Some of the more common uses include: user accounts, Web accounts, e-mail accounts, screen saver protection, voicemail passwords, and remote access logins. Since very few systems have support for one-time tokens (dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.

  • Use random, pronounceable syllables to make up words that are easy to remember.
  • Use acronyms for unusual phrases that you invent (e.g. WCMPE120D for "why change my password every 120 days").
  • Do not select a password that is a common usage word such as "Western", "Bronco".
  • Do not use computer terms, names, commands, sites, or company's software titles.
  • Do not use word or number patterns like abcdefg, qazxsw, 12345678.
  • Do not use your account name as your password.
  • Do not base your password on any items of personal information such as your name, social security number, birthday, pet names, or family members.

Protecting Your Password

Do not use the same password for Western Michigan University accounts as for non-Western Michigan University accounts (i.e. personal ISP accounts, brokerage accounts, benefit accounts, etc.). Remember, if one account password is compromised, all accounts may be compromised. Do not share your University password(s) with anyone, including administrative assistants, supervisors, secretaries, or co-workers. All passwords are to be treated as sensitive, confidential Western Michigan University information.

Here is a list of don'ts:

  • Don't reveal your password over the phone to anyone, including your computer support personnel. Support personnel should never initiate a call requesting a password.
  • Don't talk about your password around others.
  • Don't reveal a password on questionnaires.
  • Don't share your password with co-workers while on vacation.
  • Don't use the "Remember Password" feature on applications (e.g. Netscape Messenger, Outlook, Outlook Express, Eudora, etc.).
  • Don't write passwords down or store them anywhere near your computer.
  • Don't store passwords in a file on any computer system (including PDAs or similar devices) without using strong encryption.

If you suspect your account or password has been compromised, report the event to your college or department technical support personnel or the University Security Administrator, and change your password immediately.

If someone demands your password, refer him or her to this document, or have him or her contact your college or department technical support personnel or the University Security Administrator.

 
 
 
Office of Information Technology, Western Michigan University, Kalamazoo, Michigan, 49008-5206
Phone (269) 387-5430
Last Updated: August 25, 2008