Password Policy

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and exploitation of Barry University's resources. All users, including employees, students, contractors and vendors with access to Barry University systems, are responsible for taking the appropriate steps as outlined in this policy to select and protect their passwords. 

PURPOSE

The goal of this policy is to define the University protocols for the creation, protection and use of passwords for all systems owned, managed by, or under the responsibility of Barry University.

SCOPE

This policy applies to anyone who has been provided access credentials to systems owned, managed by, or under the responsibility of Barry University.

DEFINITIONS

Sensitive Information: Any data (electronic or physical), for which the compromise of confidentiality, integrity, and availability could have a material adverse effect on Barry University's interests, the conduct of University programs or the privacy to which individuals are entitled. Examples include: Personal Information and Protected Health Information as defined below; any data protected by the Florida Information Protection Act (FIPA), Family Education Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA) or other laws governing the use of data; or data that the University determines is in need of protective measures.

Access or Login Credentials: Information presented by a user to an authentication authority for identification and login access to previously authorized resource(s). Access or login credentials are usually comprised of a User ID (username) and a Password, although other methods like certificates, biometric information, security questions and multifactor authentication are being used more widely.

Information Security Office (ISO): The division of the University responsible for overseeing information security and acting as the point of contact for violations (inadvertent or deliberate) or issues: iso@barry.edu

Simple Network Management Protocol (SNMP): Protocol used to manage and monitor network devices like servers, switches, routers, firewalls, etc.

Password: A sequence of characters used to authenticate a person’s identity. Passphrases, passcodes and personal identification numbers (PIN) serve the same purpose as a password.

Privileged account: A privileged account is an account with a high level of access to a system, and is typically used by a systems administrator to log into servers, switches, firewalls, routers, database servers, and the many applications they manage.

User level account: Accounts assigned to users to provide them with access to University resources such as email, private websites, hosted administrative systems, etc.

Service account: An account used by systems rather than by users. These accounts are usually under the responsibility of systems administrators and are used to run automated processes like scheduled tasks, deployments, monitoring, running services on computers and servers, etc. If these accounts also have high levels of access to resources, they are also considered Privileged Accounts.

POLICY

It is the responsibility of all users to act appropriately at all times in safeguarding credentials under their control or responsibility and following the guidelines and recommendations outlined in this policy.

  1. Password Construction
    Passwords shall adhere to the following instructions on password construction:

    1. Acceptable (strong) passwords shall include ALL these characteristics:
      • Contain at least eight alphanumeric characters.
      • Contain both upper and lower case letters.
      • Include at least one number (for example, 0-9).
      • Contain at least one special character (for example, !$%^&*()_+|~-=\`{}[]:";'<>?,/).

    2. The restrictions below apply to password construction. Passwords SHALL NOT contain:
      • Sequences of three or more characters from your Barry username or email address.
      • Character or number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
      • Common words spelled backward.
      • Password examples given on the support site (e.g. Welcome!23).
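The construction rules above, written out as a validator. This is an added illustration, not part of the policy or any Barry University system; the common-word list and the set of published example passwords are constructed stand-ins for the support site's lists, and the repeat/sequence check generalises the listed patterns to any run of three repeated, ascending or descending characters:

```python
import string

# Constructed stand-ins (not from the policy): a tiny common-word list and
# the support site's published example passwords (Welcome!23 is the one the
# policy itself quotes).
COMMON_WORDS = {"password", "welcome", "summer", "winter", "barry", "login"}
PUBLISHED_EXAMPLES = {"Welcome!23"}
KNOWN_PATTERNS = ("aaabbb", "qwerty", "zyxwvuts", "123321")
SPECIALS = set(string.punctuation)


def _trigrams(text):
    """All three-character substrings of text, lower-cased."""
    text = text.lower()
    return {text[i:i + 3] for i in range(len(text) - 2)}


def _has_pattern(pw):
    """True for a listed pattern or any run of three repeated/ascending/descending characters."""
    low = pw.lower()
    if any(p in low for p in KNOWN_PATTERNS):
        return True
    for i in range(len(low) - 2):
        a, b, c = (ord(ch) for ch in low[i:i + 3])
        if a == b == c or (b - a == 1 and c - b == 1) or (a - b == 1 and b - c == 1):
            return True
    return False


def check_password(pw, username, email):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs at least one special character")
    low = pw.lower()
    if any(g in low for g in _trigrams(username) | _trigrams(email)):
        problems.append("contains three or more characters from username or email")
    if _has_pattern(pw):
        problems.append("contains a keyboard, repeated or sequential pattern")
    if any(w[::-1] in low for w in COMMON_WORDS):
        problems.append("contains a common word spelled backward")
    if pw in PUBLISHED_EXAMPLES:
        problems.append("is a published example password")
    return problems
```

The passphrase example from the Additional Recommendations section passes every check, while the quoted support-site example fails only because it is published.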

  2. Password Change Frequency and Password Reuse
    Passwords shall be changed periodically. This limits the damage an attacker can do should an account be compromised and helps to frustrate brute-force attempts.

    • All user-level account passwords (e.g. email, web resources and logging into a desktop computer) shall be changed at least every 180 days.
    • All privileged user-level account passwords (e.g. domain admin accounts, accounts used to reset passwords, Office 365 administrators) shall be changed at least every 120 days.
    • All privileged device and system account passwords (e.g. root, administrator, local administrator, etc.) shall be changed at least every 360 days.
    • All service account (e.g. accounts used in systems such as syncing with Office365) passwords shall be changed at least every 360 days.
    • The previous ten passwords shall not be reused.
    • Minimum password age shall be one day (the amount of time between password changes).

  3. Password Protection

    • Accounts will be locked out after five consecutive failed login attempts within an hour.
    • Accounts locked out due to failed login attempts will be unlocked after 5 minutes.
    • Default passwords for systems, network devices or infrastructure equipment (e.g. switches, phones, routers, servers, printers, cameras, etc.) shall be changed BEFORE connecting the system to Barry University’s network. System passwords must comply with the password guidelines described in this document even if they are only turned on for short periods for testing or demonstration (e.g., proof of concept or sales presentation). System passwords include but are not limited to SNMP Community Strings, Shared Secrets, root/admin accounts for devices, etc.
    • Any user suspecting his/her password may have been compromised shall change it immediately and report the incident with detailed information to the Information Security Office (iso@barry.edu). 
    • Users shall always verify the resource into which they are logging in to ensure it is legitimate and approved, especially when directed to resources received through email, text messages and browsing the Internet. If unsure, the individual shall contact the IT Support Desk.
    • Passwords shall not be written down -- even if requested on questionnaires or security forms in paper or electronic form.
    • User passwords shall not be transmitted via email, text or any other digital forms. If there is a unique situation requiring credentials be sent to another party, it must be encrypted using one of the approved methods by the Information Security Office. In such cases, the password shall be sent alone. Accompanying information, such as the username associated with it, shall be transmitted in a separate and different channel of communication. Automated information sent to users from the Division of Information Technology regarding their account creation is exempt from this requirement.
    • Passwords must not be stored in an electronic format (e.g. on a computer or mobile device) without file level encryption that has been approved by the Information Security Office being applied.
    • Personnel in charge of managing credentials should follow secure procedures to verify the identity of the user before providing them with a new or temporary password, or any other sensitive information.
    • Individuals are required to establish challenge questions and answers for use in self-service password resets.
    • User passwords shall not be shared with nor revealed to ANYONE, including Division of Information Technology staff, supervisors, subordinates, co-workers, guests and family members. There is one exception to this rule which involves the resetting of users’ passwords and/or security challenge questions and answers by designated Division of Information Technology staff with privileged system access. This is only allowed when warranted by circumstances such as user request, or suspicion of malicious account activity.
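The lockout rule in the first two bullets (five consecutive failures within an hour, automatic unlock after five minutes) as a small tracker that an authentication service or a log-monitoring job could keep per account. This is an added example, not code from the policy or from any Barry University system; timestamps are plain seconds supplied by the caller so it runs offline:

```python
from collections import defaultdict, deque

FAILURE_THRESHOLD = 5      # consecutive failures that trigger a lockout (policy)
FAILURE_WINDOW = 60 * 60   # failures are counted within a one-hour window (policy)
LOCKOUT_SECONDS = 5 * 60   # locked accounts unlock automatically after five minutes (policy)


class LockoutTracker:
    """Per-account failed-login tracking; `now` is a timestamp in seconds supplied by the caller."""

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lockout expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # lockout has expired: clear state so the failure count starts fresh
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account, now):
        """Record a failed attempt; returns True if this attempt caused a lockout."""
        if self.is_locked(account, now):
            return False
        window = self._failures[account]
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW:  # forget failures older than an hour
            window.popleft()
        if len(window) >= FAILURE_THRESHOLD:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account):
        """A successful login breaks the consecutive-failure streak."""
        self._failures[account].clear()
```

Attempts made while an account is locked are rejected without extending the lockout, so a legitimate user is back in after five minutes regardless of what an attacker keeps trying.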

  4. Additional Recommendations

    • Individuals shall consider using passphrases, such as a song title, affirmation, or another phrase, since they are relatively long and constructed of multiple words, which provides greater security against dictionary attacks. Secure passphrases shall follow the general password construction guidelines to include upper and lowercase letters, numbers, and special characters (for example, TheTrafficOnI95WasB@dThisMorning!).
    • Passwords for Barry University accounts shall be different from passwords used for personal accounts (e.g. personal email, personal bank accounts, etc.).
    • Where possible, users shall not use the same password for various Barry University access needs.
    • Your Barry ID number shall not be included in your password.
    • Personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters shall not be included in your password.
    • Work-related information such as building names, system commands, sites, companies, hardware, or software shall not be included in your password.
    • Individuals should not save passwords when prompted to save them by the web browser.

ENFORCEMENT

Violations of this policy may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment.

EXCEPTIONS

Any exceptions to this policy shall be approved in advance by the Information Security Office.
