Smith College Information Technology Services

ACCOUNT PASSWORD & SECURITY POLICY

The security of Smith College user accounts has become critically important with the increasing growth of on-line information, services and resources that rely on centrally issued accounts for authentication and authorization. It is the responsibility of both the institution and the individual user to safeguard the security and integrity of each person's identity, and guard against unauthorized access and use of their account.

The password for an individual's account is the sole key for protecting that account. It proves their identity, authorizes them to access and control important personal and institutional information, grants rights to licensed resources, and allows others to trust the identity of the person linked to their assigned user account. Therefore, the strength and privacy of that password is of paramount importance.

This policy specifies certain minimum components for a strong password, and requirements for maintaining the privacy of a user account password. As part of this policy, ITS will create and maintain information for users on recommendations and resources for password strength and management best practices.

Password Composition

The following password security parameters will be implemented as baseline requirements for Smith’s primary user authentication system.

Password parameter details:

Password expiration: none, but periodic user-initiated password changes are strongly recommended
Password history: none (password re-use is permitted)
Minimum password length: 8 characters
Maximum password length: set based on lowest maximum of supported services
Number of unique characters: 5 characters minimum
Allow consecutively repeating characters: 2 characters maximum ("eeMe" is ok, "Meee" is not)
Lower and upper case characters: at least one capital letter and one lower case letter required
Numeric digits: at least one number required
Special characters: at least one special character required (!, $, *, etc.)
Exclusions: passwords may not include the username or the full name of the person assigned to the account
Failed login attempts: account lockout after 6 failed login attempts
Failed login lockout: block further login attempts for 5 minutes

Recommendation: Although not expressly prohibited in this policy, the following characters may cause problems for some Banner services; users are urged to avoid these characters when creating a strong password:

@ & " ( ) , < > ` ; =

Password Management

Documented passwords must be stored securely (encrypted or in a locked container)
Never share your password with anyone!

Unauthorized Use

Any unauthorized acquisition or use of identity authentication or authorization credentials is specifically prohibited. Failure to comply could result in judicial board review for students, or reprimand or possible termination for employees.

Exceptions to this Policy

This policy applies to general individual user accounts only. Non-standard accounts, such as temporary conference guest accounts or special group accounts for a department or class, may have password parameter settings that differ from this policy, as best fit the particular needs of these accounts.

Select individual accounts such as administrative users who have access to classified information may be required to implement stricter password requirements than those specified in this policy.

Approved by the TSC, November 2012