1.0 Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Clarkson’s entire network. As such, all Clarkson faculty, staff, and students (including contractors and vendors with access to Clarkson systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Clarkson facility, has access to the Clarkson network, or stores any non-public Clarkson information.

4.0 Policy

  • All student, faculty, and staff passwords must follow the requirements below:
    • Must contain at least 8 characters
    • Must contain a mix of upper-case letters, lower-case letters, and numbers/symbols
    • Must be different from the most-recent password (1 password history retained)
    • Must not be shared with any other user
    • Should not contain a word in any language, slang, dialect, jargon, etc.
    • Should not contain a sequence, forwards or backwards (e.g., 1234, abcd)
    • Encouraged to be changed every 365 days (1 year)
    • Must be changed when directed by the CTO, Director of Network Operations or the Manager of Network Services
  • All system-level/administrator passwords must follow all requirements for student, faculty and staff passwords, plus the requirements below:
    • Must contain at least 16 characters
    • Must be changed every 365 days (1 year)
    • Must be different from the 20 most-recent passwords (20 password histories retained)
    • Must be changed following the departure of a system administrator
  • Passwords must not be inserted into external email messages or other forms of external electronic communication.

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6.0 Revision History

Draft Policy v0.1 – Apr 2003 – rporter

Draft Policy v0.2 – 18 Apr 2006 – jfiske

Draft Policy v0.3 – 28 Aug 2007 – jfiske

Approved Policy v1.0 – 07 Sept 2007 – jfiske

Draft Policy v1.1 – 23 Apr 2008 – jfiske

Approved Policy v2.0 – 4 November 2013 – jfiske