Information Technology and Telecommunications Services
Password Requirements and Guidelines
Password Requirements
- Introduction
- Password Aging for Faculty and Staff
- Password Aging for Students
- Choosing Passwords
- What if I forget my Password?
Password Security Guidelines
- Why is Password Security so important?
- How are Passwords Stolen?
- What are the Guidelines for a Strong Password?
- What other ways can I secure the information on my computer?
- Tips on Choosing a Right Password
- How will these guidelines protect the campus data?
- How will enforcing a password requirement help the overall security off our data?
Self-Service Password Management System
Password Requirements
Introduction
Fayetteville State University has an enormous amount of sensitive information stored on various network servers throughout campus. In order to protect our data it is important that we have a strong/complete security policy in effect. Passwords are an extremely important aspect of that security policy. They are the front line of protection for user accounts; it has been proven that computer hackers are able to guess or gather passwords to accounts, which can enable them to compromise most systems.
In order to protect our system, we require that passwords change every 90 days days. The idea behind password aging is that a password is less likely to be compromised if it is changed regularly, or that the exposure from such a compromise will be reduced, and that a user who stops using a service will have their password automatically expire if they do not otherwise intervene.
Password Security Guidelines
Password Aging for Faculty and Staff
- You must change your passwords every 90 days.
- Ignoring expiration notifications will result in account lockouts.
- Accounts locked out for 60 days or more will be disabled.
Password Aging Students
- You must change your passwords every 90 days.
- Ignoring expiration notifications will result in account lockouts.
- Accounts locked out for 60 days or more will be disabled.
Choosing Passwords
- Passwords must contain at least seven (7)characters.
- The password must contain at least one of each:
- upper case letter
- lowercase letter
- number
- special character (~,!,#,%,^,&,*)
- you CANNOT use the at sign (@) or the dollar sign ($)
- Passwords may not contain the username, first name or last name.
- Passwords should not include well known names or identification numbers.
- Birthdays or Social Security numbers must not be used.
- Passwords may not include common words from an English dictionary or foreign-language dictionary.
- Passwords may not contain commonly used proper names, including the name of any fictional character or place.
- Your password cannot be reset to any of the previously used 10 passwords.
- Passwords are case sensitive, so "password" is not the same as "PASSWORD".
Password Protection Guidelines
- Do not share passwords except in emergency circumstances or when there is an overriding operational necessity.
- Change your password immediately after sharing.
- Do not leave passwords in a location accessible to others or secured in a location for which protection is less than that required for information that the password protects.
- Do not send your password or any other sensitive information via email.
- If you suspect your password has been stolen or compromised, change it immediately!
- Do not write your password down and post it in a unsecured area such as your computer’s monitor.
What If I forget My Password?
In order to accurately identify users without using their social security numbers, a Self-Service Password Management System is being created which will use questions and answers that will allow users to reset or change their password. It is imperative that all current faculty and staff enroll in the password management system in order to use the system to manage their passwords. New faculty and staff will be enrolled upon initial account creation.
Password Security
Why is password security so important?
Passwords are the virtual keys to the FSU networking system. Passwords give you access not only to all the files and information on your computer (data files, email, network drives, etc.), but also to student and financial information.
Passwords have become so common, so much a part of our daily lives, we treat them with casual indifference. As a result, we too often forego security for convenience. We come up with weak passwords that are easy to guess. We store passwords unprotected on our desktops. We write them down and tape them to our computer screens. If you password is stolen, you will not be the only one affected. Identity theft has become an epidemic and we all need to take measures to protect ourselves and our students.
How are passwords stolen?
Other than the obvious (a written down password or a password that has been entrusted to someone you know), hackers use cracking programs that can launch dictionaries to try and match your passwords in mere seconds.
Weak passwords will be quickly guessed while strong passwords may never be guessed:
| Passwords | Time to Hack |
| 4 character lower or upper case letters | a few seconds |
| 4 character lower and upper case letters | a few seconds |
| 4 character lower and upper case and number | a few seconds |
| 5 character lower or upper case letters (e.g passb) | under 60 seconds |
| 5 character lower & upper case letters (e.g passB) | approx 6 minutes |
| 5 character lower & upper case and number (e.g Pasb1) | approx 15 minutes |
| 8 character lower or upper case | approx 58 hours |
| 8 character lower & upper case | approx 21 months |
| 8 character lower & upper case and number | approx 7 years |
| 10 character lower or upper case | approx 5 years |
| 10 character lower & upper case | approx 4648 years |
| 10 character lower & upper case and number | approx 26984 years |
What are the guidelines for strong passwords?
- Use at least seven characters; the more characters, the better (as long as you can remember them).
- Make your password easy for you to remember but hard for someone else to guess.
- Intersperse punctuation marks or symbols such as #, $, %, etc. Do not use a blank space.
- Always use a mixture of upper- and lower-case characters.
- Never write down your password; someone else might see it.
- Select a unique password. Do not use a password that you are using for some other purpose, such as your PIN at the bank or your password to another system.
What other ways can I secure the information on my computer?
One of the biggest mistakes people do is to leave their desktops unattended without logging off first. Anyone can then walk up to your desktop and access information.
- Log off or lock your desktop (Keyboard short cut – Windows key + L )
- Log off Banner systems when you are done
Tips on Choosing a Strong Password
Some systems have programs that check the password selected and can disallow a poor choice, but not all systems have this capability. To avoid problems, follow these basic guidelines when choosing your password:
- Use at least seven characters; the more characters, the better (as long as you can remember them). Some systems (including most Unix systems) allow you to use up to 63 characters, so you can be creative.
- Make your password easy for you to remember but hard for someone else to guess. Picking letters from a phrase that's meaningful to you may be the source for a good password. In this way, your password is really a "pass phrase." ("Do you know the way to San Jose?" could be D!Y!KtwTSJ?)
- Intersperse punctuation marks or symbols such as #, $, %, etc. Do not use a blank space.
- Always use a mixture of upper- and lower-case characters.
- Never write down your password; someone else might see it.
- Select a unique password. Do not use a password that you are using for some other purpose, such as your PIN at the bank or your password to another system.
What Are Some Strategies for Choosing a Good Password?
Use lines from a childhood verse:
Verse Line: Yankee Doodle went to town
Password: YDwto#town
Expressions inspired by the name of a city:
City Expression: I love Paris in the springtime
Password: 1LpinST (replace the letter L with the number 1)
Note: Obviously, you shouldn't use any of the passwords used as examples in this document. Treat these examples as guidelines only.
How will enforcing a password requirement help the overall security off our data?
Because all of the following can be accessed with your username and password:
- Blackboard
- Domain Logon
- Citrix
- VPN
- iNside FSU
- Campus Desktop logon
Any comprise of your password could possibly affect sensitive information in all of the systems mentioned above. If you suspect that your password has been compromised in any way, change it immediately.
Self-Service Password Management System
All faculty, staff, and students must enroll in the password management system in order to change and retrieve forgotten passwords. For security reasons, you will no longer be allowed to call the help desk to reset your password. If you haven't enroll in the system and need help with your password, you will need to come in person to the help desk with a valid FSU ID.