Computing Password Policy

Updated 2/5/2016


Purpose

Given that passwords are the most frequently utilized form of authentication for accessing a computing resource, the purpose of this policy is to establish the guidelines for the creation of strong passwords, protection of passwords and frequency of password changes.  These guidelines should maximize the security of a password and minimize its misuse and theft.

Scope

This policy applies to anyone accessing or utilizing Massachusetts Maritime Academy’s (MMA) information technology resources or data.  This policy also pertains to computer systems accessing the internal Massachusetts Maritime Academy network from a remote location.

Policy

Password Construction

In general, a password's strength increases with its length and complexity; regular changes limit how long a stolen password remains useful. All passwords (e.g., email, web, desktop computer) should be strong passwords and follow the standards listed below:

All passwords must meet the following minimum standards, except where technically infeasible:

  • Be at least 8 characters in length;
  • Contain at least 3 of the following 4 character classes: uppercase letters, lowercase letters, digits 0-9, special characters (!@#$%^&*);
  • Not match any of the last 8 passwords used.

Password parameters shall be set to the following values:

  • Password aging = 180 days
  • Lockout duration = 30 minutes or manually reset
  • Lockout threshold = 5 failed attempts
  • Minimum password age = 3 days

To help prevent identity theft, personal information such as Social Security numbers or credit card numbers must never be used as a password. Passwords should also not consist of obvious dictionary words, easily recognized phrases, dates (especially family birthdays and anniversaries), telephone numbers, postal codes, or car registration numbers, since all of these are easily guessed by an attacker who knows something about the user.
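The construction rules and account parameters above are concrete enough to check mechanically. The following Python is an added example written for this page, not code from MMA or its IT department: it implements the length, character-class, history, dictionary/personal-information, minimum-age and lockout rules as stated, so a practitioner can see where each rule bites. The PBKDF2 work factor, the short word blocklist, the date-matching regular expression and the `LockoutTracker` design are assumptions made for the example; the policy does not specify any of them.

```python
import hashlib
import hmac
import os
import re
from datetime import timedelta

# Parameters taken from the policy text above.
MIN_LENGTH = 8
MIN_CLASSES = 3                      # of: uppercase, lowercase, digit, special
HISTORY_DEPTH = 8                    # cannot match the last 8 passwords
MIN_AGE = timedelta(days=3)
MAX_AGE = timedelta(days=180)        # password aging
LOCKOUT_THRESHOLD = 5                # failed attempts
LOCKOUT_DURATION = timedelta(minutes=30)

SPECIALS = set("!@#$%^&*")
# Assumed: a tiny stand-in for the "obvious dictionary words" rule; a real
# deployment would load a full word list.
BLOCKLIST = ("password", "welcome", "letmein", "qwerty", "maritime")
PBKDF2_ROUNDS = 100_000              # assumed work factor, not from the policy


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The history stores only (salt, digest) pairs,
    never plaintext, so old passwords are not exposed by the history check."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(candidate, history):
    """True if candidate equals any of the last HISTORY_DEPTH stored passwords."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            return True
    return False


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ])


def check_password(candidate, history=(), personal_info=(), last_changed=None, now=None):
    """Return the list of policy rules the candidate violates (empty = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if in_history(candidate, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    lowered = candidate.lower()
    if any(word in lowered for word in BLOCKLIST):
        problems.append("contains a dictionary word")
    # Personal info (SSN, phone, plate, ...) is checked as a substring, so
    # "Ab!123456789" is rejected when 123456789 is the user's SSN.
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    # Assumed heuristic: a 19xx/20xx year or a d/m or m-d fragment counts as a date.
    if re.search(r"(19|20)\d{2}|\d{1,2}[/-]\d{1,2}", candidate):
        problems.append("contains a date")
    if last_changed is not None and now is not None and now - last_changed < MIN_AGE:
        problems.append(f"minimum password age of {MIN_AGE.days} days not reached")
    return problems


def is_expired(last_changed, now):
    """Password aging: a change is required once MAX_AGE has elapsed."""
    return now - last_changed >= MAX_AGE


class LockoutTracker:
    """Consecutive-failure counter per account implementing the 5-attempt,
    30-minute lockout. The counter resets on success or when a lockout expires."""

    def __init__(self):
        self.failures = {}
        self.locked_until = {}

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return True
        if until is not None:            # lockout duration has elapsed
            del self.locked_until[user]
            self.failures[user] = 0
        return False

    def record(self, user, success, now):
        """Record one login attempt; return True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        if success:
            self.failures[user] = 0
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_DURATION
            return True
        return False
```

`check_password("Tr0ub4dor&3")` returns an empty list, while `check_password("password1")` is rejected on both the character-class and dictionary rules; the history check re-derives the PBKDF2 digest with each stored salt and compares in constant time, which is the only way to enforce "not the last 8" without keeping old passwords in the clear. Note that the helpdesk or self-service reset path described under Password Maintenance would normally bypass the minimum-age check; the example applies it only to user-initiated changes.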

Password Protection

  • All passwords are to be treated as sensitive information and should never be written down or stored online unless adequately secured.
  • Individual passwords must not be shared with anyone.  Shared passwords used to protect network devices, shared folders or files require a designated individual to be responsible for maintaining those passwords, and that person will ensure that only appropriately authorized employees have access to them.
  • One-time-use passwords may be communicated via email or other electronic means so that they reach their intended owner promptly.
  • Passwords that could be used to access sensitive information must be encrypted in transit.
  • If a password is suspected to have been compromised, it should be changed immediately and the incident reported to the MMA Helpdesk.

Password Maintenance

  • Users may reset or unlock a password at any time via the self-service password reset program, the MMA Helpdesk, or at an Academy-owned PC.
  • Notifications of a pending password expiration will begin 14 days before the password expires.  The notifications are sent via email and are also displayed when the end user logs into an Academy-owned PC.

Administrator-level Passwords

In addition to the password standards listed above, the following standards apply to administrator-level passwords, except where technically and/or administratively infeasible:

  • Administrator passwords must be changed whenever IT personnel who know them leave or change roles.
  • If an administrator password is suspected to have been compromised, the incident must be reported to the MMA Helpdesk and potentially affected passwords must be changed immediately.
  • Failed login attempts should be logged, unless doing so would record or display the password that was attempted (a mistyped attempt often differs from the real password by a single character).  It is recommended that these logs be retained for a minimum of 30 days.
  • System log files should never contain passwords or any information that would expose a password.

Enforcement

Any employee found to have violated this policy, intentionally or unintentionally, may be subject to the loss of computing system access and/or disciplinary action, up to and including termination of employment.

Responsibility

Under the direction of the Vice President of Technology and Library Services, the TLS Directors are responsible for coordinating and establishing procedures and practices which are necessary for compliance with this policy.

This policy is owned by the Vice President of Technology and Library Services, who will coordinate any and all revisions.

References

Framework: SANS Top 20 Controls (CSC 12-3, CSC 12-8, CSC 12-14, CSC 16-8, CSC 16-9)
Regulations and Requirements: PCI DSS, MA 201, HIPAA
Supporting Standards and Procedures: none listed


REVISION HISTORY

This section contains comments on any revisions that were made to this document and the date they were made.

Version Number | Issued Date | Changes Made By | Description of Changes
1.0 | 1/27/2016 | | Initial policy
2.0 | 2/5/2016 | Anne Marie Fallon | Additions made to policy