Password Protection Policy

1. Purpose

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of Connecticut College's resources. The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

2. Scope

The scope of this policy includes all faculty, students, staff, contractors and affiliates who have or are responsible for an account or any form of access that requires a password on any system that resides at Connecticut College, has access to the College network, or stores any nonpublic College information.

3. Definitions and Authority

“Basic account and system access” allows access to the college network, email, Self­Service Banner (SSB), CamelWeb, and Moodle.

“College Affiliate” or “Contractor” is someone officially attached or connected to the College who is not a student or employee (e.g., contractors, vendors, interns, temporary staffing, volunteers.)

4. Policy

All Connecticut College data network users, including contractors and affiliates with access to the College systems, are responsible for following College “Password Requirements,” as outlined below, to select, secure and change their passwords.

5. Password Requirements:

5.1 Password Creation

5.1.1 The password cannot contain all or part of your user account name or login id.

5.1.2 Users must not use the same password for Connecticut College accounts as for other non­College access (for example, personal ISP account, personal email account, benefits, and so on).

5.1.3 The password must be at least eight (8) characters in length.

5.1.4 The password must contain characters from three of the following categories:

    •  English uppercase characters (A through Z)
    •  English lower­case characters (a through z)
    •  Numbers (0 through9)
    •  Non­alphabetic characters (for example, !, $, #, %)

5.1.5 The following are examples of passwords that follow the necessary criteria. Do not use these examples.

    •  &Ez2do, Suce$$ful, 2S!ncere, Etc&etc,

5.2 Password Change

5.2.1 Passwords must be changed every 180 days.

5.2.2 All system­level passwords (for example, root, enable, NT admin, application administration accounts, and so on) must be changed on at least a quarterly basis.

5.2.3 The three previous passwords cannot be used.

5.2.4 The password cannot be changed again until a period of 24 hrs has passed.

5.3 Password Protection

5.3.1 Passwords must not be shared with anyone. All passwords are to be treated as sensitive and confidential information.

5.3.2 Passwords must not be inserted into email messages or other forms of electronic communication.

5.3.3 Passwords must not be revealed over the phone to anyone.

5.3.4 Do not reveal a password on questionnaires or security forms.

5.3.5 Do not hint at the format of a password (for example, "my family name").

5.3.6 Do not share passwords with anyone, including administrative assistants, secretaries, managers, co­workers while on vacation, and family members.

5.3.7 Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption.

5.3.8 Do not use the "Remember Password" feature of applications (for example, web browsers).

5.3.9 Any user suspecting that his/her password may have been compromised must report the incident to the IT Service Desk and change all passwords.

5.4 Password Reset

5.4.1 If a password is forgotten it can be reset by correctly answering two security questions. The question and answer pair is established by the user when creating their account.

5.5 Application Development

Application developers must ensure that their programs contain the following security precautions:

5.5.1 Applications must support authentication of individual users, not groups.

5.5.2 Applications must not store passwords in clear text or in any easily reversible form.

5.5.3 Applications must not transmit passwords in clear text over the network.

5.5.4 Applications must provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

6. Policy Compliance

6.1 Compliance Measurement The Information Security team will verify compliance to this policy through various methods, including but not limited to, periodic walk­thrus, business tool reports, internal and external audits, and feedback to the Information Security Office.

6.2 Exceptions Any exception to the policy must be approved by the Chief Information Security Officer, in consultation with the Information Security Office, in advance.

6.3 Non­Compliance The protection of passwords in ways that are not consistent with the main purposes of the College, or that interfere with the work of other members of the College community, may be revoked, following the usual disciplinary processes of the College for students, faculty, and staff. For all others, the Vice President of Information Services, may revoke accounts for those who are neither employed nor enrolled in the College.