Subject: Password Policy and Procedures
Group: Institutional
Approved by: President
Approval date: April 14, 2000
Effective date: April 30, 2018; April 14, 2000
Revised: February 2017
Administered by: Director of Computing Services
 
1.    Purpose
The purpose of this policy is to protect data on University computer and information-storage systems by ensuring the creation and protection of strong passwords.

2.    Scope
This policy applies to all individuals using any University computer system or other data storage device used to store or process University information.

3.    Authority for Password Requirements
Password requirements will be set to ensure a balance between complexity and usability. The Director of Computing Services is responsible for recommending password requirements, and the Vice-President, Finance and Administration, is responsible for approving them.
 
4.    Password Requirements
Passwords must have a minimum length of 14 characters.
 
5.    Password Requirement Guidelines
Individuals are responsible for creating their own passwords that are compliant with the requirements set out in section 4.
The following is a guide for creating passwords:

  • a.)    Include characters other than lowercase letters, such as uppercase letters, digits, and punctuation, to improve the security of a password, provided they are not used in a predictable pattern.
  • b.)    Do not use a word modified slightly with a single number added at the end or with well-known substitutions such as a zero used in place of the letter 'O'. These are easily predictable patterns.
  • c.)    Do not use the same password for University systems as is used for personal accounts or other organizations.
  • d.)    Do not use words that appear in a dictionary.
  • e.)    Do not include your name, the names of family members or pets, or other easily obtainable personal information in a password.
  • f.)    Do not use a word spelled backwards.
  • g.)    Do not use a combination of characters that someone watching could easily recognize as the password is entered.
  • h.)    When changing passwords, the new password should be different from the old one.

6.    Password Protection

  • Passwords must not be recorded on paper or online.
  • Passwords must not be recorded in a visible location in a workspace (e.g. a sticky note attached to a monitor or keyboard).
  • Passwords must not be shared with anyone.
  • Passwords must not be sent by e-mail.

7.    Other Considerations
Administrator passwords deserve additional attention. Administrator account access should only be granted to those requiring such access to perform their work.
Administrator accounts should not be shared.

8.    Review
This policy and procedure shall be reviewed at least every three years and either amended or confirmed.