Password Policy, Standards and Guidelines

You are responsible for reviewing this procedure periodically to ensure your continued compliance with all Seton Hall University Information Technology guidelines.

Audience

All users of Seton Hall Information Technology systems that require authentication in order to gain entry.

Statement

You have been granted access to Seton Hall University's Information Technology systems. In the course of performing your responsibilities as a student, faculty member, staff or contractor, the systems' access granted to you may enable you to view, input and edit confidential University information, and personally identifiable information relating to University applicants, students, parents/guardians of applicants/students, alumni, donors, employees, vendors, contractors, affiliated entities and governmental units.

To protect confidential information, the Department of Information Technology has implemented the following password expiration rules:

• Student passwords will expire 330 days after the last password change;
• Faculty passwords will expire 330 days after the last password change;
• Employee, vendor and  contractor passwords will expire 330 days after the last password change.

• University employees who process credit cards are required to change their passwords every 30 days, in accordance with the Payment Card Industry Data Security Standard (PCI DSS).

All users of Seton Hall Information Technology must abide by the following password standards and guidelines and do everything they can to safeguard their passwords.

The new password must meet the following minimum requirements

• Be at least 14 characters in length
• Contain characters from three of the following five categories:
  • English uppercase characters (A through Z)
  • English lowercase characters (a through z)
  • Base 10 digits (0 through 9)
  • Non-alphanumeric characters (for example, !, $, #, %)
  • Unicode characters

Easy to Remember Password Methods:

• Choose a line or two from a song or poem, and use the first letter of each word. For example: 1, 2 buckle my shoe 3, 4, knock at the door becomes 12bms34katd
• Alternate between one consonant and one or two vowels, up to eight characters. This provides nonsense words that are usually pronounceable, and thus easily remembered. Examples include 33ZootBot or tAutzOt99
• Choose two short words, include numbers and concatenate them together with a punctuation character between them. For example: dog;2rain2, 3men+3mug, 8car6?goat.

Password "Don'ts"

• Do not use your login name in any form (as-is, reversed, capitalized, doubled, etc.).
• Do not use proper names (especially not your own nor that of your significant other, mother or child). This includes all first and last names as well as geographical locations.
• Do not use your initials or those of anyone close to you.
• Do not use other information easily obtained about you. This includes your phone, social security, SHU ID, license plate, VISA credit card number, your birth date, the brand of your automobile, the name of the street you live on, etc.
• Do not attempt to be clever and make your password a derivation (reversed, as-is, shifted by a few characters, a simple substitution code, doubled, etc.) of your User Name account name or your first or last name.
• Do not use a password that is so difficult for you to remember that you will forget it if you do not write it down.
• Do not reuse any passwords that you have used previously at SHU.

Keep your Passwords Safe

• Do not give out your password to anyone including IT staff or your supervisor.
• Do not share your account with anyone or let anyone else use your account.
• Do not write down your password on paper nor store it on a computing device. (It can be a help to write down your password for a few days when you have just changed it - keep any such copy in your wallet or purse and discard it as soon as you have memorized your new password).
• Do not use your User Name password as a password for another computer system, such as your ATM card PIN number or as your password to a website on the Internet.
• Do not let anyone see you type in your password. Stop typing if you notice someone watching you. Make sure your password is not being displayed on your screen as you type.
• Do not save or store your User Name password in a dialup PPP or VPN script.
• Be wary of any program or web page that asks you for your User Name password. Secure SHU web pages that ask you for your User Name password will have URLs that begin with "https://". Your browser (e.g., IE, Firefox, Mozilla) should visually indicate (icon of a closed padlock) that you are on a secure page. If you are being prompted for your User Name password from a particular web page that you do not recognize or if the page appears different from the screen you are familiar with, contact ITS to verify the authenticity of the page.
• Do not enter your passwords when using insecure protocols (e.g. programs that transmit user account and password information unencrypted) over unsafe networks.
• Configure your e-mail software to use secure protocols (e.g., TLS/SSL for both sending and receiving e-mail)
• If you use your User Name password in an insecure manner or from an insecure location you should change your password as soon as possible.
• If your User Name password has been compromised, contact the Help Desk (ITS). The first security measure will usually recommend will be to change your password, but ISO will also want to determine how the account and password was compromised, the impact of the exposure and whether to investigate, file a complaint, or prosecute.

Definitions

Authentication - Credentials required to gain entry to an automated system, ranging from (bad to best):

• No authentication - just start
• Weak Passwords - easy to guess
• Complex Passwords - more difficult to guess
• Complex Passwords with frequent mandatory changes, depending on risk
• Biometrics - authentication techniques that rely on measurable physical characteristics that can be automatically checked. Examples include retinal scans, computer analysis of fingerprints or speech, or other physiological means of user identification for security purposes.
• Multi-Factor - Refers to any authentication protocol that requires more than one form of authentication to access a system. This contrasts with tradition password authentication, which requires only one factor (knowledge of the password) in order to gain access to a system. Three standard kinds of authentication factors are recognized: something you know (like a password or PIN), something you have (like a credit card or Cell Phone), or something you are (like a fingerprint, a retinal pattern, or other biometrics).

Complex Password - also known as a "Strong Password" - a combination of randomly chosen characters, symbols and numbers that is difficult to guess. Better than a "Simple" Password which would be easy to guess.

Confidential University Information - (including, but not limited to, University business plans and financial information)

Personally Identifying Information - (including, but not limited to, dates/places of birth, social security numbers, credit card information, maiden names, home addresses and home/personal cell phone numbers)

Unencrypted - That is, clear text that, if intercepted by an unintended recipient, could be read and understood. As versus encrypted, or "encoded", requiring a key to decode.

Unsecured - That is, not (at least) complex password protected. Passwords in Microsoft Office, for example, give a minimum level of security (but are better than nothing).

Questions concerning this or any other Information Technology Plan, Policy, Procedure, Guideline, or Statement/Form can be directed to the Department of Information Technology Service Desk at (973) 275-2222 or [email protected]

Effective Date
May 7, 2009

Financial Issues: Data breaches involving personally identifiable information are very costly to mitigate - prevention is much less expensive.