Number: 8060.S000 Revised: December 15, 2016
This policy establishes minimum standard password requirements to protect university information resources.
Passwords are used on university devices and systems to facilitate authentication, i.e., helping ensure that the person is who they say they are. The security of university data is highly dependent upon the secrecy and characteristics of such passwords. Compromised passwords can result in loss of data, denial of service for other users, or attacks directed at other Internet users from a compromised machine. Compromised passwords can also result in the inappropriate disclosure of confidential data.
To protect against these risks, CSU East Bay has adopted the following password standards.
This standard applies to all university information resources that use passwords to authenticate users. All passwords used to access CSU East Bay systems must adhere to this standard unless technically infeasible. This standard covers departmental resources as well as resources managed centrally. The term password is applied broadly and includes passphrases, digital keys, and other forms of credentials used to authenticate access to CSU East Bay systems.
Information Technology Services provides identity management services that comply with these password standards and are used by most CSU East Bay enterprise applications. All university systems and processes subject to this standard are encouraged to integrate with CSU East Bay identity management services; otherwise, systems must implement the same password standards locally.
System administrators may choose to implement these standards with a combination of technological controls and local practice. Standards and practices adopted by a college or administrative unit must be consistent with this standard but may provide additional detail, guidelines or restrictions.
All exceptions to the above access control policies must be approved in writing by the university Information Security Officer (ISO).
(Also published at NetID)
Personally assigned university NetIDs are subject to password policy rules that help protect the account from inadvertent or malicious access. Users are strongly advised to implement a robust, hard-to-guess password to further enhance the account's security. Passwords currently adhere to the following:
In addition to the above requirements for personally assigned Faculty & Staff NetIDs, the following requirements apply to administrator accounts used to manage campus IT infrastructure such as servers, databases, applications and network components. Where compliance is infeasible, an exception must be requested in writing to the Information Security Officer (ISO).