8060.S000 - CSUEB Password Policy
Number: 8060.S000 Revised: December 15, 2016
This policy establishes minimum standard password requirements to protect university information resources.
Passwords are used on university devices and systems to facilitate authentication, i.e., helping ensure that the person is who they say they are. The security of university data is highly dependent upon the secrecy and characteristics of such passwords. Compromised passwords can result in loss of data, denial of service for other users, or attacks directed at other Internet users from a compromised machine. Compromised passwords can also result in the inappropriate disclosure of confidential data.
To protect against these risks, CSU East Bay has adopted the following password standards.
This standard applies to all university information resources that use passwords to authenticate users. All passwords used to access CSU East Bay systems must adhere to this standard unless technically infeasible. This standard covers departmental resources as well as resources managed centrally. The term password is applied broadly and includes passphrases, digital keys, and other forms of credentials used to authenticate access to CSU East Bay systems.
Information Technology Services provides identity management services that comply with these password standards and are used by most CSU East Bay enterprise applications. All university systems and processes subject to this standard are encouraged to integrate with CSU East Bay identity management services; otherwise, the systems must implement the same password standards locally.
System administrators may choose to implement these standards with a combination of technological controls and local practice. Standards and practices adopted by a college or administrative unit must be consistent with this standard but may provide additional detail, guidelines or restrictions.
All exceptions to the above access control policies must be approved in writing by the university Information Security Officer (ISO).
(Also published at NetID)
Personally assigned university NetIDs are subject to password policy rules that help protect the account from inadvertent or malicious access. Users are strongly advised to choose a robust, hard-to-guess password to further enhance the account's security. NetID passwords are currently subject to the following rules:
- Password length:
  - eight (8) characters minimum for Student NetIDs
  - ten (10) characters minimum for Faculty & Staff NetIDs
- Passwords must contain characters from all four of the following categories: English uppercase letters (A through Z), English lowercase letters (a through z), base-10 digits (0 through 9), and non-alphanumeric characters (for example, !, $, #, %);
- Passwords may not contain the user's first or last name or NetID, or any facsimile thereof (e.g., Gene written as G3n3);
- Accounts are locked out for a set duration after 10 invalid login attempts;
- The last 3 passwords are remembered (that is, when changing your password you may not re-use any of your previous 3 passwords);
- While student passwords currently do not expire, faculty and staff passwords do expire after 180 days.
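The NetID rules above amount to a validation routine that a locally managed system would have to implement when it cannot integrate with the central identity service. The following is an added example written for this page, not code from CSU East Bay or its identity management service. It checks length by account type, the four character categories, the name/NetID facsimile rule, and a history of the last 3 passwords. The substitution table used to undo disguises such as G3n3 is an assumption of the example (the policy gives only that one illustration), and the history is stored as salted PBKDF2 hashes rather than plaintext, which is a design choice of the example:

```python
import hashlib
import hmac
import os
import string
from typing import List, Sequence, Tuple

# Parameters stated in the policy text: minimum length by account type and a history of 3.
MIN_LENGTH = {"student": 8, "faculty_staff": 10}
HISTORY_DEPTH = 3
PBKDF2_ITERATIONS = 100_000  # constructed value for this example; tune for your hardware

# Substitutions commonly used to disguise a name (Gene -> G3n3). The policy gives only that
# one example, so this table is an assumption of this example, not part of the policy.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})

HashEntry = Tuple[bytes, bytes]  # (salt, derived key)


def normalize(text: str) -> str:
    """Lower-case the text and undo common digit/symbol-for-letter substitutions."""
    return text.lower().translate(LEET_MAP)


def hash_password(password: str) -> HashEntry:
    """Salted PBKDF2 so the history store never holds plaintext passwords."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def in_history(password: str, history: Sequence[HashEntry]) -> bool:
    """True if the candidate equals any of the remembered password hashes."""
    for salt, key in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, key):
            return True
    return False


def check_password(password: str, account_type: str, first_name: str, last_name: str,
                   netid: str, history: Sequence[HashEntry] = ()) -> List[str]:
    """Return the list of policy rules the password violates; an empty list means it is acceptable.

    `history` holds (salt, key) entries for previous passwords, oldest first.
    """
    violations: List[str] = []

    min_len = MIN_LENGTH[account_type]
    if len(password) < min_len:
        violations.append(f"shorter than {min_len} characters")

    # All four character categories are required.
    categories = {
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in categories.items() if not present]
    if missing:
        violations.append("missing character categories: " + ", ".join(missing))

    # The name/NetID check runs on the normalized form so that G3n3 is still caught as Gene.
    normalized = normalize(password)
    for label, value in (("first name", first_name), ("last name", last_name), ("NetID", netid)):
        if value and normalize(value) in normalized:
            violations.append(f"contains {label} or a facsimile of it")

    # Only the most recent HISTORY_DEPTH entries count.
    if in_history(password, list(history)[-HISTORY_DEPTH:]):
        violations.append(f"matches one of the last {HISTORY_DEPTH} passwords")

    return violations
```

The facsimile check is deliberately a plain substring match after normalization, so very short names (two or three letters) will produce false positives; a deployment would want a minimum name length or a whitelist for those cases. Running the check against the normalized form also means an attacker-style disguise of the NetID is rejected the same way as the plain NetID.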
In addition to the requirements above for personally assigned Faculty & Staff NetIDs, the following requirements apply to administrator accounts used to manage campus IT infrastructure such as servers, databases, applications and network components. Where compliance is infeasible, an exception must be requested in writing from the Information Security Officer (ISO).
- Administrative passwords should be changed as frequently as the risk warrants; the maximum password age for such accounts is 180 days (that is, at least twice a year).
- Administrative passwords must be unique from other passwords used by the individual.
- Use of administrative passwords must be limited to system administration activities only.
- Administrative passwords must be changed whenever there is a change in personnel who have administrator access, including separation and reassignment events.
- Wherever possible, multi-factor authentication should be used with administrator accounts.
- Shared or common administrative passwords must be on file with the employee's supervisor, or readily accessible by the supervisor, in the event of an emergency or if the administrator is not available.
- Administrative passwords may be stored in a secured and encrypted electronic location with limited access.
- If an account or password is suspected to have been compromised, the incident must be reported to ISO and potentially affected passwords must be changed immediately.
- Attempts to guess a password should be limited to ten incorrect guesses. Access should then be locked for a minimum of ten minutes, unless a local system administrator intercedes.
- Failed attempts should be logged, unless such action results in the display of the failed password. It is recommended that these logs be retained for a minimum of 30 days. Administrators should regularly inspect these logs and any irregularities such as suspected attacks should be reported to the ISO.
- Log files should never contain password information.
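The three logging and lockout rules above (ten guesses, a lockout of at least ten minutes unless an administrator intercedes, failed attempts logged without the password) can be enforced in one small component in front of whatever verifies the credential. The following is an added example written for this page, not code from the university or any product it uses. The `verify` callable is an assumption standing in for the real credential check, the clock is injectable so lockout expiry can be exercised without waiting, and the in-memory `audit_log` stands in for the retained log file; the `suspicious_sources` helper shows the kind of irregularity an administrator inspecting the log would report to the ISO:

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Thresholds stated in the policy: ten incorrect guesses, then a lockout of at least ten minutes.
MAX_FAILED_ATTEMPTS = 10
LOCKOUT_SECONDS = 600


@dataclass
class _AccountState:
    failures: int = 0          # consecutive failed guesses since the last success or lockout
    locked_until: float = 0.0  # clock value at which the lockout expires


class LockoutTracker:
    """Tracks failed logins per account and writes an audit log that never carries a password."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock              # injectable so lockout expiry can be tested without sleeping
        self._state: Dict[str, _AccountState] = {}
        self.audit_log: List[str] = []   # in-memory stand-in for the retained log file

    def _log(self, event: str, user: str, source: str, **fields) -> None:
        # Only metadata is recorded; the submitted password is never passed to this method.
        extra = "".join(f" {key}={value}" for key, value in fields.items())
        self.audit_log.append(f"t={self._clock():.0f} event={event} user={user} src={source}{extra}")

    def is_locked(self, user: str) -> bool:
        state = self._state.get(user)
        return state is not None and state.locked_until > self._clock()

    def attempt_login(self, user: str, password: str, source: str,
                      verify: Callable[[str, str], bool]) -> bool:
        """Apply the lockout rule around a credential check; returns True only on an accepted login."""
        state = self._state.setdefault(user, _AccountState())
        now = self._clock()
        if state.locked_until > now:
            # Even a correct password is refused while the lockout is in force.
            self._log("AUTH_REJECTED_LOCKED", user, source, unlock_at=f"{state.locked_until:.0f}")
            return False
        if verify(user, password):
            state.failures = 0
            self._log("AUTH_OK", user, source)
            return True
        state.failures += 1
        if state.failures >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures = 0
            self._log("ACCOUNT_LOCKED", user, source, unlock_at=f"{state.locked_until:.0f}")
        else:
            self._log("AUTH_FAIL", user, source, attempt=state.failures)
        return False

    def admin_unlock(self, user: str, admin: str) -> None:
        """A local system administrator interceding before the lockout expires."""
        state = self._state.setdefault(user, _AccountState())
        state.locked_until = 0.0
        state.failures = 0
        self._log("ADMIN_UNLOCK", user, "console", admin=admin)

    def suspicious_sources(self) -> Dict[str, int]:
        """Count lockouts per source address, the kind of irregularity the policy says to report."""
        counts: Dict[str, int] = {}
        for line in self.audit_log:
            if "event=ACCOUNT_LOCKED" in line:
                src = line.split(" src=")[1].split()[0]
                counts[src] = counts.get(src, 0) + 1
        return counts
```

Two points are worth noting. The password is a parameter of `attempt_login` only so it can be handed to `verify`; it is never interpolated into a log line, which is the simplest way to satisfy the rule that log files must not contain password information. The lock is released purely by the clock (or by `admin_unlock`), so a correct password submitted during the ten minutes is refused and logged rather than resetting the counter, which keeps the lockout from being probed.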