XXI. Password Policy

I. Purpose

To establish policies and guidelines for the selection and use of passwords used to access Metropolitan State College of Denver's computing resources.

II. Scope

These policies apply to everyone having access to Metropolitan State College of Denver computing resources including, but not limited to, Metro Connect, Email, Windows, Macintosh, and UNIX services, BANNER, remote access, and systems administration and network administration.

III. Summary

Persons accessing password protected computing resources at Metropolitan State College of Denver are required to use strong passwords that are difficult to guess or crack. Passwords must be changed at least once every 120 days.

IV. Introduction

For passwords to be an effective security control, they must be chosen, stored, and managed appropriately. Poorly chosen passwords can be easily guessed or cracked and then used by someone who is not authorized to have access to the computing resource. Likewise, passwords that are inappropriately stored could be discovered and misused by unauthorized persons.

V. Policy Statements

  1. On computing systems that use passwords as an authentication mechanism, every computer account must have a non-blank password.
  2. All user and system passwords are to comply with the requirements listed in the Requirements section below.
  3. Passwords must be changed:
    1. Immediately upon first logon.
    2. At least every 120 days. Passwords which have not been changed within 120 days are subject to being systematically expired.
    3. When there is reason to believe the password has been compromised.
    4. For accounts with access to administrative computing resources, immediately upon departure of personnel having access to those accounts.
  4. Passwords are not to be posted on, under, or around a computer or in the work place.
  5. Persons using Metro State computing equipment are not to make use of the “Remember my password” or “Automatic login” options that are provided by some application programs and web browsers.
  6. Passwords are to be kept secret. Passwords are not to be shared with coworkers, family, friends, IT, or other people. No one in the Division of Information Technology, including the Help Desk, needs to know your password and should never ask you for your password.
  7. The use of password guessing, password cracking or keystroke logging software is prohibited without a court order or the written authorization of the College's legal counsel and at least one other member of the President's Cabinet. Any such activity is to be fully documented. Any data gathered by such activity is to remain confidential and is to be protected from unauthorized disclosure, use, or modification.

VI. Requirements

  1. The following requirements describe the creation of strong passwords:
    1. A password must be at least eight (8) characters in length. A password may be longer than eight characters.
    2. A name or a word from the dictionary may not be used as a password. Two or more unrelated words may be combined.
    3. A password must contain a mixture of upper and lower case letters, and numbers or punctuation marks. A password must contain:
      1. Two or more upper case letters from the alphabet (A-Z).
      2. Two or more lower case letters from the alphabet (a-z).
      3. Two or more decimal digits (0-9) or punctuation marks, or a decimal digit and a punctuation mark.
    4. A password must not contain a simple pattern or sequence of numbers or characters, such as “xyz123”.
    5. A password must not contain a person's student id/employee id number, social security number, date of birth, telephone number, or any other information that could be easily guessed or discovered about the individual.
    6. An old password must not be reused for at least 1 year from the date it was changed.
    7. A new password must have at least three (3) characters which differ from the previous password.
  2. Passwords used to access Metro State computing resources are not to be used to access non-Metro State computing resources.
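The requirements above can be checked mechanically at password-change time. The following validator is an added example, not part of the College's policy or systems; the word list, the treatment of "simple pattern" as any run of three consecutive or repeated characters, and the `personal` identifier list are assumptions.

```python
import string

# Constructed stand-in for the dictionary/name list of requirement 2; a real
# deployment would load a full word list plus the user's own name fields.
SAMPLE_DICTIONARY = {"password", "denver", "welcome", "summer", "metro", "roadrunner"}
_ALPHABET = string.ascii_lowercase
_DIGITS = string.digits


def _has_simple_sequence(pw: str, run: int = 3) -> bool:
    """Requirement 4. Assumption: a 'simple pattern' is any run of `run`
    consecutive letters or digits (either direction) or a repeated character."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if len(set(chunk)) == 1:                          # "aaa", "111"
            return True
        for base in (_ALPHABET, _DIGITS):
            if chunk in base or chunk in base[::-1]:      # "xyz", "123", "cba"
                return True
    return False


def check_password(pw: str, previous: str = "", personal=(), dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the violated requirements (an empty list means the password complies).
    `previous` is the user's last password (req 7); `personal` holds identifiers such as a
    student id or phone number that must not appear (req 5). Requirement 6 (no reuse for
    a year) needs a dated password history and is not modelled here."""
    problems = []
    if len(pw) < 8:
        problems.append("req1: fewer than 8 characters")
    if pw.lower() in dictionary:
        problems.append("req2: password is a name or dictionary word")
    if sum(c.isupper() for c in pw) < 2:
        problems.append("req3.1: fewer than two upper case letters")
    if sum(c.islower() for c in pw) < 2:
        problems.append("req3.2: fewer than two lower case letters")
    if sum(c.isdigit() or c in string.punctuation for c in pw) < 2:
        problems.append("req3.3: fewer than two digits or punctuation marks")
    if _has_simple_sequence(pw):
        problems.append("req4: contains a simple sequence such as xyz123")
    if any(p and p.lower() in pw.lower() for p in personal):
        problems.append("req5: contains a personal identifier")
    if previous:
        # Positions that differ, plus any change in length; at least three are needed.
        differing = sum(a != b for a, b in zip(pw, previous)) + abs(len(pw) - len(previous))
        if differing < 3:
            problems.append("req7: fewer than three characters differ from the previous password")
    return problems
```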

VII. Roles and Responsibilities

Everyone who is authorized access to Metro State password protected computing resources is responsible for complying with these policies and guidelines.

Supervisors are responsible for instructing their employees regarding these policies.

System Administrators/Database Administrators will configure their systems to enforce as many of the above password requirements as possible. When a system lacks the ability to enforce one or more of the most significant password requirements, these deficiencies will be documented and communicated to the Security Coordinator.

Computer systems will be configured to log all failed login attempts. The log entry should include the date, time, and username attempting to login, and the source IP address from which the login attempt was made.

Computer systems will be configured to disable an account for some indefinite period of time upon 5 successive failed login attempts to the account. A log entry should be recorded anytime an account is so disabled.
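The two paragraphs above describe failed-login logging and a lockout after 5 successive failures. The tracker below is an added example, not the College's configuration; the in-memory log, the event names, and the `LoginAuditor` class are assumptions standing in for a real system's audit log.

```python
from datetime import datetime, timezone

LOCKOUT_THRESHOLD = 5   # successive failures before the account is disabled


class LoginAuditor:
    """Counts successive failed logins per account, disables the account at the
    threshold, and records an entry with date/time, username and source IP."""

    def __init__(self):
        self._failures = {}   # username -> count of failures since the last success
        self.disabled = set()
        self.log = []         # constructed in-memory log; a real system writes to syslog/SIEM

    def _entry(self, event, username, source_ip, when):
        # Every entry carries the fields the policy requires.
        self.log.append(f"{when.isoformat()} {event} user={username} src={source_ip}")

    def failure_count(self, username):
        return self._failures.get(username, 0)

    def record(self, username, source_ip, success, when=None):
        """Record one login attempt; returns True only if the login is accepted."""
        when = when or datetime.now(timezone.utc)
        if username in self.disabled:
            self._entry("LOGIN_REJECTED_ACCOUNT_DISABLED", username, source_ip, when)
            return False
        if success:
            self._failures[username] = 0          # "successive" means a success resets the count
            return True
        count = self.failure_count(username) + 1
        self._failures[username] = count
        self._entry("LOGIN_FAILED", username, source_ip, when)
        if count >= LOCKOUT_THRESHOLD:
            self.disabled.add(username)           # stays disabled until an administrator re-enables it
            self._entry("ACCOUNT_DISABLED", username, source_ip, when)
        return False
```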

VIII. Exceptions

Under rare and specific circumstances, it may be necessary to petition the VP of Information Technology for a waiver of a portion of the password policy. The request for a waiver must be made in writing and must include a compelling business justification for the waiver, document what portion of the policy the waiver is for, who the waiver is for, how long the waiver will last, and how any risks introduced by the waiver will be managed. Granting a waiver of the password policy is not automatic. A petition for a waiver could be denied simply because of technical or security reasons.

IX. Reporting Violations

Any suspected violations of these policies, or unauthorized access to computing resources, or any other condition which could compromise the security of the college’s computing resources must be reported to the Division of Information Technology Security and Disaster Recovery Coordinator, http://www.mscd.edu/infotech/security/, 1-877-35AskIT (1-877-352-7548).

X. Remedies for Non-Compliance

Failure to comply with these policies may result in one or more of the following actions:

  1. suspension of access to the network for the individual,
  2. when appropriate, disciplinary action ranging from warning to termination and (for students) expulsion from the College, depending on circumstances, in accordance with applicable policies and procedures,
  3. when appropriate, initiation of civil or criminal proceedings.

XI. Authority

The Office of the President grants authority to the Vice President of Information Technology to oversee compliance with this policy.

Questions regarding this policy, or requests for variances from the policy, should be directed to the Vice President of Information Technology at (303) 556-2441.

Approved September 11, 2006

Revised: August 2008