Password Policy

University of Northwestern and Northwestern Media

Policy Statement

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access to, or exploitation of, university resources. All users are responsible for taking the steps outlined below to select and secure their passwords.

Purpose

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of password changes.

Scope

This policy applies to all users of computing resources owned or managed by University of Northwestern – St. Paul (UNW). Individuals covered by the policy include (but are not limited to) UNW faculty and visiting faculty, staff, students, alumni, guests or agents of the administration, contractors, external individuals and organizations accessing network services via UNW’s computing facilities. This policy does not pertain to non-UNW systems/services or personal accounts. It also does not apply to passwords supplied by vendors.

Computing resources include all university owned, licensed, or managed hardware and software and use of the university network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

These policies apply to technology administered in individual departments, the resources administered by central administrative departments (such as the University Library and Information Technology), personally owned computers and devices connected by wire or wireless to the campus network, and to off-campus computers that connect remotely to UNW's network services.

Policy

1.1 Password Creation

1.1.1 - All user-level passwords must conform to the Password Construction Guidelines (section 1.5).

1.1.2 - Users must not use the same password for UNW accounts as for other non-UNW access (for example, personal email, bank, ISP account, option trading, benefits, and so on).

1.1.3 - Where possible, users should not reuse one password across multiple systems when unique passwords can be used.

1.2 Password Change

1.2.1 - All system-level passwords must be changed on a yearly basis, where possible.

1.2.2 - All user-level passwords must be changed at least every 183 days.

1.2.3 - Password cracking or guessing may be performed on a periodic or random basis by IT or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it to be in compliance with the Password Requirement Guidelines.

1.3 Password Protection

1.3.1 - Passwords must not be shared with anyone, including administrative assistants, secretaries, managers, co-workers covering while you are on vacation, and family members. All passwords are to be treated as sensitive, confidential information.

1.3.2 - Passwords must not be inserted into email messages. Please contact IT for recommendations on transmitting sensitive information. 

1.3.3 - Passwords must not be revealed over the phone to anyone. During the manual password reset process, IT may communicate a temporary password over the phone that must be changed by the user immediately after.

1.3.4 - Do not reveal a password on questionnaires or forms.

1.3.5 - Do not hint at the format of a password (for example, "my family name").

1.3.6 - Do not write passwords down or store them anywhere in your office or alongside the system they access.

1.3.7 - Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption. Please contact IT for password management tool recommendations.

1.3.8 - Do not use the "Remember Password" feature of applications (for example, web browsers). Doing so puts your security at risk.

1.3.9 - Any user suspecting that his/her password may have been compromised must immediately report the incident to IT and change that password everywhere it was used.

1.3.10 - IT staff will never ask for your UNW password, and will not perform any service using a UNW password that a user has written down for them.

1.4 Application Development

Application developers must ensure that their programs contain the following security precautions:

1.4.1 - Applications must support authentication of individual users, not groups.

1.4.2 - Applications must not store passwords in clear text or in any easily reversible form.

1.4.3 - Applications must not transmit passwords in clear text over the network.

1.4.4 - Applications must provide for some sort of role management so that a user can take over the functions of another without having to know the other's password.

1.5 Password Construction Guidelines

1.5.1 - Passwords must be at least 14 characters in length.

1.5.2 - Passwords must contain characters from three of the following categories:

o Uppercase letters

o Lowercase letters

o Base 10 digits (0 through 9)

o Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

1.5.3 - Passwords cannot match any of your last 24 passwords.

1.5.4 - Poor, or weak, passwords have the following characteristics:

o Contain fewer than fourteen characters.

o Can be found in a dictionary (including foreign-language dictionaries), or are slang, dialect, or jargon terms.

o Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.

o Contain work-related information such as building names, system commands, sites, companies, hardware, or software.

o Contain keyboard or character patterns such as aaabbb, qwerty, zyxwvuts, or 123321.

o Contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1, 1secret, or some version of “Welcome123,” “Password123,” or “Changeme123”).
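The checks in sections 1.4.2 and 1.5 can be expressed as a small validator. The following is an added example for illustration, not code from UNW or any UNW system: it stores passwords only as salted PBKDF2-HMAC-SHA256 hashes (an assumed scheme that satisfies 1.4.2 and lets 1.5.3 be checked without keeping old passwords in clear text), enforces the 14-character minimum and three-of-four category rule of 1.5.1 and 1.5.2 using the exact special-character set listed above, and flags the weak-password characteristics of 1.5.4. The wordlist and keyboard sequences are constructed stand-ins for the full dictionaries a real deployment would load; the `forbidden_terms` parameter is a hypothetical hook for the per-user personal and work-related words the policy describes.

```python
import hashlib
import hmac
import os
import re
import string

# Special characters exactly as listed in guideline 1.5.2.
SPECIALS = set('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')
MIN_LENGTH = 14        # 1.5.1
MIN_CATEGORIES = 3     # 1.5.2
HISTORY_DEPTH = 24     # 1.5.3

# Constructed, deliberately tiny wordlist and keyboard runs for 1.5.4; a real
# deployment would load full dictionaries, including foreign-language ones.
DICTIONARY = {"secret", "welcome", "password", "changeme", "northwestern"}
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             string.digits, string.ascii_lowercase)


# --- 1.4.2: store passwords only as salted, slow, one-way hashes -------------

def hash_password(password, iterations=600_000):
    """Return 'salt$iterations$digest' using PBKDF2-HMAC-SHA256 (assumed scheme)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time comparison of a candidate against a stored hash record."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


# --- 1.5: construction checks ---------------------------------------------------

def character_categories(pw):
    """Count how many of the four 1.5.2 categories the password uses."""
    tests = (
        lambda c: c in string.ascii_uppercase,
        lambda c: c in string.ascii_lowercase,
        lambda c: c in string.digits,
        lambda c: c in SPECIALS,
    )
    return sum(any(test(c) for c in pw) for test in tests)


def looks_like_pattern(pw):
    """1.5.4: repeated runs (aaabbb), keyboard or alphabet runs in either
    direction (qwerty, zyxwvuts) and mirrored digit strings (123321)."""
    low = pw.lower()
    if re.search(r"(.)\1\1", low):            # same character three times in a row
        return True
    for seq in SEQUENCES:
        for run in (seq, seq[::-1]):
            if any(run[i:i + 4] in low for i in range(len(run) - 3)):
                return True
    return any(len(d) >= 4 and d == d[::-1] for d in re.findall(r"\d+", low))


def looks_like_dictionary_word(pw):
    """1.5.4: a wordlist entry, optionally reversed or wrapped in digits
    (terces, secret1, 1secret, Welcome123)."""
    core = re.sub(r"^\d+|\d+$", "", pw.lower())
    return core in DICTIONARY or core[::-1] in DICTIONARY


def validate(pw, history=(), forbidden_terms=()):
    """Return the list of policy violations; an empty list means acceptable.
    history: stored hash records of the user's previous passwords, oldest first.
    forbidden_terms: hypothetical per-user list of personal or work-related words."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"1.5.1: shorter than {MIN_LENGTH} characters")
    if character_categories(pw) < MIN_CATEGORIES:
        problems.append(f"1.5.2: fewer than {MIN_CATEGORIES} character categories")
    if any(verify_password(pw, h) for h in list(history)[-HISTORY_DEPTH:]):
        problems.append(f"1.5.3: matches one of the last {HISTORY_DEPTH} passwords")
    if looks_like_dictionary_word(pw):
        problems.append("1.5.4: dictionary word, reversed word, or word plus digits")
    if looks_like_pattern(pw):
        problems.append("1.5.4: keyboard, repeated, or mirrored character pattern")
    low = pw.lower()
    if any(term.lower() in low for term in forbidden_terms if term):
        problems.append("1.5.4: contains personal or work-related information")
    return problems


if __name__ == "__main__":
    previous = [hash_password("Old-Passphrase-2022!")]   # constructed history
    for candidate in ("Welcome123", "Old-Passphrase-2022!",
                      "correct horse battery", "Quartz!Lantern#47 Moss"):
        print(candidate, "->", validate(candidate, previous, ["Ruby"]) or "OK")
```

Only the hash records, never the passwords themselves, need to be retained to enforce the 24-password history, which keeps the history check consistent with 1.4.2.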

1.6 Account Lockout

1.6.1 - In order to limit attempts at guessing passwords or compromising accounts, an account lockout policy is in effect for all systems. Accounts will lock for 15 minutes after 3 failed password attempts in 5 minutes.
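The lockout rule in 1.6.1 is a sliding-window counter: three failures within any five-minute window lock the account for fifteen minutes. The following is an added example of that logic, not code from UNW or any UNW system; timestamps are passed in explicitly (seconds, as from `time.time()`) so the behaviour is deterministic, and the attempt sequence in the main block is constructed.

```python
from collections import defaultdict, deque

# Parameters taken from guideline 1.6.1.
MAX_FAILURES = 3            # failed attempts ...
WINDOW_SECONDS = 5 * 60     # ... within 5 minutes ...
LOCKOUT_SECONDS = 15 * 60   # ... lock the account for 15 minutes


class LockoutTracker:
    """Per-account sliding-window failure counter with a timed lockout."""

    def __init__(self):
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lockout expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                      # lockout has expired
            del self._locked_until[account]
            return False
        return True

    def record_failure(self, account, now):
        """Register a failed attempt; return True if this one triggered a lockout."""
        window = self._failures[account]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:   # drop failures older than 5 min
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            window.clear()
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(tracker, account, password_ok, now):
    """Return 'locked', 'ok', 'failed' or 'locked_now'.

    An attempt against a locked account is rejected before the password is
    examined, so a correct guess during the lockout is neither accepted nor
    distinguishable from a wrong one, and it does not extend the lockout."""
    if tracker.is_locked(account, now):
        return "locked"
    if password_ok:
        tracker.record_success(account)
        return "ok"
    return "locked_now" if tracker.record_failure(account, now) else "failed"


if __name__ == "__main__":
    tracker = LockoutTracker()
    # Constructed sequence: three wrong passwords within two minutes, then a
    # correct one during the lockout, then a correct one after it expires.
    for t, ok in ((0, False), (60, False), (120, False), (121, True), (1020, True)):
        print(f"t={t:5d}s password_ok={ok!s:5} -> {attempt_login(tracker, 'jdoe', ok, t)}")
```

Because the rule keys on the account name, repeated wrong guesses against someone else's account lock that user out; the failures that trigger a lockout should therefore be logged with the source address so that IT can tell a forgotten password from a guessing attempt against many accounts.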

Policy Compliance

The Chief Information Officer is responsible for enforcing this policy and is authorized to set specific password creation and management standards for UNW systems and accounts.

Cabinet Approved: 6/29/2018

Last Updated: 4/28/2023

Responsible College Officer: CIO

Policy Owner: Information Technology

Policy Contact: CIO