
Password Policy IT and Library Services

Document Reference Number: UoG/ILS/IS 007

Date: September 2016

Title: Password Policy

Author: Information Security and Compliance Manager

Owning Department: Information and Library Services

Version: 5.0

Approval Date: September 6, 2016

Review Date: September 6, 2017

Approving Body: Information Assurance and Security Committee

1.0 Introduction

1.1 Passwords are broadly used to authenticate users to access IT resources, and to provide the front line of defence against unauthorised access.  Good password management will minimise the likelihood of user accounts being easily compromised, and mitigate risks to University information and IT systems.

1.2 All activities carried out on University IT systems using an individual's username and password are attributed to that individual; these activities are logged, and audit trails can be generated to analyse them. Generic (shared) usernames and passwords make it arduous to trace an activity to an individual, because the same login information is used by various people. Consequently it is important that passwords are not shared: sharing a password may result in an individual being held responsible for someone else's actions.

2.0 Purpose

2.1 The purpose of this policy is to set the standard for creating strong passwords and keeping them safe.

3.0 Scope

3.1 This policy applies to all individuals with University user accounts. This includes standard user accounts (used for day-to-day work, such as accessing email, network drives and other IT resources) and privileged accounts (used for managing IT systems).

4.0 ISO 27001 Reference

4.1 Clauses A5, A9

5.0 Principles

5.1 All passwords must be treated as confidential information and should not be shared with anyone or made public in any form – verbal or written.

5.2 The same password must not be used for multiple University IT systems where users have the option to set their own passwords.

5.3 Where a specific group of users require access to a particular system, each of them must be provided with their own unique login details for that system.

5.4 Privileged account users must have user accounts and passwords different from their standard user accounts.

5.5 University applications must not store passwords in clear text or in any easily reversible form, and passwords must not be transmitted in clear text over the network.

5.6 University login details must not be used for non-University systems or applications e.g. on social media websites, retail websites, personal email and cloud services.

5.7 Passwords must be changed every four months (approximately 120 days) or immediately if a user account has been compromised.

6.0 Password Requirements

The following are the requirements for managing passwords appropriately:

6.1 Passwords should be at least 8 characters long and should include a combination of upper and lower case letters, numbers and special characters, e.g. ! & , . = < > ' " : ; ? / { } [ ] ~ - \ ( ) _ + $ % ^ * @ #

6.2 Use a different password for each application / system that you use. For example, use one password for a financial application and a different password for an HR application.

6.3 Change the initial or default password given to you when you connect to the network, application or system for the first time.

6.4 Do not share your password with any staff when going on vacation.  A user account should be requested for your substitute if necessary.

6.5 Avoid reusing passwords.

6.6 Passwords should never be made public e.g. written down, stuck to your workstation screen or stored digitally in clear text.

6.7 Do not use the "Remember Password" feature in applications.

6.8 Do not use known information about yourself as a password hint (e.g., "my dog").

6.9 See Appendix A for password communication.

6.10 Any suspected or actual incident relating to a password compromise should be reported immediately to the IT Help Desk, and the password should be changed promptly.

6.11 Visit these links to read more on Managing University Passwords and General Password Guidelines.
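As an added illustration (not part of the policy or of any University system), the following Python checks a candidate password against the 6.1 character requirements, stores it only as a salted, slow one-way hash as 5.5 requires, and flags passwords older than the 5.7 interval; the PBKDF2 iteration count and the storage record format are assumptions.

```python
import hashlib
import hmac
import os
from datetime import date

MIN_LENGTH = 8                      # section 6.1
ROTATION_DAYS = 120                 # section 5.7 (every four months)
# The special characters listed in section 6.1
SPECIALS = set("!&,.=<>'\":;?/{}[]~-\\()_+$%^*@#")


def policy_failures(password: str) -> list:
    """Return the 6.1 requirements a candidate password fails (empty list = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("upper")
    if not any(c.islower() for c in password):
        failures.append("lower")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in SPECIALS for c in password):
        failures.append("special")
    return failures


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Keep only a salted, slow, one-way hash (section 5.5); the password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record (assumed format) so the iteration count can be raised later
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def rotation_due(last_changed_iso: str, today_iso: str) -> bool:
    """True once a password (dates as ISO strings) is older than the section 5.7 interval."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days >= ROTATION_DAYS
```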

7.0 Compliance

7.1 The University has an obligation to comply with relevant statutory, legal and contractual requirements.  The Password Policy is part of the Information Security suite of policies, designed to ensure user passwords are managed properly to mitigate any risks to the confidentiality, integrity and availability of University information and information systems.

7.2 Failure to adhere to this policy will be addressed by necessary disciplinary actions in accordance with the University's Staff Disciplinary Procedures, Student Disciplinary Regulations and Procedures, and relevant contractor and third party contractual clauses relating to non-conformance with the Information Security Policy and related policies.

7.3 This policy is related to the following University policies:

a) Information Security Policy

b) Data Protection Policy

c) Risk Management Policy

8.0 Exception

8.1 Any exception to this policy must be approved by the Director of ILS or a nominee in advance.

9.0 Policy Review and Maintenance

9.1 This policy will be reviewed and updated regularly to ensure that it remains appropriate in light of changes to statutory laws, business requirements or contractual obligations.

10.0 Related Policies, Processes and Standards

* Link to University related information security policies, processes and standards

* Link to the Data Protection policy and related documents

Appendix A

Password Communication

  1. Where it is necessary to communicate passwords in writing e.g. via email or text message, reasonable measures must be taken to protect the passwords from unauthorised access such as:
    a. Do not include a password in the same email containing a user ID or a password-protected document. Communicate the password through another channel such as by phone, in person or, if necessary, via a text message.
    b. A password recipient should memorise the password to a document and destroy the written record of the password, or a user should reset an authentication password after first login.
  2. When verbally communicating a password, do so privately with the password recipient.

Last Updated: 23 Aug 2017