Password Policy
- No password expiration date
- Password minimum length of 14 characters (no required characters, numbers, or special characters)
- Passwords checked against known compromised passwords
- Requires password changes in the event of a suspected compromise
** Any password change using ReACT must adhere to the old password policy requirements **
August 2023
Purpose
This policy describes the requirements for passwords that provide access to 51ÁÔÆæ computer systems and institutional data. Adherence to this policy will increase the security of information shared by the 51ÁÔÆæ community.
Scope
This policy applies to all faculty, staff, and students at 51ÁÔÆæ and all computer systems (except those excluded below) that have accounts relating to official college business, including both internal and external systems.
Requirements
These password requirements are the same for all accounts managed by 51ÁÔÆæ. These include, but are not limited to, accounts for: students, employees, departmental accounts, sponsored accounts, alumni, registered guests, trustees, and retirees.
Length and Complexity
- Length: 14 character minimum, 100 character maximum
- Complexity: no complexity requirements
- Examples of acceptable passwords:
- I love 51ÁÔÆæ!
- 1812hamiltoncollege
- have you ever seen the rain?
- WHYAREYOUYELLINGATME?
- This is my new password
- oneP@ssW0rd2023
Valid passwords:
- Must not contain your username
- Must not repeat a character more than 3 times in a row
- Not be included in a list of compromised passwords
- Not be a commonly-used password, or a derivative of a commonly-used password (e.g. password1234, qwerty54321)
Password Expiration
- In accordance with NIST Special Publication 800-63B (Digital Identity Guidelines, 2017), 51ÁÔÆæ will not require regular password expiration. Strong, unique passwords, together with Multi-Factor Authentication, bolster the security of passwords. By focusing on longer, more complex passwords and asking users to update their passwords only in the event of a known compromise or suspected breach, we aim to strike a balance between usability and maintaining a robust security posture. Passwords managed by 51ÁÔÆæ’s identity system will not expire for most users.
Note: There may be other systems that require regular password changes due to compliance or stronger security considerations.
History (reuse)
- Passwords cannot be reused for 90 days
- Passwords cannot be reused in the last 24 password changes
Lockout
Accounts will be “locked” after 10 failed login attempts. Lockout will expire automatically after 10 minutes, or can be manually unlocked by contacting the 51ÁÔÆæ Help Desk.
Password Screening
All new passwords will be automatically screened against lists of commonly used passwords and against known breaches using publicly available databases that compile breached passwords. These databases aggregate data from many breaches and provide insight into compromised passwords. Passwords that are identified as commonly used or included in a previous data breach will not be allowed.
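As an added example (not the college's or Rapid Identity's code), the following checker implements the Length and Complexity rules, the Valid passwords rules, and the breach screening described above. The common-password list and the breached hashes are constructed stand-ins, and the hash-prefix lookup stands in for a range query to an external breach database.

```python
from __future__ import annotations
import hashlib
import re

MIN_LEN, MAX_LEN = 14, 100      # policy: 14 character minimum, 100 maximum
MAX_RUN = 3                     # policy: no character more than 3 times in a row

# Constructed sample data (assumptions, not the college's real screening lists).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "123456"}
# Stand-in for a breach corpus: SHA-1 digests of passwords seen in public breaches.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("correcthorsebatterystaple", "This is my password")}


def _derivative_of_common(pw: str) -> bool:
    """Treat a common password with digits/punctuation added at either end
    (e.g. password1234, qwerty54321) as a derivative of that password."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())
    return pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS


def _is_breached(pw: str) -> bool:
    """k-anonymity style check: only the first 5 hex characters of the SHA-1
    would leave the client; the matching suffixes come back and are compared
    locally. Here the 'range query' is simulated against BREACHED_SHA1."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


def validate_password(pw: str, username: str) -> list[str]:
    """Return the policy rules the candidate violates (empty list = acceptable)."""
    problems: list[str] = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if username and username.lower() in pw.lower():
        problems.append("must not contain the username")
    # (.)\1{3,} matches a character followed by 3 more copies, i.e. 4+ in a row.
    if re.search(r"(.)\1{%d,}" % MAX_RUN, pw):
        problems.append(f"must not repeat a character more than {MAX_RUN} times in a row")
    if _derivative_of_common(pw):
        problems.append("commonly used password or a derivative of one")
    if _is_breached(pw):
        problems.append("appears in a known data breach")
    return problems
```

Password history (no reuse of the last 24) is deliberately left out because it needs the stored hashes of the account's previous passwords, which this stand-alone check does not have.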
Suspected Compromised Passwords
To ensure the utmost security of our systems and protect sensitive information as outlined in NIST Special Publication 800-63B, 51ÁÔÆæ requires users to promptly change their passwords in the event of a suspected compromise. Examples of such compromises include instances where credentials have been included in a known data breach, falling victim to a controlled phishing campaign, or any other situation that could potentially jeopardize the integrity of user accounts. By promptly responding to suspected compromises and updating passwords, we mitigate the risk of unauthorized access and safeguard the confidentiality of our users' accounts and data.
Identity and Access Management System
51ÁÔÆæ uses the Rapid Identity (RI) system for our identity and access management system. RI will:
- enforce the requirements of this password policy
- facilitate changing of passwords
- allow reset of a forgotten password
- unlock accounts
- synchronize password changes across connected systems
- send email reminders about expiring passwords
Password Guidance
Your password:
- Is used for your login to the College network, HillConnect, Google Workspace for Education, and connected systems (e.g., Single Sign-On, Blackboard, Self-Service, My 51ÁÔÆæ, campus wireless network, interlibrary loan and the library catalog).
- Should not be used with other non-51ÁÔÆæ systems, e.g. personal Gmail, personal banking.
- Must not be equal to your current 51ÁÔÆæ password or any of the last 24 51ÁÔÆæ passwords you have used.
51ÁÔÆæ requires all students and employees to use Cisco Duo for Multi-Factor protection.
Password or passphrase?
Consider using a passphrase: unrelated words, at least four characters long, with mixed capitalization, separated by punctuation or spaces.
A passphrase is basically just a series of words, which can include spaces, that you use instead of a single pass “word.”
Passphrases must be between 14 and 100 characters in length (spaces count as characters). Longer is better: although passphrases look simple, the extra length creates so many possible combinations that a standard password-cracking program will be ineffective.
Exclusions
There are some systems on campus that are excluded from this policy. System owners of these systems are required to implement compensating controls for access to those systems that, at least, meet the minimum requirements set forth in this Password Policy.
Approved: August 2023
Last Reviewed: August 2023