Password Policy

Approved by President/Provost
Review again

Policy Contact
ITS Security and Client Computing
(607) ­436-­3203

Policy Statement

This policy outlines password management requirements for SUNY Oneonta user accounts.


Passwords are a common means of authenticating a user’s identity when accessing information systems. Password standards need to be implemented to ensure all authorized individuals accessing SUNY Oneonta resources follow proven password management practices. These password rules must be mandated by automated system controls whenever possible.

Applicability of the Policy

This policy applies to all SUNY Oneonta faculty, staff, students, and all other users of relevant information systems.

Policy Elaboration

To ensure proper password management, the following password standards will be implemented where technically feasible:

  • Password cannot be the same as user-id, or contain a portion of the user’s name
  • Password length minimum of 12 characters
  • Where technically possible, user password selections will be checked against a prohibited list of known common passwords
  • Cannot use a password equal to any of the account’s last twenty-five (25) passwords
  • Account lockout after detection of suspicious login attempt behavior
  • Account lockout duration – 15 minutes, or until reset by authorized person
  • Passwords should not be written down
  • User account passwords must be kept confidential – they must not be shared with another user
  • Accounts created for shared purposes (club accounts, office accounts, etc.) must have their passwords changed at the end of each academic year, or when a member with knowledge of the password leaves the organization.
  • Temporary passwords must be changed at the first login
  • A password reset will be forced in the case of a detected behavior suggesting possible account compromise
  • A user who requests a password reset must be have their identity verified before the request is granted


Suspicious login attempt behavior - Login attempt patterns identified by ITS Security and Client Computing as indicators of attempted compromise. For example, excessive failed login attempts in a given time frame that would suggest a brute-force attempt to guess an account password.


Questions related to the daily operational interpretation of this policy should be directed to:

ITS Security and Client Computing
(607) ­436-­3203

Effective Dates

Approved by the President/Provost on 4/8/2020

Back to top