Password Policy

Policy Statement

This policy outlines password management requirements for College user accounts.

Rationale

Passwords are a common means of authenticating a user’s identity when accessing information systems. Password standards need to be implemented to ensure all authorized individuals accessing College resources follow proven password management practices. These password rules must be mandated by automated system controls whenever possible.


Applicability of the Policy

This policy applies to all SUNY Oneonta faculty, staff, students, and all other users of the college’s information systems.


Policy Elaboration

To ensure proper password management, the following password standards will be implemented where technically feasible:

  • Password cannot be the same as user-id, or contain a portion of the user’s name
  • Password length minimum of 12 characters
  • Where technically possible, user password selections will be checked against a prohibited list of known common passwords
  • Cannot use a password equal to any of the account’s last twenty-five (25) passwords
  • Account lockout after detection of suspicious login attempt behavior
  • Account lockout duration – 15 minutes, or until reset by authorized person
  • Passwords should not be written down
  • User account passwords must be kept confidential – they must not be shared with another user
  • Accounts created for shared purposes (club accounts, office accounts, etc.) must have their passwords changed at the end of each academic year, or when a member with knowledge of the password leaves the organization.
  • Temporary passwords must be changed at the first login
  • A password reset will be forced in the case of a detected behavior suggesting possible account compromise
  • A user who requests a password reset must be have their identity verified before the request is granted

Definitions

Suspicious login attempt behavior - Login attempt patterns identified by IT Security as indicators of attempted compromise. For example, excessive failed login attempts in a given time frame that would suggest a brute-force attempt to guess an account password.

Contacts

Questions related to the daily operational interpretation of this policy should be directed to:

ITS – IT Security
(607) ­436-­3203

Effective Dates

Approved by the President/Provost on 01/14/2020

Policy will be reviewed in Spring 2020

Back to top