Policies and Procedures Manual 2023-2024

3.51 Password Policy

Purpose

The purpose of this document is to provide a set of minimum security standards governing the use of passwords for Piedmont University information technology systems. This document is intended to offer minimum standards for system and application administrators and developers. All parties are encouraged to apply more stringent controls than those outlined below in accordance with the security needs of the system and the information being stored or accessed. Regulatory, compliance or grant requirements supersede any standards defined below.

Standards

Scope and Intent

This section is intended to provide guidance for systems and applications that utilize a username and password for authentication and authorization. For many systems, these settings are customizable and must be configured before a system goes into production or stores institutional information. Systems that utilize a Piedmont University ID for authentication can assume these requirements are met as part of the service provided.

Password requirements for standard accounts

  • Passwords may never be stored in plain text. Passwords must be stored using industry-standard hashing and salting methodologies.
  • Passwords must be encrypted and/or hashed while in transit to the authenticating system.
  • Passwords should not be displayed in plain text as they are being entered.
  • Passwords must adhere to the following complexity rules:
      • Must be at least 8 characters and no more than 16 characters long.
      • Must have at least one capital letter and one lower case letter.
      • Must have at least one number.
      • Must not use special characters (for example: !, @, #, $, %, ^).
      • Must not contain 3 characters in a row taken from the previous password (for example, do not reuse the last four digits of your SSN or the word Piedmont in the new password).
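As an added illustration (not part of the policy and not code from any Piedmont University system), the standard-account complexity rules above expressed as a check a developer could run at password-change time. The case-insensitive comparison with the previous password is an assumption, since the policy does not say how letter case is treated:

```python
"""Validator for the standard-account complexity rules (added example)."""
import re

MIN_LEN, MAX_LEN = 8, 16
SHARED_RUN = 3  # consecutive characters that may not be carried over from the previous password


def shared_runs(new, previous, run=SHARED_RUN):
    """Return every run of `run` consecutive characters present in both passwords.
    Assumption: comparison is case-insensitive, so 'Pied' and 'pied' match."""
    prev = previous.lower()
    new_l = new.lower()
    return sorted({new_l[i:i + run] for i in range(len(new_l) - run + 1)
                   if new_l[i:i + run] in prev})


def check_password(candidate, previous=""):
    """Return the list of rule violations; an empty list means the password complies."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("needs at least one capital letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("needs at least one lower case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("needs at least one number")
    # "Special character" is read here as anything outside ASCII letters and digits (assumption).
    if not (candidate.isascii() and candidate.isalnum()):
        problems.append("special characters are not allowed")
    if previous:
        runs = shared_runs(candidate, previous)
        if runs:
            problems.append(
                f"shares {SHARED_RUN} characters in a row with the previous password: {', '.join(runs)}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for new, old in [("Lions2024win", "Piedmont1"), ("Piedmont2024", "Piedmont1"), ("Lions2024!", "")]:
        print(new, "->", check_password(new, old) or "OK")
```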

Password requirements for administrative accounts

In addition to the requirements for standard accounts:

  • Passwords may not be re-used for a period of 12 months.
  • Accounts must use Multi-Factor Authentication (MFA) where possible.

Password requirements for service accounts

Service-based accounts are those used for automation, monitoring, and other non-interactive tasks not performed by an individual.

In addition to the requirements for standard accounts:

  • Passwords must be at least 16 characters.
  • User IDs and passwords shall never be used through an interactive login mechanism except for testing/setup purposes.
  • Service accounts must have a responsible point of contact or sponsor.
  • Service accounts must be reviewed annually to ensure they are properly used, secured, and necessary.

Initial Account Provisioning

Newly provisioned user accounts must have a secure password set by the account holder. This may be accomplished via an activation method that lets the account holder set a password (the account is not usable until then), secure transmission of an initial password to the account holder, a short expiration window for an initial password, and/or manual intervention by support staff.

If an initial account password is set before account handoff to the account holder:

  • Account holders must be able to activate the account and set a password before use, or the system must require the user to set a password during initial access. Service accounts may be considered exempt from this requirement.
  • All vendor-supplied passwords, including service accounts, must be changed as soon as possible after system/application deployment and before becoming operational.

Password Protection

To ensure that the intended account holder is the authorized holder of a password or credential, distribution or reset should occur only after a reasonable effort has been made to verify the identity of the account holder.

Individuals should be confirmed as the intended recipient by contact via an authorized work phone number, verification of personal data, photo ID, or similar means.

Where possible, passwords should be maintained by the individual through automated means that use either pre-existing answers to a set of questions or a secondary channel meant to confirm the person’s identity, such as a one-time password sent to a registered device. If an automated process is not available, initial or reset passwords may be communicated via:

  • Mail (sealed envelope)
  • Encrypted file transfer (e.g., LastPass or similar)
  • Verbal conversation, either a phone call to the authorized work telephone number or in-person communication