STANDARDS & GUIDELINES
Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer
STANDARD
A standard is a level of quality that requires conformity.
The Chief Information Officer is designated by the "University Acceptable Use of Information Technology Resources Policy" as the institutional officer responsible to identify standards for access and acceptable use of information technology resources. This standard identifies the minimum password requirements to protect University data and systems. It applies to all electronic devices and systems connected to the University network including computers, network switches and routers, personal digital assistant devices, laptop computers, password authenticated software, etc.
Passwords are used on University devices and systems to facilitate authentication, i.e. helping ensure that the person is who they say they are. The security of University data is highly dependent upon the secrecy and characteristics of the password. Compromised passwords can result in loss of data, denial of service for other users, or attacks directed at other Internet users from a compromised machine. Compromised passwords can also result in the inappropriate disclosure of private data such as private student data, research participant data, and private employee data. To protect against these risks, the Chief Information Officer has approved this standard.
A password or passphrase or other strong authentication must be used for all devices supporting authentication and password authenticated software connected to the University network.
A password or passphrase must be eight or more characters long. Longer passwords give better protection against automated programs that try every possible combination of characters (called “brute force cracking”).
Passwords or passphrases must be periodically changed as required by each system, but at least annually.
A password or passphrase must be complex (e.g. include a combination of character types such as numbers, special characters, lower case letters, upper case letters, non-keyboard characters) to help protect against automated cracking.
A minimum of three types of characters (e.g. lower case letters, numbers, special characters) should be used for passwords.
Systems should protect against “brute force” password guessing programs from the network and Internet. Whenever possible, systems should lock a user's account if the user fails to log in within a specified number of attempts. The lockout may be either for a designated amount of time or until the account is reset.
Do not share the password assigned to you.
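The following is an added illustration, not part of the University standard and not OIT code, of how a system administrator might enforce the requirements above: a password check for the eight-character minimum and the three-character-type rule, and a simple per-account lockout counter of the kind the standard asks for. The attempt limit (5) and the lockout duration (15 minutes) are assumed values chosen for the example; the standard leaves them to each system.

```python
import string
from dataclasses import dataclass, field

# Minimum requirements stated in the standard.
MIN_LENGTH = 8
MIN_CHARACTER_TYPES = 3


def character_types(password: str) -> set:
    """Return the set of character types present in the password."""
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("number")
        elif ch in string.punctuation or ch.isspace():
            found.add("special")
        else:
            # Anything outside printable ASCII is treated as a non-keyboard character.
            found.add("non-keyboard")
    return found


def check_password(password: str) -> list:
    """Return a list of violations; an empty list means the password meets the standard."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    types = character_types(password)
    if len(types) < MIN_CHARACTER_TYPES:
        problems.append(f"only {len(types)} character type(s); {MIN_CHARACTER_TYPES} required")
    return problems


@dataclass
class LockoutTracker:
    """Counts failed logins per account and locks the account after max_attempts.

    The lockout is timed (lockout_seconds) but can also be cleared by an
    administrator with reset(), matching the two options in the standard.
    Limits below are assumed example values, not values from the standard.
    """
    max_attempts: int = 5
    lockout_seconds: int = 900
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Timed lockout has expired: clear the counter and unlock.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_attempts:
            self._locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure counter."""
        self._failures.pop(user, None)

    def reset(self, user: str) -> None:
        """Administrative reset: clears both the counter and any active lockout."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["short", "abcdefghij", "Correct-Horse-42"]:
        print(repr(candidate), check_password(candidate) or "OK")
    tracker = LockoutTracker(max_attempts=3, lockout_seconds=60)
    for t in (0, 1, 2):
        print("failure at", t, "locked:", tracker.record_failure("alice", t))
    print("still locked at t=30:", tracker.is_locked("alice", 30))
    print("locked at t=61:", tracker.is_locked("alice", 61))
```

The check counts a character type only once, so repeating one symbol does not help; the tracker clears its counter on success or expiry so a legitimate user who mistypes occasionally is not locked out by stale failures.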
Adherence to password requirements is reviewed as part of the normal University audit procedures. Collegiate and departmental technology support staff as well as OIT can be contacted for additional questions (contact OIT by dialing 1-HELP, 612-301-4357).