Password Policy

Purpose

This policy defines the requirement to create appropriate passwords for use on the Black Hills State University (BHSU) Information Technology (IT) Systems and to use and protect them in an appropriate manner in order to ensure that confidential information and technologies are not compromised and that services and other Black Hills State University interests are protected.

Scope

The scope of this policy applies to all students, faculty, staff, and guests of Black Hills State University who have any form of information system account that requires password access. This includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at or connected through any Black Hills State University facility, or has access to the Black Hills State University network, or stores any non-public Black Hills State University information.

Policy

General

  • Password construction, lifecycle and re-use parameters will be variable according to the classification of the system or data that they are intended to protect.
  • Passwords should not be based on well-known or easily accessible information, including personal information, nor should they be words commonly found within a standard dictionary.
  • Usernames and passwords should never be left as a “default”. Community strings, where used, should be defined as something other than the standard defaults, and must be different from the passwords used to log in interactively.
  • BHSU will use appropriate measures to ensure that users conform to the policy.

Password Construction Guidelines

Passwords must be a minimum of eight (8) characters in length. Further, these passwords must use at least three of the five character types, those being lower case letters, upper case letters, numbers, Unicode characters, and special characters. Passwords cannot contain more than three characters from the user’s account name.

Password Lifecycle Guidelines

Passwords will have a maximum age of 90 days and a minimum age of two (2) days. As such, passwords must be changed every three (3) months and cannot be changed more frequently than every two (2) days.

Password Reuse Guidelines

Passwords may be reused every eleventh password. As such a completely new password is required for the first ten expiries; thereafter the first password can be reused. “Completely new” is defined as having at least fifty percent (50%) of the characters different from the previous password.
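The construction rules above (length, three of five character types, account-name overlap) and the “completely new” reuse rule can be expressed as a small checker. This is an added example, not BHSU’s own tooling; it assumes that a “Unicode character” is any non-ASCII character, that “more than three characters from the account name” means four or more consecutive account-name characters appearing in the password (case-insensitive), and that the 50% rule is measured position by position over the longer of the two passwords, since the policy does not define these terms.

```python
MIN_LENGTH = 8               # "minimum of eight (8) characters"
MIN_CHAR_TYPES = 3           # "at least three of the five character types"
MAX_NAME_CHARS = 3           # "not more than three characters from the account name"
MIN_CHANGED_FRACTION = 0.5   # "at least fifty percent ... different"


def character_types(password: str) -> set[str]:
    """Which of the five policy character types the password uses."""
    types = set()
    for ch in password:
        if ord(ch) > 127:
            types.add("unicode")   # assumption: any non-ASCII char is "Unicode"
        elif ch.islower():
            types.add("lower")
        elif ch.isupper():
            types.add("upper")
        elif ch.isdigit():
            types.add("digit")
        else:
            types.add("special")   # punctuation, symbols, whitespace
    return types


def reuses_account_name(password: str, account: str) -> bool:
    """Assumption: 'more than three characters' means 4+ consecutive
    characters of the account name appearing in the password (case-insensitive)."""
    pw, acct, n = password.lower(), account.lower(), MAX_NAME_CHARS + 1
    return any(acct[i:i + n] in pw for i in range(len(acct) - n + 1))


def changed_fraction(new: str, old: str) -> float:
    """Assumption: compare position by position over the longer password."""
    longest = max(len(new), len(old)) or 1
    same = sum(1 for a, b in zip(new, old) if a == b)
    return (longest - same) / longest


def check_password(password: str, account: str, previous: str = "") -> list[str]:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than 8 characters")
    if len(character_types(password)) < MIN_CHAR_TYPES:
        problems.append("fewer than 3 of the 5 character types")
    if reuses_account_name(password, account):
        problems.append("more than 3 characters from the account name")
    if previous and changed_fraction(password, previous) < MIN_CHANGED_FRACTION:
        problems.append("less than 50% different from previous password")
    return problems
```

The sample account name and passwords in the tests are constructed; a deployment would run this check at the point where the password is set, never store the previous password in the clear to compare against.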

Password Protection Guidelines

Passwords are to be treated as confidential information. Under no circumstances will any member of the organization request a password. Under no circumstances is a student, faculty, staff, or guest permitted to reveal, tell, or hint at their password to another person, including IT staff, administrators, superiors, other co-workers, friends, and family members.

Passwords are not to be transmitted electronically over the unprotected network, such as via e-mail. However, passwords may be used to gain remote access to company resources via the company’s Virtual Private Network or SSL-protected Web site.

No student, faculty, staff, or guest is to keep an unsecured written record of his or her passwords, either on paper or in an electronic file. If it proves necessary to keep a record of a password, then it must be kept in a controlled access secure environment if in hardcopy form or in an encrypted file if in electronic form.

Do not use the “Remember Password” feature of applications, unless access to the system hosting the application is, itself, password protected. 

Passwords used to gain access to BHSU systems are not to be used as passwords to access non-BHSU accounts or information. Similarly, passwords used to secure personal, non-BHSU related accounts are not to be used to access BHSU accounts.

Each application, system and data point having its own account should be protected by a different password where possible. The use of the same password to protect different identities is strongly discouraged.

If a user knows or suspects that his/her password has been compromised, it must be reported to NCS and the password changed immediately. If the minimum aging requirement has not been met for the password, NCS will reset the minimum aging for the account allowing the user to create a new password.

Enforcement

Compliance shall ensure Users receive competent and effective service. Noncompliance will result in revocation of network access.  Any student/employee/faculty member who is found to have violated this policy will be subject to disciplinary action, up to and including expulsion or termination of employment, as provided by the Student/Employee Handbook and the Conduct Code as outlined by the South Dakota Board of Regents.

Revision History

  1. March 16, 2005
  2. February 13, 2013 (Clerical Corrections)
  3. April 23, 2013 (Major revision)
  4. November 5, 2013 (Clerical Corrections)
  5. May 6, 2015 (Major revision)