Policy 912 - Password Policy

Section: Information Technology
Policy Number: 912
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19

Policy Statement

The purpose of this policy is to establish a set of rules to enhance security best practices by encouraging the creation of strong passwords, the protection of passwords, and the frequency of changing passwords.

Scope and Applicability

This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity and availability of the University’s information assets, and protects the interest of the University, its customers, personnel and business partners.


Users with access to St. John’s systems must take appropriate steps to protect their passwords. Password-based authentication mechanisms are also vulnerable to compromise due to the following types of malicious activity:

  • Password guessing using a dictionary attack or attributes known about the user
  • Social engineering, e.g., manipulating a user to obtain a password
  • Interception during password transmission 

It is vital for the protection of St. John’s systems and data that controls are in place to ensure a password remains secure. Passwords can be intercepted during transmission or be stolen while in storage on a disk. St. John’s has implemented practical standards and mechanisms to enforce secure password creation, protection and management.  

Multi-Factor Authentication (MFA) is implemented to securely protect St. John’s sensitive data such as cardholder data. 

All passwords have the following characteristics:

  • Require a minimum length of at least 10 characters 
  • Contain at least two of the following:
    • Upper and lower case characters
    • At least one number or one special character.

The following requirements also apply to the management of passwords:

  • Passwords are changed after 180 days
  • No reuse of passwords from the last five used
  • After 5 unsuccessful login attempts are made the user account will be locked out 
  • Account lockout is set for a duration of 30 minutes. Contact Support Services to unlock the account once a user has been verified.
  • If a session has been idle for a period of 60 minutes for faculty members and 15 minutes for other employees, the user is required to re-authenticate. 
  • Newly-issued passwords are subject to change immediately after first use
  • System default accounts/passwords are manually disabled/changed immediately as part of initial setup and configuration 
  • A ‘challenge/response’ process is used by the IT department upon password reset requests to ensure the identity of the staff member
  • All passwords are disabled/changed in test and development systems when promoted into the live environment


The following are the definitions relevant to the policy:

  • Expired Password: A password that must be changed by the user before login can be completed.  Each password will be set to expire within 180 days unless administered within a system that processes Sensitive Information.
  • Password: A character string used to authenticate an identity.  Knowledge of the password in association with a unique User ID will be minimum proof of authorization to access systems, resources, and capabilities associated with that User ID.
  • Password System: A system that manages user accounts, confirms user authentication and enables system access according to policy. Assurance of unequivocal identification is based on the user's ability to enter a private password that no one else knows.
  • User ID: A unique character string assigned to a user and used by an IT system to uniquely identify each user. The security provided by a password system will not rely on the secrecy of the user's ID.


The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to and reviewed and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by the CIO and the Director of Information Security. 

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by the University.

Related Policies, Standards or Regulations

  • 910 Remote Access Policy
  • 903 Access Control Policy
  • 916 Third Party Services Policy