Policy 912 - Password Policy

Section: Information Technology
Policy Number: 912
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20

Policy Statement

The purpose of this policy is to establish a set of rules to enhance security best practices by encouraging the creation of strong passwords, the protection of passwords, and frequency for changing passwords.

Scope and Applicability

This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity, and availability of the St. John’s University (St. John’s) information assets, and protects the interest of St. John’s, its customers, personnel, and business partners.

Policy

Users with access to St. John’s systems must take appropriate steps to protect their passwords.  Password-based authentication mechanisms are also vulnerable to compromise due to the following types of malicious activity:

  • Password guessing using a dictionary attack or attributes known about the user 
  • Social engineering, e.g., manipulating a user to obtain a password
  • Interception during password transmission 

For the protection of St. John’s systems and data, it is vital that controls are in place to ensure a password remains secure. Passwords can be intercepted during transmission or be stolen while in storage on a disk. St. John’s implements practical standards and mechanisms to enforce secure password creation, protection, and management.  

Multi-Factor Authentication (MFA) is implemented to securely protect St. John’s sensitive data such as cardholder data. 

All passwords have the following characteristics:

  • Require a minimum length of at least 10 characters 
  • Contain at least two of the following:
    • Upper and lower case characters
    • At least one number or one special character

The following requirements also apply to the management of passwords:

  • Passwords are changed after 180 days.
     
  • No reuse of passwords from the last five used.
     
  • After 5 unsuccessful login attempts, the user account will be locked.
     
  • Account lockout is set for a duration of 30 minutes. Support Services must be contacted to verify the user and to unlock the account.
     
  • If a session has been idle for a period of 60 minutes for faculty members and 15 minutes for other employees, the user is required to re-authenticate.
     
  • Newly-issued passwords must be changed immediately after first use.
     
  • System default accounts/passwords are manually disabled/changed immediately as part of initial setup and configuration. 
     
  • A ‘challenge/response’ process is used by the IT department upon password reset requests to verify the identity of the staff member.
     
  • All passwords are disabled/changed in test and development systems when promoted into the live environment.

Definitions

The following are definitions relevant to the policy:

  • Institutional Data: All data owned or licensed by the St. John’s.
     
  • University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing St. John’s network services, and other authorized users.
     
  • Expired Password: A password that must be changed by the user before login can be completed.  Each password will be set to expire within 180 days unless administered within a system that processes Sensitive Information.
     
  • Password: A character string used to authenticate an identity.  Knowledge of the password in association with a unique User ID will be minimum proof of authorization to access systems, resources, and capabilities associated with that User ID.
     
  • Password System: A system that manages user accounts, confirms user authentication and enables system access according to policy. Assurance of unequivocal identification is based on the user's ability to enter a private password that no one else knows.
     
  • User ID: A unique character string assigned to a user and used by an IT system to uniquely identify each user. The security provided by a password system will not rely on the secrecy of the user's ID.

Compliance

St. John’s reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to, reviewed and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by the CIO and the Director of Information Security. 

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by St. John’s.

Related Policies, Standards or Regulations