Password Policy

1. Overview

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of Academy of Holy Angels (AHA) resources. All users, including students, staff, contractors and vendors with access to AHA systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2. Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3. Scope

The scope of this policy includes all students and personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any AHA facility, has access to the AHA network, or stores any nonpublic AHA information. It applies to employees, contractors, consultants, temporary and other workers at AHA, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, and network logins.

4. Policy

4.1 Password Creation

4.1.1 All user-level and system-level passwords must conform to the Password Construction Guidelines in section 6.

4.1.2 Users must not use the same password for AHA accounts as for other non-AHA access (for example, personal email or social media accounts).

4.1.3 Where possible, users must not use the same password for various AHA access needs.

4.1.4 User accounts that have system-level privileges granted through group memberships or programs must use a password for those privileges that is different from the password of every other account held by that user.

4.2 Password Change

4.2.1 All system-level passwords (for example, Administrator) should be changed at least every six months.

4.2.2 All user-level passwords (for example, email, web, desktop computer) should be changed at least every six months.

4.2.3 Password cracking or guessing may be performed on a periodic or random basis by the AHA Technology Department or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it to be in compliance with the Password Construction Guidelines in section 6.

4.3 Password Protection

4.3.1 Passwords should not be shared with anyone. All passwords are to be treated as sensitive, Confidential AHA information.

4.3.2 Passwords must not be inserted into email messages or other forms of electronic communication without proper AHA Technology Department approved encryption.

4.3.3 Passwords must not be revealed over the phone to anyone. 

4.3.4 Do not reveal a password on questionnaires or security forms. 

4.3.5 Do not hint at the format of a password (for example, "my family name").

4.3.6 Do not share AHA passwords with anyone, including administrative assistants, secretaries, managers, or co-workers, even while you are on vacation.

4.3.7 Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without proper AHA Technology Department approved encryption.

4.3.8 Do not use the "Remember Password" feature of applications (for example, web browsers).

4.3.9 Any user suspecting that his/her password may have been compromised must report the incident to AHA Technology Department immediately and change all passwords.

4.4 Use of Passwords and Passphrases

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks." 

A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: 

"The*?#>*@TrafficOnThe101Was*&#!#ThisMorning" 

All of the rules above that apply to passwords apply to passphrases.

5. Policy Compliance

5.1 Compliance Measurement

AHA Technology Department will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the AHA Technology Department in advance. 

5.3 Non-Compliance

AHA students, faculty, or staff found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, suspension, and/or expulsion.

6. Password Construction Guidelines

These guidelines provide best practices for creating secure passwords. All passwords should meet or exceed the following strong password guidelines.

Strong passwords have the following characteristics:

  • Contain at least 8 alphanumeric characters.
  • Contain both upper and lower case letters.
  • Contain at least one number (for example, 0-9).
  • Contain at least one special character (for example, !$%^&*()_+|~-=\`{}[]:";'<>?,/).

Poor, or weak, passwords have the following characteristics and should not be used:

  • Contain fewer than eight characters.
  • Can be found in a dictionary (including foreign-language dictionaries), or are slang, dialect, or jargon words.
  • Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, or fantasy characters.
  • Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
  • Contain keyboard, repeated-character, or number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
  • Contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1, or 1secret).
  • Are some version of "Welcome123", "Password123", or "Changeme123".

Try to create passwords that you can remember easily. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase "This May Be One Way To Remember" could become the password TmB1w2R! or another variation.

*NOTE: Do not use any examples in this policy as passwords!

7. Revision History

1/22/15 lj, 7/16/15 ga