
Password Policy

Standard User Accounts

Standard user accounts (a unique login id, password and job-specific system permissions) are assigned directly to users with a need to access various SDSU Research Foundation systems. Passwords are assigned to individual users for their exclusive use and should not be shared with, or delegated to, others. Only the assigned user should know the password to their assigned account. Managers should ensure that users are not asked to reveal their personal passwords unless it becomes necessary, as explained below. While passwords are intended to keep files and records confidential and to restrict access to certain files and records, employees should not conclude that a password gives them an expectation that their computers, e-mails, files, etc. are private, or that these may hold personal information that SDSURF management will not access. On the contrary, all computers, e-mail accounts, voicemail accounts, files, etc. are the property of SDSURF, should only be used for business purposes, and may be accessed by SDSURF management at any time.

User ids and passwords are used to authenticate individuals accessing systems. When they are used, they serve the same function as if the individual had signed a physical piece of paper and presented an id for authentication. Just as you would not allow another individual to use your driver's license or identification card and signature, do not allow them to use your user id and password.


Accessing Another User’s Account or Information

There are often legitimate operational needs to delegate authority (back-up coverage, extended absence coverage, shared workloads, etc.) to individual accounts and files. Users should work with their supervisor and the appropriate system administrator to coordinate system permission updates that meet SDSURF’s business needs while also protecting the privacy of user password(s).

  • Utilize an application’s (Outlook, etc.) built-in functionality to assign delegate permissions. This allows designated individuals to access your files while using their own unique user id and password.
  • Where system privileges and delegate controls are not directly available to the user (Banner Finance and HR, PI Profile, etc.), users must coordinate with their supervisor to follow existing procedures to request a new account for the delegate or to have the permissions on the designated delegate’s existing account updated. 
  • If there is a need to access and/or control a terminated or otherwise indisposed individual’s accounts or files, the manager or supervisor may provide a written request to the appropriate system administrator to reset the password of the account being accessed, so that the employee to whom the account belongs will know that it has been accessed. 

There are times when it may become necessary for users to provide their passwords to a member of SDSURF management or to our IT department. For example, it may become necessary for SDSURF to access an individual’s accounts or files as part of an investigation of improper or inappropriate activity, due to a report of infractions of SDSURF policies, because the employee is absent from work and we need the information contained in those records, or for another legitimate business need. Such access should be approved in advance by the Director of Human Resources and Risk Management or by the Chief Financial Officer. Additionally, users should immediately provide their passwords when requested by SDSURF’s Director of Human Resources, by the Chief Financial Officer, and/or by the Executive Director. Users also should immediately provide passwords when requested by a manager in SDSURF’s IT department or when requested by campus police.


Secure Account Usage / Password Protection Standards

Passwords are the front line of protection for user accounts. A poorly chosen password may result in the compromise of SDSURF’s entire corporate network. As such, all SDSURF personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any SDSURF facility, has access to the SDSURF network, or stores any non-public information (including contractors and vendors with access to SDSURF systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

  • Do not share passwords. All users are responsible for keeping their password confidential. Accounts created for an individual are for the use of that individual only. Users are responsible for any use of their assigned account(s).
  • Use different passwords for different systems (e.g. e-mail, Employee Gateway, PI Profile, Banner, etc.) and do not use the same password(s) for both business and personal applications.
  • Never use the “remember me on this computer” feature of any applications.
  • Do not embed passwords into programs.
  • Change passwords often, at least once every six months (or semester).
  • Change your password immediately if you suspect it has been compromised, and report the incident to your supervisor or computing services personnel immediately.
  • Do not re-use passwords for at least one year.
  • Passwords should never be written down or stored in a file on ANY computer system (including mobile phones, laptops, PDAs, etc.) without encryption. Try to create passwords that can be easily remembered. Refer to the General Password Construction Guidelines below.

General Password Construction Guidelines

Select strong passwords that are hard for an attacker to guess or crack, yet easy to remember without having to write them down. Strong passwords combine both length and different types of symbols. Use the entire keyboard to create strong passwords:

  • Complexity.  The greater the variety of characters in the password, the harder it is to guess or crack.  Passwords should contain at least one of each of the following character sets:
    • Upper case characters (e.g. A-Z)
    • Lower case characters (e.g. a-z)
    • Numbers
    • Symbols, including punctuation and other special characters such as !@#$%^&*()_+|~-=\`{}[]:";'<>?,./
  • Length. Each character you add to your password increases the protection it provides. Passwords should be at least eight characters long, and ideally 14 or more.
  • Easy to remember. Writing passwords down or storing them in computer files increases the risk of compromise. To help you create strong passwords that can be easily remembered, try thinking of a sentence, song title, affirmation or other phrase that you will remember, and use it as the basis of your password or passphrase.
    • For example, take the phrase “My son Aiden is three years old.”  This could be converted to a strong password by using the first letter of each word to create a string, in this case “msai3YO!”.  Notice that the password contains upper and lower case characters, numbers and punctuation, is at least eight characters in length and is easy to remember, making it a strong password. Another variation of the same sentence that is more complex could be “MisunAid_iz3YRS-0ld!”. 
    • Another good example is the phrase “Oh, I stubbed my toe,” which could become the passphrase “Ohmy!1stubbedmyt0e”.

Passwords should not contain the following, which are characteristics of poor and weak passwords:

  • Words in any dictionary (English or foreign), spelled forward or backwards.  Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, profanity, and substitutions. 
  • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Words or numbers that are based on personal information:  login names, names of family members, pets, friends, co-workers, fantasy characters, birthday, anniversary dates, license plates, phone numbers, etc.  This type of information is one of the first things criminals will try, and they can often find it easily online from social networking sites, online resumes, and other public sources of information. 
  • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
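The following checker is an added example, not part of the SDSURF policy or any SDSURF tool. It applies the construction guidelines and weak-password characteristics above as code: the four required character classes, the eight-character minimum and 14-character recommendation, dictionary words spelled forward or backward with common substitutions and a leading or trailing digit, the keyboard/repeat/sequence/mirror patterns, and user-supplied personal terms. The word list, keyboard patterns and personal terms are constructed stand-ins (a deployment would load a full multi-language dictionary and a breached-password list); it also generalizes the policy's "preceded or followed by a digit" to runs of digits.

```python
import re

# Thresholds taken from the policy text: at least eight characters, ideally 14 or more.
MIN_LENGTH = 8
RECOMMENDED_LENGTH = 14

# Constructed stand-ins for the word lists a real checker would load. Assumption:
# a deployment would use a full multi-language dictionary and a breached-password list.
SAMPLE_DICTIONARY = {"secret", "password", "welcome", "summer", "letmein", "dragon"}
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "qazwsx", "1q2w3e")

# Common character substitutions that cracking tools undo automatically.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def missing_character_classes(pw):
    """Return the names of the four required character classes that pw lacks."""
    required = {"upper": r"[A-Z]", "lower": r"[a-z]",
                "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    return sorted(name for name, pat in required.items() if not re.search(pat, pw))


def dictionary_hit(pw, dictionary=SAMPLE_DICTIONARY):
    """Return the dictionary word pw is built from, or None.

    Mirrors the policy's weak-password list: a word spelled forward or backward,
    with common substitutions, optionally preceded or followed by digits.
    """
    core = re.sub(r"^\d+|\d+$", "", pw.lower())
    for candidate in (core, core[::-1]):
        leet = candidate.translate(LEET_MAP)
        for variant in (candidate, leet, re.sub(r"[^a-z]", "", leet)):
            if variant in dictionary:
                return variant
    return None


def longest_sequential_run(pw):
    """Length of the longest run of adjacent characters stepping by +1 or -1 in one direction."""
    best = run = 1
    direction = 0
    for a, b in zip(pw, pw[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1) and (run == 1 or step == direction):
            run += 1
            direction = step
        else:
            run = 2 if step in (1, -1) else 1
            direction = step if step in (1, -1) else 0
        best = max(best, run)
    return best


def has_pattern(pw):
    """Detect the keyboard walks, repeats, sequences and mirrored strings the policy names."""
    lowered = pw.lower()
    n = len(pw)
    if any(p in lowered for p in KEYBOARD_PATTERNS):
        return "keyboard pattern"
    if re.search(r"(.)\1\1", pw):                       # aaabbb
        return "repeated character run"
    if longest_sequential_run(pw) >= 4:                  # zyxwvuts
        return "sequential characters"
    if n >= 6 and n % 2 == 0 and pw[: n // 2] == pw[n // 2:][::-1]:  # 123321
        return "mirrored string"
    return None


def personal_info_hit(pw, personal_terms):
    """Return the first user-specific term (name, pet, plate, ...) found inside pw."""
    haystacks = (pw.lower(), pw.lower().translate(LEET_MAP))
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and any(t in h for h in haystacks):
            return term
    return None


def check_password(pw, personal_terms=()):
    """Apply the construction guidelines; returns an ok flag, hard failures and advisories."""
    failures, advisories = [], []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < RECOMMENDED_LENGTH:
        advisories.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    missing = missing_character_classes(pw)
    if missing:
        failures.append("missing character classes: " + ", ".join(missing))
    word = dictionary_hit(pw)
    if word:
        failures.append(f"based on dictionary word '{word}'")
    pattern = has_pattern(pw)
    if pattern:
        failures.append(pattern)
    term = personal_info_hit(pw, personal_terms)
    if term:
        failures.append(f"contains personal information '{term}'")
    return {"ok": not failures, "failures": failures, "advisories": advisories}


if __name__ == "__main__":
    # "aiden" and "jsmith" are constructed personal terms for the demo user.
    for sample in ("msai3YO!", "MisunAid_iz3YRS-0ld!", "secret1", "123321", "Aiden2014!"):
        print(sample, check_password(sample, personal_terms=("aiden", "jsmith")))
```

The policy's own examples ("msai3YO!", "MisunAid_iz3YRS-0ld!", "Ohmy!1stubbedmyt0e") pass, with the eight-character one drawing only a length advisory, while "secret1" and "1secret" fail on the dictionary rule even after the digit is stripped. The sequential-run threshold is four so that incidental three-letter sequences such as the "stu" in "stubbed" are not flagged.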
