Password Management of University Computer Accounts

PURPOSE
The purpose of this document is to establish policy for password management of University computer accounts by faculty, administrators, staff and students.

BACKGROUND
Members of the University community are responsible for all actions performed using their computer account. It is imperative, therefore, that faculty, administrators, staff and students protect their passwords and under no circumstances should a password be shared with anyone. If you suspect that your password has been compromised, it is your responsibility to immediately reset your password using the “Forget Password?” link on the MySJU login page at http://my.sju.edu.

It is important that all users select a strong password, i.e. one that is difficult to guess. A strong password is one that is at least eight characters in length, contains both upper and lower case characters, includes at least one numeric and one alphabetic character and includes at least one special character (e.g. !@$). You should avoid using a password that can be found in a standard dictionary or that is based on personal information such as a family name, pet or birth date.

Users should not write down their password on paper or store passwords on personal computers in an unencrypted fashion. All users are required to change their passwords periodically. Most faculty administrators, staff and students are required to change their password annually while users of the University’s Banner system must change their passwords more frequently. When changing your password, you are required to establish a new password which is suitably complex and has not been recently used.

POLICY

Periodic Password Changes
All employees who have direct access to the Banner information system must change their computer account password semi-annually. All other faculty, employees and students will be required to change their password once each year.

When a password is set to expire, an email notification will be sent informing the user that his/her password must be changed. Users with expired passwords will be prompted to change their password the next time that they log into MySJU, the University’s information portal. In fact, the password must be changed before users can access any portal service.

Password Complexity
New passwords must have a minimum length of six characters, must have at least one number and one alphabetic character, and cannot contain any of the following “special” characters: ` (backquote), \ (backslash), & (ampersand), ' (apostrophe). In addition, users will be required to change at least three characters from their previous password.

Reuse of Passwords
Faculty, students and employees may not recycle passwords that were recently used. Specifically, users may not recycle previously-used passwords for two years.