Overview

Passwords are a critical aspect of electronic security forming the front line of protection for user accounts. A poorly chosen password can result in the compromise of Rockhurst University's entire network. As such, all Rockhurst University students, and employees (including contractors and vendors with access to Rockhurst University systems) are responsible for selecting and securing their passwords.

Purpose

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

Scope

This policy governs all faculty, students, staff, vendors, contractors, and any other person allowed access to Rockhurst University information assets. All University personnel and external parties involved with using, requesting, approving, or accessing Rockhurst University information assets should be aware of this policy.

Each user must set a unique password for access to Rockhurst University's electronic systems. A user should never divulge their password to another person, whether verbally or in a written message, and should never reuse their Rockhurst password on non-Rockhurst accounts.

Passwords and any other sensitive information should never be included in an e-mail message as most e-mail messages travel the internet in clear text.

General Password Requirements

  1. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least annually, and immediately if a password has been compromised.
  2. Each password must exhibit complexity by:
    • Not containing all or part of the user's account name
    • Not containing commonly used passwords or dictionary words in the organizational block list
    • Containing characters from three of the four following categories:
      • Uppercase characters (A through Z)
      • Lowercase characters (a through z)
      • Base 10 digits (0 through 9)
      • Special characters, limited to *, !, @, #, $, %, & (no spaces or other punctuation)
    • Not being one of the user's 5 previously used passwords
    • Being a minimum of 12 characters long
  3. Users will be locked out after more than 5 unsuccessful logon attempts within an hour.
  4. All temporary passwords must be changed at first logon.
  5. If an account or password is suspected to have been compromised, report the incident to IT Services and immediately change all associated passwords. Your Rockhurst password can be changed by going to https://my.rockhurst.edu and clicking the forgot password link under the login information.
  6. Automated password guessing may be performed on a periodic or random basis by IT Services Management or its delegates. If a password is guessed during one of these scans, the user will be required to change it.
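The following is an added example, not Rockhurst University's own software, showing how the complexity, character-set and password-history rules above can be enforced in code. The sample block list, the interpretation of "part of the account name" as any name fragment of three or more characters, and the salted PBKDF2 history store are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

# Constants taken from the policy text above.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
ALLOWED_SPECIAL = set("*!@#$%&")
# Constructed sample block list; a real deployment loads the organizational list.
BLOCK_LIST = {"password", "rockhurst", "welcome", "letmein", "qwerty"}

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the history never holds passwords in a reversible form.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(history: list, password: str) -> None:
    # Record a newly accepted password; keep only the last HISTORY_DEPTH entries.
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))
    del history[:-HISTORY_DEPTH]

def check_password(password: str, account: str, history: list) -> list:
    """Return the policy rules the candidate violates (an empty list means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    lower = password.lower()
    # "All or part of the account name": the whole name, plus any fragment of 3+
    # characters split on common separators. This granularity is an assumption.
    name = account.lower()
    fragments = [name] + [p for p in re.split(r"[._@\-]", name) if len(p) >= 3]
    if any(f in lower for f in fragments):
        problems.append("contains account name")
    if any(word in lower for word in BLOCK_LIST):
        problems.append("contains block-listed word")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in ALLOWED_SPECIAL for c in password),
    ])
    if classes < 3:
        problems.append("fewer than three character classes")
    if any(not c.isalnum() and c not in ALLOWED_SPECIAL for c in password):
        problems.append("contains disallowed character or space")
    # Compare against each stored (salt, digest) pair in constant time.
    if any(hmac.compare_digest(_hash(password, s), d) for s, d in history):
        problems.append("reused one of the last 5 passwords")
    return problems
```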


Technology-specific Password Requirements

  1. All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a biennial (every other year) basis.
  2. All production system-level passwords must be part of the IT Services administered global password management database.
  3. Applications with sensitive data will have automatic log-offs after a predetermined period of inactivity; username and password will be required for re-authentication.
  4. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
  5. Username and password combinations must not be inserted into email messages or other forms of electronic communication unless the message is encrypted.
  6. Where SNMP (Simple Network Management Protocol) is used to monitor servers, network, and storage devices, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used for interactive logins. A keyed hash, or SNMP user accounts and encryption, must be used where available (e.g., SNMP v2 or SNMP v3).
  7. Application developers must ensure their programs contain the following security precautions. All applications:
  • should support authentication of individual users, not groups.
  • should not store passwords in clear text or in any easily reversible form.
  • should provide for some sort of role management, so that one user can take over the functions of another user without having to know the other's password.
  • should support Active Directory, or SAMLv2, and wherever possible should support multifactor authentication. 

University faculty, staff, students, vendors, and contractors are expected to implement this policy and follow the guidelines provided by the Rockhurst University Acceptable Use Policy in conjunction with any additional policies, procedures, and guidelines provided on the Information Technology Services website.

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Exceptions

Exceptions to this policy may be granted to individuals or departments that manage and maintain their own IT resources. Please contact the Computer Services Help Desk, helpdesk@rockhurst.edu, to request an exception.