Password Policy
1.0 Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Clarkson's entire network. As such, all Clarkson faculty, staff and students (including contractors and vendors with access to Clarkson systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
2.0 Purpose
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
3.0 Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Clarkson facility, has access to the Clarkson network, or stores any non-public Clarkson information.
4.0 Policy
- All student, user-level passwords must follow the requirements below:
  - Must contain at least 8 characters
  - Must contain a mix of upper-case, lower-case, and number/symbols
  - Must not contain a word in any language, slang, dialect, jargon, etc.
  - Must not contain a sequence, forwards or backwards (e.g., 1234, abcd)
  - Encouraged to be changed every 365 days (1 year)
- All faculty/staff, user-level passwords must follow all requirements for student, user-level passwords, plus the requirements below:
  - Must be changed every 365 days (1 year)
  - Must be different from the most-recent password (1 password history retained)
- All system-level/administrator passwords must follow all requirements for student, user-level passwords, plus the requirements below:
  - Must contain at least 16 characters
  - Must be changed every 182 days (6 months)
  - Must be different from the 20 most-recent passwords (20 password histories retained)
- Passwords must not be inserted into external email messages or other forms of external electronic communication.
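A checker for the section 4.0 composition and history rules, added here as an illustration and not part of the policy or of any Clarkson system. The six-entry word list, the keyboard rows in the sequence scan and the SHA-256 history comparison are assumptions made for the example.

```python
import hashlib
import re

# Constructed mini word list standing in for "a word in any language";
# a real check would load a full dictionary or cracking wordlist (assumption).
WORDLIST = {"password", "clarkson", "summer", "welcome", "admin", "golden"}

# Runs the sequence rule scans for, forwards and backwards. The policy gives
# "1234" and "abcd" as examples; the two keyboard rows are an added assumption.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl")
SEQ_LEN = 4  # length of the policy's own examples

MIN_LEN = {"student": 8, "staff": 8, "admin": 16}   # section 4.0 length rules
HISTORY = {"student": 0, "staff": 1, "admin": 20}   # passwords retained per tier

def contains_sequence(pw: str) -> bool:
    low = pw.lower()
    for seq in SEQUENCES:
        for run in (seq, seq[::-1]):               # forwards or backwards
            if any(run[i:i + SEQ_LEN] in low for i in range(len(run) - SEQ_LEN + 1)):
                return True
    return False

def check_password(pw: str, tier: str = "student") -> list[str]:
    """Return the section 4.0 rules the candidate breaks ([] means compliant).
    tier is one of student, staff, admin."""
    problems = []
    if len(pw) < MIN_LEN[tier]:
        problems.append(f"fewer than {MIN_LEN[tier]} characters")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw) and re.search(r"[^A-Za-z]", pw)):
        problems.append("needs upper-case, lower-case and a number/symbol")
    if any(word in pw.lower() for word in WORDLIST):
        problems.append("contains a dictionary word")
    if contains_sequence(pw):
        problems.append("contains a sequence such as 1234 or abcd")
    return problems

def pw_digest(pw: str) -> str:
    # SHA-256 keeps the example dependency-free; a real password store uses a
    # salted, slow hash (bcrypt/argon2) and compares with that same function.
    return hashlib.sha256(pw.encode()).hexdigest()

def allowed_by_history(pw: str, stored_digests: list[str], tier: str) -> bool:
    """History rule: the new password must differ from the most recent N
    (staff N=1, admin N=20, students none); stored_digests is newest-first."""
    return pw_digest(pw) not in stored_digests[:HISTORY[tier]]
```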
5.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
6.0 Definitions
Application Administration Account — Any account that is for the administration of an application (e.g. Active Directory Admin, AFS root, etc.)
7.0 Revision History
- Draft Policy v0.1 — Apr 2003 — rporter
- Draft Policy v0.2 — 18 Apr 2006 — jfiske
- Draft Policy v0.3 — 28 Aug 2007 — jfiske
- Approved Policy v1.0 — 07 Sept 2007 — jfiske
