Password Policy

This policy sets out the password requirements for University IT accounts, and for personal and third-party accounts used to access or federate to University systems, networks and computer devices.

Updated May 2021

Approved by the University's Corporate Management Team

1. INTRODUCTION

1.1  This policy supports the Digital Services Cyber Essentials certification principles by ensuring that passwords used to access computer resources are selected, maintained and updated in line with the University security profile standards.

1.2  The University ICT Acceptable Use Policy states that users must take all necessary steps to protect and maintain the security of any equipment, software, data, storage area and/or passwords allocated for their use. This policy sets out the minimum a user must do to meet this requirement when selecting and updating a password.

1.3  Password policies are used to mitigate possible attacks against the University network infrastructure and the data held within it. Long, complex passwords help to mitigate attacks that attempt to guess passwords, and regular password changes help to limit the long-term exploitation of any disclosed or discovered password.

1.4  This policy therefore provides requirements and guidance on password structure, technical standards and the technology required to keep the University IT network secure and confidential.

2. PASSWORD SELECTION

2.1  To protect University systems and data, users must select a password that is secure and difficult to guess. In accordance with security best practice the following rules are mandatory:

  • All passwords must have a minimum of twelve characters.
  • Each password must contain a combination of at least three of the following four character sets:
    • uppercase characters (A through to Z)
    • lowercase characters (a through to z)
    • numerical digits (0 through to 9)
    • non-alphabetical characters (e.g. ! $ # % @ +)
  • Previous passwords used for a University system must not be re-used.

2.2  In addition, although the following are not actively enforced by the password creation process: accounts created for use on external online resources must not use the same password as University authentication. Passwords must not be something that can easily be guessed (avoid using your name, a child's or pet's name, car registration number, football team, etc.). Maximum password length is not limited by policy and is determined by user preference.

2.3  This policy covers the password requirements for all systems and applications used within the University, including third-party externally hosted applications. The password policy will be reviewed every 12 months to ensure that the security settings remain relevant and applicable to the technologies, applications and services used by the University.

2.4  See Appendix A for a complete list of enforced password settings.
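The selection rules of section 2, written out as a check that a registration or self-service reset form could run before accepting a candidate password. This is an added illustration and not a University tool or the setting enforced by the authentication system. It assumes that a "non-alphabetical character" is any character that is neither a letter nor a digit, and it holds the previous 24 passwords (the Appendix A history depth) as salted PBKDF2 hashes, so that the history itself never stores a password in clear text, in keeping with section 3.4.

```python
"""Candidate-password check against the selection rules in section 2 and the
password-history setting in Appendix A. Added illustration only, not
University code. Assumptions: a 'non-alphabetical character' is anything
that is neither a letter nor a digit; previous passwords are kept as salted
PBKDF2 hashes so the history never holds a password in clear text."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MIN_LENGTH = 12             # section 2.1: at least twelve characters
REQUIRED_CLASSES = 3        # section 2.1: three of the four character sets
HISTORY_DEPTH = 24          # Appendix A: password history of 24
PBKDF2_ITERATIONS = 50_000  # illustration value; raise it in a real system

# The four character sets named in section 2.1.
CHARACTER_CLASSES: Dict[str, Callable[[str], bool]] = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum(),  # assumption: any non-letter, non-digit
}


def character_classes(password: str) -> List[str]:
    """Names of the character sets the password draws from, in policy order."""
    return [name for name, test in CHARACTER_CLASSES.items()
            if any(test(c) for c in password)]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used for the reuse comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


@dataclass
class PasswordHistory:
    """The user's last HISTORY_DEPTH passwords as (salt, digest), oldest first."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def contains(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is hashed once per entry
        # and compared in constant time.
        return any(hmac.compare_digest(hash_password(password, salt), digest)
                   for salt, digest in self.entries)

    def add(self, password: str) -> None:
        """Record a newly set password and drop anything older than the last 24."""
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt)))
        del self.entries[:-HISTORY_DEPTH]


def check_password(password: str,
                   history: Optional[PasswordHistory] = None) -> List[str]:
    """Return the rule violations for a candidate; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    found = character_classes(password)
    if len(found) < REQUIRED_CLASSES:
        problems.append(f"uses {len(found)} of 4 character sets, need {REQUIRED_CLASSES}")
    if history is not None and history.contains(password):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    history = PasswordHistory()
    history.add("Tr0ub4dor&3xtra")
    for candidate in ("short", "correcthorsebattery", "Tr0ub4dor&3xtra",
                      "Tr0ub4dor&3xtrb"):
        verdict = check_password(candidate, history) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The check reports every violated rule rather than stopping at the first, which is what a user-facing form needs. The lockout settings in Appendix A (8 bad passwords, 30-minute lockout) are a property of the authentication system's sign-in path and are not part of this candidate check.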

3. CHANGING A PASSWORD

3.1  Passwords must be changed regularly to mitigate the long-term exploitation of any disclosed or discovered password. It is recommended that passwords are changed in line with application requirements.

3.2  The University is migrating to a more complex and secure password requirement. All IT accounts will be required to comply with these new security standards, which will be applied through the password selection procedure at the point of password renewal. Security requirements will be reviewed, and changes implemented where necessary, to maintain account security and to defend against complex attack vectors designed to compromise user accounts.

3.3  Password use will be monitored by the University. Where a possible account compromise is identified from data analysis or third-party reports, the IT account password will be changed immediately and the Compromised IT Account procedure will be invoked from the procedures documented in the Incident Response Policy.

3.4  Passwords are the mechanism used to protect the security of University systems and must be protected.

  • Passwords must be kept secret
  • Passwords must not be written in a form that others could identify
  • Passwords must not be stored electronically in a non-encrypted format
  • Passwords may be stored in password management applications where appropriate
  • Passwords must never be shared with others
  • Care should be taken to prevent anyone from watching you type your password
  • Devices should not be left unattended and unlocked in public spaces or communal areas.

4. ENFORCED PASSWORD SETTINGS AND RATIONALE

4.1  This policy relates to University accounts and is enforced by security settings within the authentication system. The settings, and the rationale for selecting them for each category of user, are detailed in the tables in Appendix A:

4.2  The University operates two general types of user accounts:

  • Student Accounts
  • Staff Accounts.

APPENDIX A

1. STUDENT ACCOUNTS - PASSWORD SETTINGS

CONTROL | SETTING | RATIONALE
Minimum password length | 12 characters | In line with recommended minimum password sizes, to reduce the risk of dictionary attacks. Control selected in compliance with recommendations from the University's external cyber security professional service provider.
Minimum password age | 0 days | To allow immediate changing of the password following a help desk reset.
Maximum password age | In line with application requirements | To allow passwords to be used across multiple applications.
Password history | 24 passwords | To prevent the same password from being re-used (note: this is the maximum possible value).
Password complexity | Enabled | To enforce stronger passwords (three of: uppercase, lowercase, numbers, symbols).
Change password at first use | No | Disabled to simplify the logon process for distance learners and enrolment.
Account lockout | Locked for 30 minutes (automatic) after 8 bad passwords | To prevent dictionary attacks without impacting on student engagement.

2. STAFF ACCOUNTS - PASSWORD SETTINGS

CONTROL | SETTING | RATIONALE
Minimum password length | 12 characters | In line with recommended minimum password sizes, to reduce the risk of dictionary attacks. Control selected in compliance with recommendations from the University's external cyber security professional service provider.
Minimum password age | 0 days | To allow immediate changing of the password following a help desk reset.
Maximum password age | In line with application requirements | To allow passwords to be used across multiple applications.
Password history | 24 passwords | To prevent the same password from being re-used (note: this is the maximum possible value).
Password complexity | Enabled | To enforce stronger passwords (three of: uppercase, lowercase, numbers, symbols).
Change password at first use | No | To support wholly offsite users, including partner colleges and external examiners.
Account lockout | Locked for 30 minutes (automatic) after 8 bad passwords | To prevent dictionary attacks.