The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password change.
The scope of this policy includes:
- All personnel who are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any University of Kansas facility;
- All individuals who have access to the University of Kansas network; and
- All systems that store any non-public KU information.
Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access. Passwords help the University limit unauthorized or inappropriate access to various network resources at the University of Kansas, including user-level accounts, web accounts, email accounts, screen saver protection, and local router logins.
A poorly chosen password may result in the compromise of University systems, data, or the network. Therefore, all KU students, faculty, and staff are responsible for taking the appropriate steps, as outlined below, to select appropriate passwords and protect them. Contractors and vendors with access to University systems also are expected to observe these requirements.
A department and/or system administrator may implement a more restrictive policy on local systems where deemed appropriate or necessary for the security of electronic information resources. The Information Technology Security Office can require a more restrictive policy in protection of confidential information or data as defined in the Data Classification and Handling Policy.
Creation of Passwords
Passwords created by users of University systems, and on systems where technology makes it possible, should conform to the following guidelines:
- Must be different from the user’s login name or the reverse of the name and must avoid use of knowable personal information (names of family, etc.).
- Must be at least seven characters.
- Must include digits (0-9), and both upper and lower case characters (a-z, A-Z).
- Must use a special character (Examples: *, &, %, or $).
These provisions will be enforced electronically whenever possible. For additional assistance in creating a secure password, please refer to http://www.security.ku.edu/.
Passwords should be changed once a semester (Fall and Spring). The new password must differ from the old password by at least three characters. Passwords are not allowed to be repeated within one year.
- Those entities required to be Payment Card Industry (PCI) Data Security Standard (DSS) or Health Insurance Portability and Accountability Act (HIPAA) compliant by the Information Technology Security Office (ITSO) shall require their user passwords to be changed at a minimum every 90 days.
- Those entities required to be PCI/DSS or HIPAA compliant by the ITSO shall require that their users not choose a new password that is the same as any of their previous four passwords.
- All default passwords shall be changed to meet the current password requirements. No default passwords shall remain in effect after the required initial usage. Default passwords are those that are vendor supplied with hardware or software, or are system generated.
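The policy says these provisions "will be enforced electronically whenever possible." The following Python checker is an added example of what such enforcement looks like; it is not KU's own tooling. It applies the composition rules above (not the login name or its reverse, at least seven characters, digit, upper and lower case, special character) and the change rules (at least three characters different from the old password, no reuse within one year, or within the previous four passwords and a 90-day maximum age for PCI/HIPAA entities). Three assumptions are labelled in the code: "differ by at least three characters" is interpreted as Levenshtein edit distance, any punctuation character counts as "special" (the policy only lists examples), and password history is kept as SHA-256 fingerprints so the store never holds plaintext (a production system would use a slow, salted hash).

```python
"""Password-policy checker modelled on the KU guidelines (added example, not KU code)."""
import hashlib
import string
from datetime import date, timedelta

SPECIAL_CHARS = set(string.punctuation)      # policy lists *, &, %, $ as examples; any punctuation accepted (assumption)
MIN_LENGTH = 7                               # "at least seven characters"
MIN_CHANGE_DISTANCE = 3                      # "differ from the old password by at least three characters"
GENERAL_REUSE_WINDOW = timedelta(days=365)   # "not allowed to be repeated within one year"
PCI_HIPAA_HISTORY = 4                        # "any of the previous four passwords"
PCI_HIPAA_MAX_AGE = timedelta(days=90)       # "changed at a minimum every 90 days"


def check_composition(password, login_name):
    """Return the list of composition rules the candidate password violates (empty = compliant)."""
    problems = []
    lowered, name = password.lower(), login_name.lower()
    if lowered in (name, name[::-1]):
        problems.append("must differ from the login name and its reverse")
    if len(password) < MIN_LENGTH:
        problems.append("must be at least 7 characters")
    if not any(c.isdigit() for c in password):
        problems.append("must include a digit (0-9)")
    if not any(c.islower() for c in password):
        problems.append("must include a lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("must include an upper-case letter")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("must include a special character (e.g. *, &, %, $)")
    return problems


def edit_distance(a, b):
    """Levenshtein distance; our interpretation of 'differ by at least three characters' (assumption)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fingerprint(password):
    """Demo-only fingerprint so the history store never holds plaintext; use a slow salted hash in production."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_change(old_password, new_password, history, today, pci_hipaa=False):
    """Apply the change rules.

    history: list of (fingerprint, date_set) tuples, newest first, including the current password.
    pci_hipaa: True for entities the ITSO requires to be PCI/DSS or HIPAA compliant.
    """
    problems = []
    if edit_distance(old_password, new_password) < MIN_CHANGE_DISTANCE:
        problems.append("differs from the old password by fewer than 3 characters")
    new_fp = fingerprint(new_password)
    if pci_hipaa:
        recent = history[:PCI_HIPAA_HISTORY]      # previous four passwords, regardless of age
        reuse_msg = "reuses one of the previous four passwords"
    else:
        recent = [h for h in history if today - h[1] <= GENERAL_REUSE_WINDOW]
        reuse_msg = "reuses a password set within the past year"
    if any(fp == new_fp for fp, _ in recent):
        problems.append(reuse_msg)
    return problems


def needs_rotation(date_set, today):
    """PCI/HIPAA 90-day rule; the general once-a-semester rule is calendar-based and handled elsewhere."""
    return today - date_set >= PCI_HIPAA_MAX_AGE


if __name__ == "__main__":
    # Constructed sample data: a user 'jhawk' changing a password set on 2009-08-20.
    history = [(fingerprint("Rock*Chalk19"), date(2009, 8, 20)),
               (fingerprint("Old!Summer08"), date(2009, 1, 15))]
    print(check_composition("jhawk", "jhawk"))
    print(check_change("Rock*Chalk19", "Rock*Chalk20", history, date(2009, 12, 1)))
    print(check_change("Rock*Chalk19", "Old!Summer08", history, date(2010, 3, 1), pci_hipaa=True))
```

The history list intentionally holds fingerprints rather than passwords, because the reuse rule only needs an equality test; the three-character-difference rule, by contrast, needs the old password in plaintext, which is why it is evaluated at change time when the user has just supplied it.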
Protecting a Password
- Passwords should be treated as confidential University information.
- Passwords should never be written down or posted for reference.
- Passwords should not be included in email messages or other forms of electronic communication.
Sharing a Password
- Sharing or allowing another person to use an individual account password is a violation of this policy unless the person is an information technology professional assisting you with a technical problem. Departmental account passwords should be shared only with appropriately designated departmental personnel.
- Passwords may be shared via phone when necessary. However, users need to beware of “phishing” or other social engineering scams where a user may have his or her password requested over the phone. University information technology personnel (i.e., IT Customer Service Center, ITSO, Technical Liaisons), as a best practice, do not normally request a user’s password over the phone. Password phone communications may be necessary with external information technology vendors.
- Approval by the University's ITSO is required prior to sharing a password with a vendor (approval may be granted on a one-time or continuing basis), and this vendor access may require implementing the appropriate technology infrastructure to accommodate the access (depending on the circumstance, and as determined by ITSO).
- It is recommended that passwords be changed after allowing use as permitted in this section.
Reporting a Password Compromise
- Suspected compromises of passwords must be reported immediately to the KU IT Customer Service Center at 4-8080.
- The password in question should be changed immediately.
Responsibilities of Information Technology Security Office
- The ITSO may require a more restrictive policy, such as stronger passwords, in some circumstances.
- The ITSO or its delegates may perform password assessments on a periodic or random basis. If a password is guessed or cracked during one of these assessments, the ITSO will promptly notify the listed contact and require the password be changed.
Exceptions to this Policy shall only be allowed if previously approved by the KU Information Technology Security Office and this approval is documented and verified by the Chief Information Officer.
Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.
Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.
Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.
Chief Information Officer
345 Strong Hall
1450 Jayhawk Blvd
Lawrence, KS 66045
These definitions apply to these terms as they are used in this document.
Confidential information is a subset of private information that includes information protected by state and/or federal law and information that the University is contractually obligated to protect. The mishandling of confidential information may impact the University through financial and legal sanctions, loss of public confidence, and damage to the University’s reputation. Examples of confidential information include Social Security numbers, bank account information, BPC account numbers, healthcare records, educational records and risk assessments that highlight potential weaknesses in the University’s utility/service infrastructure.
Social engineering is the act of manipulating people into performing actions or divulging confidential information. The term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the attacker never comes face-to-face with the victim.
Updated 9/11/07 to reflect NTS/IT reorganization of responsibilities.
Updated 2/11/08 to clarify PCI/DSS and HIPAA additional requirements.
Updated 10/23/09 to reflect Legislative Post Audit requirements.