Password Policy
Purpose: 

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password change.

Applies to: 

The scope of this policy includes:

  1. All personnel who are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any University of Kansas facility;
  2. All individuals who have access to the University of Kansas network; and
  3. All systems that store any non-public KU information.
Campus: 
Lawrence
Edwards
Parsons
Juniper Gardens
Yoder
Topeka
Policy Statement: 

Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access.  Passwords help the University limit unauthorized or inappropriate access to various network resources at the University of Kansas, including user-level accounts, web accounts, email accounts, screen saver protection, and local router logins.

A poorly chosen password may result in the compromise of University systems, data, or the network.  Therefore, all KU students, faculty, and staff are responsible for taking the appropriate steps, as outlined below, to select appropriate passwords and protect them.  Contractors and vendors with access to University systems shall observe these requirements.

A department and/or system administrator may implement a more restrictive policy on local systems where deemed appropriate or necessary for the security of electronic information resources.  The Information Technology Security Office may require a more restrictive policy in protection of confidential information or data as defined in the Data Classification and Handling Policy.

Creation of Passwords

Passwords created by users of University systems, and on systems where technology makes it possible, shall conform to the following standards:

Your password must be 8 to 32 characters long and must contain:

  • At least one special character (&,#,-,_, etc.)
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one digit (0-9)

These provisions shall be enforced electronically whenever possible. 

Changing Passwords

Passwords must expire after no longer than 210 days.  Passwords are not allowed to be repeated within one year.

Protecting a Password

  • Passwords must be treated as confidential information.
  • Passwords must not be included in email messages or other forms of electronic communication.

Sharing a Password

  • KU Online IDs are issued to individuals for their exclusive use, and passwords may not be shared. 
  • Departmental account passwords must be shared only with appropriately designated departmental personnel.
  • Users need to beware of “phishing” or other social engineering scams where a user may have his or her password requested over the phone.  University information technology personnel (i.e., IT Customer Service Center, ITSO, Departmental Technical Staff), as a best practice, do not request a user’s password over the phone. 

Reporting a Password Compromise

  • Suspected compromises of passwords must be reported immediately to the KU IT Customer Service Center at 4-8080.
  • The password in question must be changed immediately.
Exclusions or Special Circumstances: 

Exceptions to this Policy shall only be allowed if previously approved by the KU Information Security Officer and this approval is documented and verified by the Chief Information Officer.

Consequences: 

Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.

Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.

Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.

Contact: 

Chief Information Officer
345 Strong Hall
1450 Jayhawk Blvd
Lawrence, KS 66045
(785) 864-4999
kucio@ku.edu

Approved by: 
Provost and Executive Vice Chancellor
Approved on: 
Tuesday, May 24, 2005
Effective on: 
Wednesday, June 1, 2005
Review Cycle: 
Annual (As Needed)
Keywords: 
password, changing, protecting, security, strong passwords, sharing passwords, compromise, PCI, HIPAA
Review, Approval & Change History: 

Updated 9/11/07 to reflect NTS/IT reorganization of responsibilities.
Updated 2/11/08 to clarify PCI/DSS and HIPAA additional requirements.
Updated 10/23/09 to reflect Legislative Post Audit requirements.
Updated 10/7/2014 to reflect current practice and KU IT organizational responsibilities.

Information Access & Technology Categories: 
Privacy & Security
