The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password change.
The scope of this policy includes:
- All personnel who are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any University of Kansas facility;
- All individuals who have access to the University of Kansas network; and
- All systems that store any non-public KU information.
Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access. Passwords help the University limit unauthorized or inappropriate access to various network resources at the University of Kansas, including user-level accounts, web accounts, email accounts, screen saver protection, and local router logins.
A poorly chosen password may result in the compromise of University systems, data, or the network. Therefore, all KU students, faculty, and staff are responsible for taking the appropriate steps, as outlined below, to select appropriate passwords and protect them. Contractors and vendors with access to University systems shall observe these requirements.
A department and/or system administrator may implement a more restrictive policy on local systems where deemed appropriate or necessary for the security of electronic information resources. The Information Technology Security Office may require a more restrictive policy in protection of confidential information or data as defined in the Data Classification and Handling Policy.
Creation of Passwords
Passwords created by users of University systems, and on systems where technology makes it possible, shall conform to the following standards:
Your password must be 8 to 32 characters long and must contain:
- At least one special character (&,#,-,_, etc.)
- At least one uppercase letter
- At least one lowercase letter
- At least one digit (0-9)
These provisions shall be enforced electronically whenever possible.
Passwords must expire after no longer than 210 days. Passwords are not allowed to be repeated within one year.
Protecting a Password
- Passwords must be treated as confidential information.
- Passwords must not be included in email messages or other forms of electronic communication.
Sharing a Password
- KU Online IDs are issued to individuals for their exclusive use, and passwords may not be shared.
- Departmental account passwords must be shared only with appropriately designated departmental personnel.
- Users need to beware of “phishing” or other social engineering scams where a user may have a password requested over the phone. University information technology personnel (i.e., IT Customer Service Center, ITSO, Departmental Technical Staff), as a best practice, do not request a user’s password over the phone.
Reporting a Password Compromise
- Suspected compromises of passwords must be reported immediately to the KU IT Customer Service Center at 4-8080.
- The password in question must be changed immediately.
Exceptions to this Policy shall only be allowed if previously approved by the KU Information Security Officer and this approval is documented and verified by the Chief Information Officer.
Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.
Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.
Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.
Office of the Chief Information Officer
1001 Sunnyside Avenue
Lawrence, KS 66045
01/26/2022: Update contact section.
07/11/2016: Updated to remove gendered pronouns.
09/11/2007: Updated to reflect NTS/IT reorganization of responsibilities.
02/11/2008: Updated to clarify PCI/DSS and HIPAA additional requirements.
10/23/2009: Updated to reflect Legislative Post Audit requirements.
10/07/2014: Updated to reflect current practice and KU IT organizational responsibilities.