Password Policy

Policy number12-09
Responsible officeInformation Technology
Enforcement officialSenior Director of IT Security & Privacy
ClassificationBoard of Trustees-delegated Policy
Category12. Information Technology and Data Security

Statement of policy

This policy establishes minimum standards for the creation and protection of each person’s University password(s).

Summary of contents/major changes

Revised existing Policy; Added key definitions and updated content for relevancy and the forthcoming implementation of two-factor authentication and a change to password duration for faculty and staff.

1. Purpose of Policy

Western Michigan University (WMU) significantly relies on the use of University-provided credentials (Bronco NetID and password) to provide authenticated access to online information technology resources such as email, institutional data, University websites, academic and personal data, cloud computing processes, and other sensitive services. In particular, passwords are the user’s ‘keys’ to gaining access to University information and information systems. Any compromise of these authentication credentials directly impacts the confidentiality, integrity, and availability of University IT systems as well as user information and data. This policy establishes minimum standards for the creation and protection of each person’s University password(s). All users accessing WMU IT resources are bound by the requirements as described in this policy, to create and secure their password(s).

2. Stakeholders Most Impacted by the Policy 

This Policy applies to all individuals who use any WMU IT system or resource that requires password authentication. 

This policy also applies to certain non-WMU IT systems accounts, such as cloud computing applications, that provide access to sensitive University information and information systems where the exposure may have significant impact on University operations. This policy does not apply to password-protected files, encryption key passphrases, or local accounts that do not interface with WMU user account authentication systems (Kerberos, LDAP, and Active Directory).

3. Key Definitions 

3.1. Bronco NetID is the WMU-generated username and computer account granted to all WMU students, faculty and staff.

3.2. Kerberos is an authentication protocol that allows network users to prove their identity to one another in a secure manner.

3.3. LDAP is the Lightweight Directory Access Protocol and is used to access and manage directory information about an individual or devices.

3.4. Active Directory is a Microsoft technology used to manage computers and other devices on a network.

4. Full Policy Details 

4.1 Individuals must have a unique identifier and password for each University account.  Do not use the same identifier and/or password for multiple University accounts.

4.2 All WMU-owned electronic devices that access restricted/confidential University data must have password protection enabled.

4.3 Usernames and passwords are for the use of the individual to whom they were granted and must not be shared. The only exception to this rule would be WMU departmental accounts where the owner of the account may share the password with their designee(s).

4.4 All vendor-supplied default passwords (i.e. “password” or “admin”) must be changed prior to any application or program's release to a production environment.

4.5 Do not use the same password for WMU accounts as for non-WMU account access, such as, online banking, personal ISP (internet service provider) accounts, Facebook, Twitter, or other social network accounts.

4.6 Requirements for Faculty and Staff

  • 4.6.1 Faculty and staff who do not use two-factor authentication, must change their passwords every six months.
  • 4.6.2 Faculty and staff who participate in two-factor authentication, must change their password once every 365 days.
  • 4.6.3 Faculty and staff should not use web browser password savers. It is more acceptable to use commercial password keeper programs (e.g., LastPass, 1Password, etc.).

4.7 Requirements for Students, emeriti and retirees

  • 4.7.1 Students, emeriti and retiree passwords must be changed at least once every 365 days.
  • 4.7.2 Student employees should follow the student requirements, not the employee requirements

4.8 Implementation

     All system administrators and users of University IT resources are responsible for implementing and maintaining the requirements outlined in this document.

5. Accountability 

The Office of Information Technology will enforce this policy through systematic means and/or through communications with departmental network administrators. Failure to comply may result in discipline, up to and including dismissal, consistent with current collective bargaining agreements, University policies, and applicable law.  

6. Related Policies and Procedures 

6.1.  Reminders to change your password will begin at 42 days from expiration and continue at regular times until the password expires. All messages will include the link to change your password.

6.2.  Active Directory administrator user accounts that have system-level privileges granted through group memberships must have unique passwords for each account(s) held by that user.

6.3.   Help Desk and system administrators must verify the identity of users when assigning or resetting passwords.

See also Establishing a Password Guidelines.

7. Additional Information

Policies and/or standards adopted by a college or administrative unit must be consistent with this policy, but may provide supplemental controls, guidelines, and further restrictions.

Bronco NetID Self Help - https://wmich.edu/helpdesk/selfhelp/bronconetid

8. FAQs

8.1.  Can I use an old password?

Answer: No, passwords may only be used once.

8.2.  What are the requirements?

Answer: See Establishing a password guidelines web page.

8.3.  How long is my password valid?

Answer: Passwords for students and retirees expire one year after they have been created. Passwords for faculty and staff expire every six months unless they have enrolled in two-factor authentication, then it must be changed once per year.

8.4.  What is my password used for?

Answer: Passwords are used for all online services that require an account. Examples being GoWMU, W-Exchange, Elearning, etc.

8.5:  Does this policy apply to Registered Student Organization (RSO) accounts?

Answer: Yes, all conditions of the policy apply to RSO accounts. 

History

Effective date of current versionMarch 1, 2011
Date first adoptedDecember 1, 2010
Revision history
Friday, October 1, 2010 - 17:22 Direction/purpose: Chief information officer, per external audit report

Monday, November 1, 2010 - 17:22 Reviewed: Campus Information Security Committee.

Wednesday, December 1, 2010 - 17:23 Reviewed and edited: Campus Information Security Committee; reviewed: LAN managers group.

Saturday, January 1, 2011 - 17:23 Reviewed and edited: Campus Information Security Committee.

Tuesday, March 1, 2011 - 17:23 Approved: Campus Information Security Committee.

Wednesday, October 2, 2019 - 11:15 Revisions approved: Campus Information Security Committee.
Proposed date of next reviewMarch 1, 2022

Authorization

Certified by

Gregory B. Lozeau 

Senior Director, IT Security & Privacy

At the direction of

Jennifer P. Bott 

Provost and Vice President for Academic Affairs