Password Policy

Policy number: 12-09
Responsible office: Information Technology
Classification: Board of Trustees-delegated Policy
Category: 12. Information Technology and Data Security

Statement of policy

Policy for establishing and using passwords at WMU.

Purpose

Western Michigan University relies heavily on University-provided credentials (Bronco NetID and password) to authenticate access to online information technology resources such as email, institutional data, University websites, academic and personal data, cloud computing processes, and other sensitive services. In particular, passwords are the user's "keys" to University information and information systems. A compromise of these authentication credentials directly impacts the confidentiality, integrity, and availability of IT systems and of both University and user information. This policy establishes minimum standards for the creation and protection of each person's University password(s). All users accessing WMU IT resources are bound by the requirements described in this policy to create and secure their password(s).

Scope

This policy applies to all WMU IT systems and resources that require password authentication. All system administrators and users of University IT resources are responsible for implementing and maintaining the requirements outlined in this document. Policies and/or standards adopted by a college or administrative unit must be consistent with this policy, but may provide supplemental controls, guidelines, and further restrictions.

This policy also applies to certain non-WMU IT system accounts, such as cloud computing applications, that provide access to sensitive University information and information systems where exposure may have a significant impact on University operations. Do not use the same password for WMU accounts as for non-WMU access such as online banking, personal ISP accounts, Facebook, MySpace, Twitter, or other social network accounts. This policy does not apply to password-protected files, encryption key passphrases, or local accounts that do not interface with WMU user account authentication systems (Kerberos, LDAP, and Active Directory).

Policy statements

Individuals must have a unique identifier and password for each University account.

  • All WMU-owned electronic devices that access confidential/restricted University data must have password protection enabled.
  • Passwords must be stored in an irreversible (one-way hashed) format whenever possible.
  • Passwords must contain at least eight (8) characters, in combination as follows:
      • At least one upper case alphabetic character.
      • At least one lower case alphabetic character.
      • At least one numeric character (1, 2, 3, etc.).
      • At least one punctuation or symbol character (@, $, #, etc.).
      • Do not use single quotes ('), double quotes (") or blank spaces, as they may not work with all University systems.
  • Faculty and staff passwords must be changed at least once every six months; student, emeriti and retiree passwords must be changed at least once every 365 days. Reminders to change your password will begin 42 days before expiration and continue at regular intervals until the password expires. Every reminder will include a link to the password change page.
  • Administrator user accounts that have system-level privileges granted through group memberships must have a unique password for each account held by that user.
  • Usernames and passwords are for the use of the individual to whom they were granted and must not be shared. The only exception to this rule is WMU departmental accounts, where the owner of the account may share the password with their designee.
  • Help Desk and system administrators must verify the identity of users when assigning or resetting passwords.
  • All vendor-supplied default passwords must be changed before any application or program is implemented in a production environment.
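The complexity, rotation and storage rules above map directly onto a small validator. The following is an added example written for this page, not WMU's own code: it checks a candidate password against the eight-character/four-class rule and the quote/space restriction, computes when a password expires and whether the 42-day reminder window has started, and shows one way to keep passwords in an irreversible form (a salted PBKDF2 hash). The role-to-maximum-age mapping, the choice of 182 days for "six months", and the PBKDF2 parameters are assumptions of the example, not values stated in the policy.

```python
"""Checker for the password rules above (added example; not WMU's own code)."""
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import Optional

MIN_LENGTH = 8
# Characters the policy says to avoid: single quote, double quote, blank space.
FORBIDDEN_CHARS = {"'", '"', " "}


def check_password(password: str) -> list:
    """Return the rules a candidate password violates (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("missing upper case letter")
    if not re.search(r"[a-z]", password):
        problems.append("missing lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("missing numeric character")
    # A symbol is any non-alphanumeric character that is not itself forbidden,
    # so a blank space does not satisfy the punctuation requirement.
    if not any((not c.isalnum()) and c not in FORBIDDEN_CHARS for c in password):
        problems.append("missing punctuation or symbol character")
    if FORBIDDEN_CHARS & set(password):
        problems.append("contains a quote character or blank space")
    return problems


# Maximum password age per group. ASSUMPTION: the policy's "six months" is
# approximated here as 182 days; the role names are illustrative.
MAX_AGE_DAYS = {"faculty": 182, "staff": 182,
                "student": 365, "emeriti": 365, "retiree": 365}
REMINDER_WINDOW_DAYS = 42  # reminders start 42 days before expiration


def expiry_status(role: str, last_changed_iso: str, today_iso: str) -> dict:
    """Report expiry date, days remaining, and whether a reminder or a forced change is due."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    expires_on = last_changed + timedelta(days=MAX_AGE_DAYS[role])
    days_left = (expires_on - today).days
    return {
        "expires_on": expires_on.isoformat(),
        "days_left": days_left,
        "expired": days_left <= 0,
        "remind": 0 < days_left <= REMINDER_WINDOW_DAYS,
    }


# ASSUMPTION: PBKDF2-HMAC-SHA256 with a 16-byte random salt is used here as one
# example of "irreversible" storage; the policy does not name an algorithm.
def hash_for_storage(password: str, salt: Optional[bytes] = None,
                     iterations: int = 600_000) -> tuple:
    """Derive a one-way, salted hash; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_stored(password: str, salt: bytes, digest: bytes,
                  iterations: int = 600_000) -> bool:
    """Recompute the hash and compare in constant time; the stored value never reveals the password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample inputs for a quick local run.
    for pw in ["Bronco#2011", "bronco2011!", "Bronco 2011"]:
        print(repr(pw), check_password(pw) or "compliant")
    print(expiry_status("faculty", "2011-01-01", "2011-06-01"))
    salt, digest = hash_for_storage("Bronco#2011")
    print("stored hash verifies:", verify_stored("Bronco#2011", salt, digest))
```

Because `check_password` returns every violated rule rather than stopping at the first, a self-service change page can show the user the full list at once; the hashing helpers keep only a salt and digest, which satisfies the "irreversible format" requirement while still allowing verification.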

See also the Establishing a password guidelines.

Enforcement

The Office of Information Technology has the responsibility to enforce this policy through systematic means and/or departmental network administrators, IT system administrators, and system users. All WMU employees are responsible for complying with this policy. Failure to comply may result in disciplinary sanctions consistent with current collective bargaining agreements, University policies, and applicable law.

Note

This policy may be amended at any time by the chief information officer of Western Michigan University consistent with current collective bargaining agreements, University policies, and applicable law. Changes will be reviewed by appropriate University entities prior to posting on the information technology public website.

History

Effective date of current version: March 1, 2011
Date first adopted: December 1, 2010

Revision history

  • Friday, October 1, 2010 - 17:22 Direction/purpose: Chief information officer, per external audit report.
  • Monday, November 1, 2010 - 17:22 Reviewed: Campus Information Security Committee.
  • Wednesday, December 1, 2010 - 17:23 Reviewed and edited: Campus Information Security Committee; reviewed: LAN managers group.
  • Saturday, January 1, 2011 - 17:23 Reviewed and edited: Campus Information Security Committee.
  • Tuesday, March 1, 2011 - 17:23 Approved: Campus Information Security Committee.

Proposed date of next review: March 1, 2019