Password Policy

Overview

Assigning unique user logins and requiring password protection is one of the primary safeguards employed to restrict access to the Lewis & Clark network and the data stored within it to only authorized users. If a password is compromised, access to information systems may be obtained by an unauthorized individual, either inadvertently or maliciously. Individuals with Lewis & Clark user accounts are responsible for safeguarding against unauthorized access to their account, and as such, must conform to this policy in order to ensure passwords are kept confidential and are designed to be complex and difficult to breach. The parameters in this policy are designed following recommendations of the US Department of Commerce, National Institute of Standards and Technology (NIST) Digital Identity Guidelines.

Scope

This policy applies to all individuals provided with user accounts for accessing Lewis & Clark information systems, and to all information systems used to create, store, or manage College data.

Policy

Individual Responsibility

Individuals are responsible for keeping passwords secure and confidential. As such, the following principles must be adhered to for creating and safeguarding passwords:

  • College passwords should never be shared with another individual for any reason or in any manner not consistent with this policy.
  • Employees should never ask anyone for their password.
  • College passwords should not be written down or transmitted in clear text, such as via email or text messages. Where it is considered necessary to store passwords off-line, passwords must be protected by some other level of security (e.g., a physical security mechanism such as a locked cabinet).
  • College passwords should not be stored in a web browser’s password manager. Most web browsers offer to save your passwords for you as you type them. Some do so securely, others may not. Generally, we recommend disabling this feature in your web browsers, and using a separate password manager instead. A separate password manager will have extensions available for modern web browsers, allowing for easy and secure filling of credentials into the browser of your choice.
  • Individuals must never leave themselves logged into an application or system on a shared workstation or when stepping away from their workstation.
  • Passwords for College systems should be unique and different from passwords used for other services (e.g., personal email accounts, banking, etc.).

Password Requirements

General Users

(All members of the LC Community issued user accounts including students, faculty, staff, volunteers, vendors, including shared and department accounts and alumni or emeriti accounts as applicable):

  • Must be between 15 and 19 characters in length
  • Must contain at least 1 of the following special characters: !@#$%^&*()_+|=`~
  • Cannot reuse previous 6 passwords
  • Cannot contain common password values or phrases
  • Must not include passwords known to have been exposed in a cyber breach

Administrative Users

(Campus application administrators, IT system and application administrators):

  • Must be a minimum of 15 characters in length
  • Must contain at least 1 of the following special characters: !@#$%^&*()_+|=`~
  • Cannot reuse previous 6 passwords
  • Cannot contain common password values or phrases
  • Must not contain dictionary words
  • Must not contain repetitive characters (e.g. 999 or aaa)
  • Must not contain sequential characters (e.g. 1234 or abcd)
  • Must not contain context-specific words (e.g. username)
  • Must not include passwords known to have been exposed in a cyber breach

Password requirements should be technically enforced on all College systems where possible. In systems that do not allow enforcement of these parameters, users are responsible for ensuring their passwords meet these requirements.

Password Expiration

All members of the Lewis & Clark community will be required to change their password at least once every 180 days.

The Information Security Office reserves the right to reset a user’s password in the event a compromise is suspected or reported.

Approval Date

Approved by IT Governance Committee: June 7, 2023