Information Technology Services

Password Security


Passwords are often the critical key to accessing data and computing resources. Where other attempts at security have failed, the password is often the last barrier to unauthorized access. As such, each user shall maintain their passwords so that they remain an effective prevention mechanism against unauthorized access. For some departments this is automatic, while others must remember to make a password change based on the calendar. The following standards apply.

  • Passwords to any computing resource shall only be issued to authorized users.
  • Password recipients are responsible for the integrity of their password and shall not distribute it to unauthorized users.
  • Every account must have a password.

  • Passwords must have a minimum of six (6) characters, and include three of four categories for complexity (combination of upper case, lower case, numbers, and special characters), to the extent allowed by the platform.
  • Passwords must be changed every 90 days.
  • A screen saver with a lock feature must be active, and the lock feature must activate upon a maximum of 15 minutes of inactivity.
  • Passwords may not be shared or given to others.
  • Passwords must not be posted or displayed.
  • Applications and systems must be set up where possible so that passwords may not be changed more frequently than every seven days.

For more information see http://academics.georgiasouthern.edu/provost/policies/IT Security Standards.pdf .

Secure Password Guidelines
Here are some guidelines that can help you make a secure password.

Dos

  • Do use a combination of numbers and letters with a mixture of upper and lower case.
  • Do use a password with non-alphabetic characters, e.g., digits or punctuation.
  • Do use a password that is easy to remember, so you don't have to write it down.
  • Do use a password that you can type quickly without having to look at the keyboard.
  • Do use a password that is at least six characters.
  • Do change them frequently (every 3 months is required). This raises the security level of the passwords.
  • Use a phrase or even a sentence that you can remember. For example, "I love to eat ice cream" can become !Lt3Ic. The I becomes !, the e is 3, and you have upper and lower case. This password meets all the criteria for a password: six characters, upper and lower case letters, special characters, and numbers.

Don'ts

  • Don't use your first or last name in any form.
  • Don't use your spouse's or child's name.
  • Don't use other information easily obtained about you. This includes your favorite food, movie, your birthday, a family member's birthday, license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street you live on, etc.
  • Don't use a password with just numbers or all identical letters.
  • Don't use a word contained in (English or foreign language) dictionaries, spelling lists, or other lists of words.

Guidelines for Protecting Your Password

  • Do not use your Georgia Southern password for personal accounts (e.g. AOL account, personal e-mail account, any personal web accounts, etc.).
  • Do not use the "remember my password" feature in your e-mail application or when logging in to a web service.
  • Do not share your password with anyone.
  • Do not put your password in any electronic form of communication (this can include e-mail, IM, chat rooms, etc.).
  • Passwords should be memorized and not written down or stored on-line. If you must write down a password, it must be stored in a secure location allowing only authorized access, such as a locked filing cabinet or safe.

Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every three months.