Security, Policies & Guidelines
NMSU Password Maintenance (Revised 15-JAN-2005)
Rationale
Password maintenance is the most important activity a user can undertake in securing institutional data. Changing passwords regularly helps prevent the accidental exposure of a password to others. Since the password is the final token used to access sensitive data, it should be guarded from inappropriate use.
Password Selection
A password should be selected in such a way that it cannot be guessed or reverse engineered. Passwords should not be dictionary words, names of people, etc. Passwords should be selected using accepted industry standard techniques. At a minimum, the password should have at least 6 characters, be a mixture of characters and numbers, and should not be guessable. A password should be changed every 120 days and not reused.
All systems which support password aging and password selection are required to have these features enabled.
Confidentiality of Passwords
User passwords should never be shared with any other person, including a supervisor (this excludes system passwords which are used by technical staff to maintain a server). Requests for employees to share their password with others should be reported to the ICT Security Officer. Sharing of user passwords is prohibited.
