Password policy

Purpose

The purpose of this policy is to establish standards for the creation of strong passwords, the protection of those passwords, and the resetting of passwords in an effort to safeguard access to institutional data by authorized data users.

Policy

It is the policy of Lynn University that members of the university community who have been issued authentication credentials for an account on university information systems adhere to the password controls and procedures defined by the university. At no time may authorized data users grant access to their account by providing someone else their password.

Definitions

Data users - individuals, including, but not limited to, employees, temporary employees, faculty, students, alumni, trustees, campus visitors, contractors, vendors, consultants and their related personnel authorized by the university to access information systems that collect, process, maintain, use, share, disseminate or dispose of institutional data.

Information system(s) - a set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The term system is used to represent any method that can process, store, or transmit institutional data.

Institutional data - any information collected, manipulated, stored, reported, or presented in any format, on any medium, at any location by any unit, program or office of the university in support of Lynn University’s mission. There are three types of institutional data: high risk; medium risk; and low risk. See the data classification and data governance policy for additional information.

Procedures/Guidelines

Password maintenance is the most important activity a user can participate in to secure institutional data. Passwords help protect against misuse by seeking to restrict use of university systems and networks to authorized users. Each authorized user of the university is assigned a unique password that is to be protected by that individual and not shared with others. The same username and password combination shall not be reused for any third party services.

The university has implemented a password maintenance policy that requires authorized users to maintain a password in accordance with a minimum acceptable password standard that is aligned with the NIST 800-63 password guidelines. All employees are required to use two-factor authentication for off campus access to select resources. The password should be changed at the pleasure of the employee or when required by Information Technology due to the accidental exposure of the password to other users or parties.

Data users are required to maintain passwords in accordance with a minimum acceptable password standard. The password must be changed on a regular basis to prevent the accidental exposure of a password to others.

Password standards

Passwords are an important aspect of information technology system security. A poorly chosen password may result in the compromise of a university information system. Accordingly, the university has established the following standards regarding the use of passwords to access university information systems:

  1. Passwords should never be written down.
  2. Passwords belong to individuals and must never be shared with others.
  3. Passwords are required to be changed as scheduled by Information Technology (IT), or immediately if compromised.
  4. To mitigate the possibility of someone cracking a password, IT recommends that the guidelines listed at https://kb.lynn.edu/display/IT... be followed.
  5. Passwords must be encrypted in transit:
    1. In compliance with PCI requirements, decryption keys will be prevented from being tied to authorized user accounts, rather than file- or column-level database encryption.

In addition to the above, where feasible, IT will configure information systems and software to adhere to the following standards:

  1. Passwords must be masked upon entry (e.g., displaying asterisks or dots when a user types in a password) and not displayed in clear text.
  2. System software must enforce the changing of passwords and the minimum length.
  3. System software must prohibit data users from submitting a new password that is the same as any of the last four (2) passwords the user has used.
  4. System software must disable access when more than three (3) consecutive invalid passwords are given within a fifteen (15) minute timeframe. Lockout time will typically be set at a minimum of thirty (30) minutes. See the information system access control policy for additional information.
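The lockout and password-history controls in items 3 and 4 are easy to get subtly wrong (counting non-consecutive failures, never expiring the failure window, or comparing new passwords against plaintext). The following is an added illustration, not code from Lynn University or its IT department, of how an authentication service could enforce them: a failure window of fifteen minutes, lockout once more than three consecutive invalid passwords fall inside that window, a thirty-minute lockout, and rejection of any new password matching one of the last four stored. The `MIN_LENGTH` value and the PBKDF2 parameters are assumptions chosen for the example; the policy itself only says software must enforce "the minimum length".

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Values taken from the policy text above.
FAILURE_THRESHOLD = 3          # lock when MORE than three consecutive failures
FAILURE_WINDOW_SECS = 15 * 60  # failures counted within a fifteen-minute window
LOCKOUT_SECS = 30 * 60         # minimum thirty-minute lockout
HISTORY_DEPTH = 4              # reject reuse of the last four passwords

# Assumptions for this example (not stated in the policy).
MIN_LENGTH = 8
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256; never store plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored salt/digest pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Tracks one user's current credential, password history and lockout state."""

    def __init__(self, username, password):
        self.username = username
        self.history = deque(maxlen=HISTORY_DEPTH)  # most recent HISTORY_DEPTH (salt, digest)
        self.failures = []                          # timestamps of consecutive failures
        self.locked_until = 0.0
        self.current = hash_password(password)
        self.history.append(self.current)

    def is_locked(self, now):
        return now < self.locked_until

    def login(self, password, now=None):
        """Return 'ok', 'invalid' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if self.is_locked(now):
            return "locked"
        if verify_password(password, *self.current):
            self.failures.clear()  # a success breaks the consecutive-failure streak
            return "ok"
        # Drop failures older than the window, then record this one.
        self.failures = [t for t in self.failures if now - t <= FAILURE_WINDOW_SECS]
        self.failures.append(now)
        if len(self.failures) > FAILURE_THRESHOLD:
            self.locked_until = now + LOCKOUT_SECS
            self.failures.clear()
            return "locked"
        return "invalid"

    def change_password(self, new_password):
        """Enforce minimum length and the last-four history; return True on success."""
        if len(new_password) < MIN_LENGTH:
            return False
        if any(verify_password(new_password, salt, digest) for salt, digest in self.history):
            return False
        self.current = hash_password(new_password)
        self.history.append(self.current)  # deque drops the oldest entry beyond HISTORY_DEPTH
        return True


if __name__ == "__main__":
    # Constructed walk-through: four bad guesses in a row lock the account.
    acct = Account("jdoe", "correct horse battery staple")
    for guess in ("a", "b", "c", "d"):
        print(guess, "->", acct.login(guess))
    print("valid password while locked ->", acct.login("correct horse battery staple"))
    print("reuse of current password rejected ->", acct.change_password("correct horse battery staple"))
```

Two design points worth noting: the failure timestamps are pruned before each count so the fifteen-minute window slides rather than resetting, and the history check compares against stored hashes with `verify_password`, so the service never needs to keep old passwords in recoverable form.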

To learn more about this policy or the supporting procedures, please contact Information Technology.

Policy updated on: Nov. 1, 2021