Lake Forest College

ITS Policies & Procedures

Password Policy

Policy #: LFC.ITS.10
Date: 11/14/2023
Author: LFC ITS
Version: 2.1
Status: Approved

OVERVIEW

Lake Forest College Information Technology Services (ITS) is charged with maintaining a robust and secure computing and network infrastructure in support of the College’s academic mission. An important part of maintaining a safe and reliable environment is ensuring that all who have named account access to College resources follow basic security best practices, including changing passwords on a regular basis. This policy outlines the frequency and minimum requirements for those password rotations.
Furthermore, it is important that all account holders view their account passwords as keys granting them named access to protected College computing resources, which contain sensitive data and are subject to mandates placed on the College by various regulatory acts (GLBA, FERPA, HIPAA, PIPA). As such, all activity on campus e-resources is governed by and subject to the Lake Forest College Acceptable Use of Electronic Resources Policy.

1. PURPOSE

The specific goals in publishing this Policy are to:
  • Establish a schedule for community members' password rotations;
  • Identify College requirements for acceptably complex passwords;
  • Detail how passwords should not be "reused" or "recycled";
  • Outline other expectations in regard to handling and protecting passwords.

2. SCOPE

This Policy applies to all members of the Lake Forest College community who use College systems, servers, Software-as-a-Service platforms, etc. (henceforth "e-resources") including faculty, staff, students, alumni, contracted and temporary workers, hired consultants, interns, student employees, as well as authorized guests who are extended access (henceforth "Users").

3. POLICIES

3.1 Password Rotation: All users must change their passwords no less than once every 365 days. Password expiration shall occur automatically for each individual user 365 days after their previous password change (if not proactively changed by the user in advance of that deadline). Passwords must also be rotated immediately whenever there is evidence of compromise (for example, unauthorized login attempts that result in MFA challenges, illustrating that the adversary knows the user's password).
3.2 Password Sharing Prohibited: Under no circumstances should users share their password(s) to College e-resources with others. If ITS has any reason to believe an individual’s password has been exposed to a person outside of ITS for any reason, ITS staff must require the user to change that password immediately.
3.3 Password Recycling Prohibited: Under no circumstances should users reuse their Lake Forest College password(s) with other websites, applications, or services, even if said sites, applications, or services are contracted by or used in relation to a user's role with the College. All passwords must be sufficiently long, strong, and unique to ensure the security of College e-resources.
3.4 Password Requirements: All Lake Forest College passwords:
  • Must be a minimum of 12 characters in length. A length of 15 or more characters is strongly recommended.
  • Must contain at least one character from three of the following four categories:
    • Uppercase letters (A-Z)
    • Lowercase letters (a-z)
    • Numbers (0-9)
    • Non-alphanumeric characters (!@#$%^&[]{}_+-*/=\|`~:;,<>./?)
  • Must be at least three days old before being eligible for another rotation.
  • Must not be the same as any of the user's previous ten passwords.
  • Must not contain three or more consecutive characters from the user's User ID (username).

4. ADDITIONAL GUIDANCE

4.1 Users are encouraged to adopt passphrases: Passphrases primarily differ from passwords in their length, as passphrases often start at 20-24 characters. Being this long makes brute-force attempts to calculate them impossible with computing systems expected to be available for the next decade or more. Additionally, they are easier to remember than sufficiently complex and random passwords. A passphrase might be as simple as four random dictionary words (such as "Correct Horse Battery Staple") but is strengthened by:
  • Continuing to add capitalization (ideally a random letter somewhere, not the initial character)
  • Continuing to include numbers and symbols
  • Purposefully misspelling one of the words
Example passphrases might be:
  • ranWAY2much,kneesACHE
  • thoze_mice8ALLmyBrie
  • DyeHair#PERPLE_2sday
4.2 Password Reset Link: Users may change their passwords at https://lakeforest.edu/password.
4.3 Obtaining Assistance: Any questions regarding the password policy or password maintenance should be directed to the ITS Service Desk at extension 5544 or via email at servicedesk@lakeforest.edu.

RELATED POLICIES:

Document Control:

Entry#  Date        Version  Notes
1       2014        1.0      Original policy, approved by LITS Advisory Committee
2       11/21/2022  2.0      Rewritten. Reviewed by LITS Advisory Committee
3       11/14/2023  2.1      Updated, submitted for review
4       12/07/2023  2.1      Reviewed and approved by LITS Advisory Committee
5       01/11/2024  2.1      Reviewed and approved by the Senior Leadership Team