Password Policy
This policy establishes a standard for creation of strong passwords, the protection of those passwords and the frequency of change.
-
1.0 Overview
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords and the frequency of change. Passwords are the most frequently utilized form of authentication for accessing a computing resource. Due to the use of weak passwords, the proliferation of automated password-cracking programs, and the activity of malicious hackers and spammers, they are very often also the weakest link in securing data.
A poorly chosen password may result in unauthorized access and/or exploitation of Champlain College resources, possibly including the confidential data of students, alumni, applicants, faculty and staff. All users, including contractors and vendors, with access to Champlain College systems are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
-
2.0 Scope
This policy applies to all users of computing resources owned or managed by Champlain College. Computing resources include all licensed or managed hardware and software (including telephone equipment) owned by the College, and use of the College network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.
Specific users bound by this policy include:
- Champlain College students, including undergraduate, graduate and online students and alumni
- Faculty, including full-time, part-time and retired faculty members
- Staff, including full-time, part-time and temporary workers
- Guests
- AhMembers of 3rd-party organizations given access to Champlain systems, such as vendors, contractors or consultants
-
3.0 Password Policy
All passwords for Champlain College systems and applications (e.g., email, web, desktop computer, etc.) should be strong passwords and follow the standards listed below. In general, a password’s strength will increase with length, complexity and frequency of changes.
Use of multi-factor authentication is strongly encouraged when available (such as with Google Mail) and may be required when accessing high-risk systems, such as those containing restricted or confidential information.
3.1 Password Creation
All passwords must meet the following minimum standards, except where technically infeasible. Longer passwords are inherently more secure because it takes hackers longer to guess them when employing a brute force method. So make your password longer and some of the complexity requirements can be reduced. This has the added bonus of making it easier to type your password on a mobile device.
Number of characters Requirement 8 – 11 Requires mixed case letters, numbers and symbols 12 – 15 Requires mixed case letters and numbers 16 – 19 Requires mixed case letters 20+ Any characters you like! Here are a couple of suggestions for making long passwords:
- Select four or more random words to make a 20+ character password:
- horror earth leap natural (25 characters including spaces)
- Transform a memorable phrase such as “What would an ideal College look like? A lot like this!” into a password such as this: “WwaiClL?AlLt!”
- Please don’t use these suggestions for your password!
- To help prevent identity theft, personal or fiscally useful information such as Social Security or credit card numbers must never be used as a user ID or a password.
3.2 Password Management
- All passwords are to be treated as Confidential information as defined in Champlain College’s Data Classification Policy (to be released in 2018) and should therefore never be written down or stored electronically unless properly encrypted.
- Only use the “Remember Password” feature of a software application, if you are assured that the feature stores your credentials in a secure, encrypted fashion. Modern web browsers offer minimal password managers that encrypt your password with your sign-in credentials. For this reason, you are strongly advised to never store your password if you are on a public kiosk, unencrypted smartphone, unencrypted laptop or public lab computer.
- Unencrypted passwords should never be inserted into email messages or other forms of electronic communication. Communicate passwords to people verbally over the phone or in person.
- Do not use your Champlain College password for any other systems external to Champlain (e.g., 3rd-party vendor sites, personal Web accounts, etc.). Should those systems become compromised, someone could use those credentials to access your Champlain account.
- It is recommended that passwords be changed at least every 12 months, unless a shorter change interval is mandated (such as computers subject to the PCI Data Security Standard (those that take credit cards), which require passwords to be changed every 90 days).
- Individual passwords must not be shared with anyone, including administrative assistants, IS personnel or family members. Necessary exceptions may be allowed with the written consent of the Chief Information Officer (CIO). The CIO will review the request and, if in agreement, then request approval from either the President or the Provost of the College. Examples of such exceptions are as follows:
- Employees on short-term or extended leave that require contact with faculty, staff, students, etc., via network services and have limited to no access to those services. Upon return, the password should be changed so that only the primary account holder has access to the account.
- Job positions that oversee critical monitoring services (for example, water monitoring, physical security workstations, heating/cooling systems, etc.)
- The use of shared accounts should be avoided whenever possible.
- Shared passwords used to protect network devices, shared folders or files require a designated individual to be responsible for the maintenance of those passwords, and that person ensures that only appropriately authorized employees have access to the passwords.
- Any user suspecting that their password may have been compromised must immediately change the password and report the incident to the Champ Support Help Desk.
- Bypassing password security to access a Champlain College system is strictly forbidden.
- Champlain College may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the password owner will be notified and be required to change it immediately.
- Password cracking or guessing by unauthorized users is strictly forbidden, except on lab systems used for classes that explicitly teach password cracking.
3.3 Changing your Password
To change your password, use your web browser to go to welcome.champlain.edu.
- Select four or more random words to make a 20+ character password:
-
4.0 Violations
Any individual found to be in violation of this policy shall be subject to appropriate disciplinary action, up to and including termination of employment or expulsion from enrollment at the College. Individuals are also subject to federal, state and local laws governing many interactions that occur on the Internet. These policies and laws are subject to change as state and federal laws develop and change.