ACCOUNT PASSWORD & SECURITY POLICY

The security of Smith College user accounts has become critically important with the increasing growth of on-line information, services and resources that rely on centrally issued accounts for authentication and authorization.  It is the responsibility of both the institution and the individual user to safeguard the security and integrity of each person's identity, and guard against unauthorized access and use of their account.  

The password for an individual's account is the sole key for protecting that account.  It proves their identity, authorizes them to access and control important personal and institutional information, grants rights to licensed resources, and allows others to trust the identity of the person linked to their assigned user account.   Therefore, the strength and privacy of that password is of paramount importance.

This policy specifies certain minimum components for a strong password, and requirements for maintaining the privacy of a user account password.  As part of this policy, ITS will create and maintain information for users on recommendations and resources for password strength and management best practices.

Password Composition

The following password security parameters will be implemented as baseline requirements for Smith’s primary user authentication system. 

Password parameter details:

• Password expiration: none, but periodic user-initiated password changes are strongly recommended
  
  
• Password history: none (password re-use is permitted)
  
  
• Minimum password length: 14 characters, any combination of alphabetic, numeric, and/or special
  
  
• Maximum password length: 64 characters
  
  
• Consecutively repeating characters: any number permitted
  
  
• Lower and upper case characters: any combination permitted
  
  
• Numeric digits: none required
  
  
• Special characters: none required; any character that can be entered using a standard English QWERTY keyboard, with or without the Shift key, permitted
  
  
• Exclusions: May not include the username, first name, or last name of the account owner
  
  
• Failed login attempts: Account lockout after 6 failed login attempts
  
  
• Failed login lockout: Block further login attempts for 5 minutes

Recommendation: Although not expressly prohibited in this policy, the following characters may cause problems for some Banner services; users are urged to avoid these characters when creating a strong password:

           @  &  "  (  )  ,  <  >  `  ;  = 

Password Management

• Documented passwords must be stored securely (encrypted or in a locked container)
  
  
• Never share your password with anyone!

Unauthorized Use

Any unauthorized acquisition or use of identity authentication or authorization credentials is specifically prohibited.  Failure to comply could result in judicial board review for students, or reprimand or possible termination for employees.

Exceptions to this Policy

This policy applies to general individual user accounts only.  Non-standard accounts, such as temporary conference guest accounts or special group accounts for a department or class, may have password parameter settings that differ from this policy, as best fit the particular needs of these accounts. 

Select individual accounts such as administrative users who have access to classified information may be required to implement stricter password requirements than those specified in this policy.

Approved by the TSC, November 2012

Back to top>