6.05 AUTHENTICATION AND PASSWORDS

Effective: August 15, 2024

Purpose: A user ID and password is a key granting access to various systems and applications and the information assets they protect. As the University is committed to protecting the confidentiality, integrity, and availability of the information it owns or controls, passwords must be created and protected in a manner that minimizes the likelihood of unauthorized access to such assets.

Scope: The policy applies to any person granted access to a University information asset that requires authentication.

Responsible Office: Information Technology

Policy Statement: It is the responsibility of account holders:

  • To create a password for each application whose password is not centrally managed by the University,
  • To not share passwords or other factors,
  • To protect passwords and other factors from unauthorized use,
  • To change passwords at intervals specified by the policy or as required by the application, and
  • To immediately notify the IT Help Desk if they believe their password or other factor has been compromised.

It is the responsibility of System Administrators to keep the system administrator password secure, yet available in case of emergency. IT System Administrators will refer to the System Password Procedures for systems managed by IT.

The Information Security Officer (ISO) is responsible for monitoring and reporting compliance with this policy.

Authentication into University information assets by any person will require, in addition to the user’s identification, passwords created by that person meeting the guidelines as determined by Information Technology procedures.

Some information technology systems may require authenticated accounts to perform certain functions. The passwords created for these accounts shall have the same password requirements except that the password may not have a lifespan that exceeds 365 days.

Default account or device passwords that are included in many applications and internet-connected devices must be changed immediately upon first use, as many default passwords are published and readily available to malicious actors.

In addition to passwords, University information systems may require a second factor prior to granting access. This may be a text message, a phone call, a smartphone application push notification, or a hardware token or security key. These factors are intended to protect against a malicious actor obtaining a user’s password. These factors should also be protected and may require the user to enter a secondary code or confirm a notification.

The President or designee must approve any exceptions to this policy. Any exceptions must be documented and a copy maintained by the ISO.

Definitions: All words and phrases shall be interpreted utilizing their plain meanings unless otherwise defined in another University or Board of Regents policy or by statute or regulation.

Procedures: All procedures linked and related to the policies above shall have the full force and effect of policy if said procedures have first been properly approved by the University’s administrator in charge of Information Technology.

[Information Technology procedures - coming soon]

Related Policy Information: [coming soon]

History and Revisions

Adoption Date:
04/06/2007 [FSB 06025 passed by Faculty Senate on 04/03/2007, approved by President, and included in UPM as Policy 3J.09]
Revision Date:
10/13/2009 [SB 09007 passed by Faculty Senate 10/06/2009 and approved by President]
10/02/2013 [Policy updated]
04/17/2017 [FSB 16009 passed by Faculty Senate on 04/04/2017 and approved by President]
11/05/2019 [Policy updated by IS]
02/05/2020 [Policy approved by ISAC and removed from Faculty Senate on 02/18/2020]
11/19/2020 [Policy revised and approved by ISAC]
10/14/2021 [Policy revised and approved by ISAC]
08/15/2024 [Policy format revised as part of UPM Revision]