Title: Password Policy
Effective Date: November 2019
Issuing Authority: Information Technology
Program Coordinator: Chief Information Officer, Libraries and IT
Last Updated: April 2019
Purpose of Policy
Account passwords are the first line of defense for St. Olaf College’s data and information systems. The purpose of this policy is to define password requirements for the College’s information system accounts to keep user and institutional data confidential and information technology systems secure.
Scope
This policy applies to all account passwords used to conduct College business.
Policy
Passwords should be difficult to manually guess and difficult to crack using automated methods. Password requirements should be defined in consideration of industry best practice.
Standard
Passwords will meet the following requirements:
- Passwords must be a minimum of 10 characters.
- Passwords cannot be reused.
- Passwords must pass an industry-standard strength checker.
Passwords will have no expiration. Passwords will only require changing if there is a reason to believe the password has been exposed or compromised.
All users must keep their account password confidential and not share it with others. Users should never log someone else in to their account or use another person’s username and password. Users are responsible for their passwords and will be held accountable for activities within their account and activities associated with their username and password.
Two-factor authentication will be required for all College user accounts.
Addendum
It is not possible to enforce these requirements in all cases (for example, cloud services with accounts that are not managed by College IT staff). In these cases, as much as possible, passwords should be a minimum of 10 characters, and the same password should not be used for multiple services.