NMU Password Policy

DIVISION:  Finance and Administration
UNIT:  Administrative Information Technology
APPROVED: 04/21/2010
APPLICABILITY:  Northern Michigan University students, faculty and staff

PURPOSE

The University is committed to providing a secure information technology environment and protecting the data of its students, faculty and staff.  The purpose of this policy is to establish standards for creating and maintaining strong network and database passwords and the frequency for changing them.

The Information Technology department has taken steps to ensure the security of its systems by using authentication, encryption, and other generally accepted security standards.  To access secured systems, users are required to be authenticated, i.e., to supply a password that only they know, verifying that they are who they say they are.  Encryption is done to prevent password sniffing, the practice of capturing someone’s password as they are logging into a system.  At NMU, passwords are encrypted as they travel across the network and when they are stored in a file.  As a further means of protecting data, passwords must be of sufficient complexity and length to prevent password cracking: methods hackers use to gain access to a network or system, often by using software or knowledge of passwords on outside systems to guess passwords.

POLICY:

Passwords are used to access systems at Northern Michigan University including My.NMU, email and the university’s main administrative system, Banner.   All users of University network and database systems have a responsibility to comply with policy, guidelines, and ethical standards.  Users must never give or share their password with others.  Users must also understand that the IT department will never request password information over the telephone, by e-mail or in person.  In addition, no NMU employee, faculty, staff or student should request any other person’s password by telephone, e-mail or in person. 

When creating or changing a network or database password the following rules will be enforced to ensure the proper level of password security: 

  • Password length:
    • Passwords must be a minimum of eight characters in length but could be up to 16 characters.
  • Password composition:
    • Passwords must contain a mixture of at least one number, one special character and letters.   
    • The first character of the password must be a letter of the alphabet.
    • Special characters are defined as:  ~!%^*_+-{}|[]\:?./
    • Spaces are not allowed in the password.
    • Password characters can be either upper or lower case.
  • Password aging:
    • Passwords will be expired and required to be changed every 180 days.  Users will be notified that they will be required to change their password 15 days before the expiration date.   
  • Password reuse:
    • Passwords cannot be reused for two years.  Password history will be kept so this rule can be enforced.
  • University versus personal passwords:
    • Passwords for University systems should be different from the passwords used for other internal systems, such as a departmental server, and for outside systems, such as bank, credit card, or other personal-use accounts.

REFERENCES

INITIATING DEPARTMENT: Administrative Information Technology,  (906) 227-2410

Approved by the NMU President’s Council
April 21, 2010