Administration and Finance
Information Technology Services
Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 / firstname.lastname@example.org
Friday, April 30, 2010
Monday, February 17, 2020
The purpose of this policy is to establish a standard for the creation/reset of strong passwords, the protection of those passwords, and the frequency of change. The scope of this policy includes all SF State staff, faculty, student employees and community members (including but not limited to auxiliary personnel and emeritus).
Purpose & Scope
Passwords are an important aspect of computer systems security. They are typically the first line of protection for user accounts. A poorly chosen password may result in a serious breach in network and systems security resulting in loss or exposure of SF State Confidential Data and system compromise.
The purpose of this policy is to establish a standard for the creation/reset of strong passwords, the protection of those passwords, and the frequency of change. The scope of this policy includes all SF State staff, faculty, student employees and community members (including but not limited to auxillary personel and emeritus).
Policy & Appropriate Use
Individual Account Passwords
- SF State authentication credentials must not be shared or disclosed to another person.
- All SF State employees, student employees and community member passwords must be reset after a maximum of 180 days, unless access to the system/data is protected with two-factor authentication (2FA). Users that have been enrolled in campus 2FA, or another approved multi-factor authentication process, must reset their passwords after a maximum of 365 days.
- Account passwords should not be included in email messages or other forms of electronic communication unless encrypted.
- Temporary and one-time passwords must meet complexity rules and not be predictable.
- All passwords are Level 1 data and must be handled in accordance with the Confidential Data Policy.
Users must immediately report any incident or suspected compromised password. Information on type of security incidents and where to report can be found at Reporting a Security Incident or Vulnerability page.
Guest Account Passwords
- May only be used for pre-approved low-risk activities.
- May be emailed.
- Must expire within 7 days.
- May only be used by the intended participants/users.
Privileged Account Passwords
- Privileged account passwords must be different from non-privileged account passwords held by that user.
- All privileged account passwords are categorized as Level 1 data and must be handled in accordance with the Confidential Data Policy.
Default Account Passwords
- Default passwords delivered from vendors must be changed before being deployed or upon initial access to the system (e.g. the first time the user logs in).
SF State Password Standards
- Must be a minimum of twelve characters.
- Must not contain the first name, last name, or account name.
- Must not be the same as the last 24 passwords used.
- Must contain three of the five categories:
- Upper case characters
- Lower case characters
- Special characters
- Non English characters
Password Protection Standards
- Do not use the same password for SF State accounts as for non-SF State accounts (e.g., personal email, banking, insurance, etc.).
- Do not store passwords electronically unless encrypted. Passwords recorded on paper must be physically secured.
- Computers should automatically lock after a maximum of 15 minutes of inactivity and require a password to unlock.
- Privileged accounts should never be used on public machines.
Responsibility for implementing this Practice Directive will rest with Information Technology Services (ITS) and Information Technology (IT) departments across campus. Submit any apparent violation of Password Policy to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to email@example.com.
Noncompliance with applicable policies and/or practices may result in suspension of network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.