Policy 7002 — Password Policy and Procedures | Mount Allison

Policy section:
Section 7000-7099 Computing Services
Policy number:
Password Policy and Procedures
Approved By:
Approved date:
April 14, 2000
Effective date:
April 14, 2000
February 1, 2017
Administered by:
Director of Computing Services

1. Purpose

The purpose of this policy is to protect data on University computer and information-storage systems by ensuring the creation and protection of strong passwords.

2. Scope

This policy applies to all individuals using any University computer system or other data storage device used to store or process university information.

3. Authority for Password Requirements

Password requirements will be set to ensure a balance between complexity and usability. The Director of Computing Services is responsible for recommending password requirements, and the Vice-President, Finance and Administration, is responsible for approving them.

4. Password Requirements

Passwords must have a minimum length of 14 characters.

5. Password Requirement Guidelines

Individuals are responsible for creating their own passwords that are compliant with the requirements set out in section 4.
The following is a guide for creating passwords:

  • a. Include characters other than lowercase letters, such as uppercase letters, digits, and punctuation, in a password. These improve the security of a password if they are not used in a predictable pattern.
  • b. Do not use a word modified slightly with a single number added at the end or with well-known substitutions such as a zero used in place of the letter 'O'. These are easily predictable patterns.
  • c. Do not use the same password for University systems as is used for personal accounts or other organizations.
  • d. Do not use words that appear in a dictionary.
  • e. Do not include your name, the names of family members or pets, or other easily obtainable personal information in a password.
  • f. Do not use a word spelled backwards.
  • g. Do not use a combination of characters that someone watching could easily recognize as the password is entered.
  • h. When changing passwords, the new password should be different from the old one.

6. Password Protection

  • Passwords must not be recorded on paper or online.
  • Passwords must not be recorded in a visible location in a workspace (e.g. a sticky note attached to a monitor or keyboard).
  • Passwords must not be shared with anyone.
  • Passwords must not be sent by e-mail.

7. Other Considerations

Administrator passwords deserve additional attention. Administrator account access should only be granted to those requiring such access to perform their work.
Administrator accounts should not be shared.

8. Review

This policy and procedure shall be reviewed at least every three years and either amended or confirmed.