George Fox University | Offices and Services | Institutional Technology | Password Policy

Password Policy

Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of George Fox University's entire network. As such, all GFU employees (including contractors and vendors with access to GFU systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Purpose

This Policy describes the University's requirements for acceptable password selection and maintenance. Its purpose is to reduce overall risk to the institution by helping computer users reasonably avoid security and privacy risks that result from weak password choices and to encourage attention to password secrecy.

It is the responsibility of everyone to keep their passwords secret. Passwords are considered confidential information and shall not be shared or transferred to others.

Passwords should not be written down. Where it is considered necessary to store passwords off-line, passwords shall be protected by some other level of security (e.g., Physical Security mechanism such as a locked safe or cabinet). Do not use the "Remember Password" feature of applications (e.g., Internet Explorer, Eudora, Outlook, Netscape Messenger).

Where technically and operationally feasible, passwords shall not be electronically stored, cached, or transmitted in clear text.

Scope

This Policy applies to all users of GFU owned and maintained systems and GFU provided IT services and resources. This includes, but is not limited to, GFU faculty, staff, students, associates, business partners, and contractors.

Changing password frequency

Password change notification: Advance warnings of upcoming password expiration will be sent to the designated account holder via campus e-mail beginning 30 days prior to expiration, with repeated reminders several times thereafter until the expiration date. Any account holder may change his or her password at any time-it is not necessary to wait for expiration.

Password aging: A George Fox University computer user must change his or her password at least every 180 days. Attempts to login using an expired password will not succeed. After changing a password, a computer user should wait at least 30 minutes before changing his or her password again.

Reuse of old passwords: Reuse of any of the account's three prior passwords will not be permitted.

Strong Password Best Practices

To qualify the password must:

1. Be made up of at least seven characters
2. Not be a word found in the dictionary or be among passwords that are easy to guess, such as birthdays, names of pets, or easily identifiable words and phrases like 'gobruins' or 'bruinden'
3. Be difficult to guess
4. Include no less than three of the following character classes:
   • Lowercase letters (lowercase)
   • Uppercase letters (UPPERCASE)
   • Digits (0-9)
   • Special Characters (%, $, #, _)
   • Valid non-alphanumeric characters are , + - $ [ ] * & ^ / % { } | " ' ? < > _
     • Do not use the characters: \ @ # [space]

So "GeorgeFox" will not be accepted (only two of the four types present - no number or special character) but "G30rG3F0><" would be fine. Similarly, pretzel3 wouldn't work, but "Pr3tz3L" would.

How do I change my password?

Log into BruinData, then click on the 'change password' and follow the instructions. Some users will be required to create unique passwords for services. These options are automatically presented to the user when they change their password.

Download the Password Policy.