Section 1300: Information Technology

Effective: July, 2006
Revised: January 2020; March 2023
Reviewed: March 2023 
Review Date: March 2025
Responsible Party: Chief Information Officer

Overview

Passwords are a critical aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access.  A poorly chosen password may result in the compromise of Montana State University-Northern's systems, data or the entire campus network. Therefore, all MSU-Northern employees (including contractors and vendors with access to MSU-Northern systems) and students are required to use complex passwords and keep them secure.

A department and/or system administrator may implement a more restrictive policy on local systems where deemed appropriate or necessary for the security of electronic information resources. The Information Technology Services office can require a more restrictive policy in protection of confidential data.

Purpose

The purpose of this policy is to establish a standard for the creation of complex passwords, the frequency with which they must be changed, and to educate users about the protection of those passwords.

Scope

This policy applies to all individuals who have or are responsible for an account, or who have any form of access that supports or requires authentication on any system, that:

  • reside at any MSU-Northern facility,
  • have access to the MSU-Northern network; and/or,
  • store any non-public MSU-Northern information.

Policy

  • All MSU-Northern domain passwords must be changed at least every 180 days, unless the account uses multifactor authentication.
  • MSU-Northern passwords must not be inserted into email messages or other forms of electronic communication.
  • Do not share MSU-Northern passwords with anyone. You are responsible for safeguarding your passwords.
  • All passwords must conform to the standards described below.

Password Construction Standards

Complex passwords requirements:

  • Must be a minimum of 8 characters in length
  • Must contain characters from three of the following four categories:
    • Uppercase characters (A through Z)
    • Lowercase characters (a through z)
    • Digits (0 through 9)
    • Non-alphanumeric characters (e.g. !@#$%^&*()_+|~-=\'{}[]:";'<>?,./)

Password Protection Standards

All passwords are to be treated as sensitive, confidential MSU-Northern information. Therefore:

  • Do not use the same password for MSU-Northern accounts as for other non-Northern access (e.g. personal email accounts, social media, gaming, etc.).
  • Where possible, don't use the same password for various MSU-Northern access needs. For example, select one password for email/domain access and a separate password for Oracle access (ex: Banner ODBC reports).
  • Do not display or conceal a password in your workspace.
  • Do not use the "Remember Password" feature of applications or websites.
  • Do not store passwords in a file on any computer system (including mobile devices) without encryption.
  • If an account or password is suspected to have been compromised, report the incident to ITS and change all your passwords.

Enforcement

Student violations of this policy will be handled by the Dean of Students, while employee violations will be referred to the individual's supervisor, Dean or department head. Any employee found to have violated this policy may be subject to disciplinary action.