6.01 Password Policy

I. Purpose

The purpose of the Password Policy is to require the implementation of technical procedures to ensure that passwords used at Bradley University are as secure as possible.

II. Description

Each user of systems holding or using electronic personal or private information shall have a unique user name (a.k.a. BUnetID, login, user-id, and account name) to enable the identification and tracking of user access. Users must not share their passwords with others. Group logins shall not be used.

The addition, deletion, and modification of BUnetIDs, credentials, and other identifier objects shall be controlled.

Password Management

User identity shall be verified before performing password resets. The Account Validation Procedure (6.02.01) describes how user identity will be verified.

Passwords must be changed at an appropriate frequency to comply with audit requirements, regulatory requirements, and security best practices. The Password Complexity and Change Frequency Procedure (6.01.01) describes this requirement.

Passwords must not be stored in plain text. Passwords should not be written down and should not be shared with other individuals.

Account Lockout

Repeated access attempts will lock out the user ID. The definition of ‘repeated access attempts’ will vary depending on the time between attempts and other adverse activity on the net.

III. Scope

This policy applies to all Bradley University computer and network users.

Exceptions require CIO approval.

