D. Password Policy

1.   Purpose

The purpose of this policy is to establish the requirements for the proper construction, usage, handling, and maintenance of all passwords at all University System of New Hampshire (USNH) institutions. Passwords must be of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value. These requirements ensure the consistent application of the security controls necessary to safeguard the information and information technology resources of USNH and its component institutions. USNH aligns this policy with cybersecurity best practices from organizations such as the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).

2.   Scope

This policy applies to all passwords used to authenticate to USNH information technology (IT) resources or to any IT system that stores USNH data.

3.   Audience

All USNH community members - including students, faculty, staff, vendors, and external organizations with access to USNH systems - are responsible for understanding and complying with this policy.

4.   Policy Statement

4.1   Password Change Frequency

4.1.1   All passwords associated with USNH accounts shall be forced to change when there is sufficient evidence of compromise or of non-conformity with this policy.

4.1.2   USNH community members shall be notified when their password must be changed.

4.1.3   USNH community members with expired passwords shall be restricted from accessing USNH information technology resources.

4.1.4   Administrator account passwords shall be changed at least every 365 days.

4.1.5   Passwords for accounts used to process payment cards shall be changed at least every 90 days.

4.2   Password Construction

4.2.1   Passwords shall:

  • Be at least 15 characters long. Systems shall accept passwords of at least 64 characters, and longer where the system supports it.
  • Be permitted to contain any printable ASCII character, spaces, and Unicode characters.
  • Be sufficiently different from previously used passwords and from commonly known passwords.
  • Be unique per account.
  • Be unique to USNH use (not reused from non-USNH accounts).

4.2.2   Passwords shall NOT:

  • Contain a user's first name, last name, preferred name, username, or USNH ID.
  • Include common number or character sequences of four or more (e.g., "1234" or "abcd").
  • Contain the same character repeated four or more times (e.g., "aaaa" or "1111").
  • Be reused from previous passwords.
  • Be on a known list of compromised or weak passwords.
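As an added reference implementation (not part of the USNH policy text), the following Python checker applies the 4.2.1 and 4.2.2 construction rules to a candidate password and returns every rule it violates rather than stopping at the first. It goes slightly beyond the policy's examples: "common sequences" are taken to include ascending and descending code-point runs and adjacent keys from a keyboard row, and "sufficiently different from previously used passwords" is judged with a similarity ratio. The keyboard rows, the 0.8 similarity threshold, the `KNOWN_BAD` set, and the sample user are constructed assumptions; a production verifier would replace the set literal with a lookup against a breach corpus.

```python
"""Reference checker for the password construction rules in 4.2.1 and 4.2.2.

Added example, not part of the policy. The breached-password set, the keyboard
rows, the similarity threshold and the sample user are constructed placeholders;
a real verifier would consult a breach corpus (an offline dump or a k-anonymity
range lookup) instead of a set literal.
"""
import difflib
import unicodedata
from dataclasses import dataclass, field

MIN_LENGTH = 15         # 4.2.1: at least 15 characters
MAX_LENGTH = 64         # 4.2.1: verifiers must accept at least 64; raise if the backend allows more
RUN_LENGTH = 4          # 4.2.2: sequences or repeats of four or more
SIMILARITY_LIMIT = 0.8  # assumed threshold for "sufficiently different" from prior passwords

# Constructed stand-in for a known compromised/weak list (4.2.2, last bullet).
KNOWN_BAD = {"password123456!", "correct horse battery staple", "letmeinletmeinletmein"}

# Constructed keyboard rows, treated as "common sequences" alongside
# ascending/descending code-point runs (an assumption, not stated in the policy).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


@dataclass
class UserContext:
    first_name: str
    last_name: str
    preferred_name: str
    username: str
    user_id: str
    previous_passwords: list = field(default_factory=list)


def _fold(s: str) -> str:
    # NFKC so visually identical Unicode forms compare equal; casefold for
    # case-insensitive matching of identifiers and prior passwords.
    return unicodedata.normalize("NFKC", s).casefold()


def _has_monotonic_run(pw: str, n: int) -> bool:
    # n or more characters whose code points step by exactly +1 or -1 ("1234", "dcba").
    for i in range(len(pw) - n + 1):
        cps = [ord(c) for c in pw[i:i + n]]
        if {b - a for a, b in zip(cps, cps[1:])} in ({1}, {-1}):
            return True
    return False


def _has_keyboard_run(pw: str, n: int) -> bool:
    # n adjacent keys from one row, in either direction ("qwer", "rewq").
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            frag = row[i:i + n]
            if frag in low or frag[::-1] in low:
                return True
    return False


def _has_repeat_run(pw: str, n: int) -> bool:
    # The same character n or more times consecutively ("aaaa", "1111").
    streak = 1
    for a, b in zip(pw, pw[1:]):
        streak = streak + 1 if a == b else 1
        if streak >= n:
            return True
    return False


def check_password(candidate: str, ctx: UserContext) -> list:
    """Return the list of 4.2 violations; an empty list means the password is acceptable."""
    pw = unicodedata.normalize("NFKC", candidate)
    folded = pw.casefold()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than the {MAX_LENGTH} characters this system accepts")
    identifiers = (("first name", ctx.first_name), ("last name", ctx.last_name),
                   ("preferred name", ctx.preferred_name), ("username", ctx.username),
                   ("ID", ctx.user_id))
    for label, value in identifiers:
        if value and _fold(value) in folded:
            problems.append(f"contains the user's {label}")
    if _has_monotonic_run(pw, RUN_LENGTH) or _has_keyboard_run(pw, RUN_LENGTH):
        problems.append("contains a common sequence of four or more characters")
    if _has_repeat_run(pw, RUN_LENGTH):
        problems.append("repeats one character four or more times")
    for old in ctx.previous_passwords:
        ratio = difflib.SequenceMatcher(None, folded, _fold(old)).ratio()
        if ratio == 1.0:
            problems.append("reuses a previous password")
        elif ratio >= SIMILARITY_LIMIT:
            problems.append("too similar to a previous password")
    if folded in {_fold(b) for b in KNOWN_BAD}:
        problems.append("appears on a known compromised or weak list")
    return problems
```

With a constructed user `UserContext("Jane", "Doe", "JD", "jdoe", "12345678", previous_passwords=["Winter2024Season!!!"])`, the passphrase `correct horse battery staple` passes every structural rule yet is rejected solely because it is on the known list, which is the point of the last 4.2.2 bullet: length and character mix do not rescue a password that is already public. Normalizing to NFKC before measuring length and comparing keeps the checker consistent with the Unicode allowance in 4.2.1. Comparing against prior passwords requires keeping them in a form that can be compared; doing so with plaintext, as this example does for brevity, conflicts with 4.3, so a deployment should instead compare against salted hashes for the exact-reuse test and drop the similarity test or confine it to the moment of change, when the old password is still in memory.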

4.3   Password Handling

4.3.1   Passwords shall:

  • Be treated as restricted information.
  • Not be written down or stored in clear text.
  • Not be shared with anyone, including administrative assistants or supervisors.
  • Not be shared in email, chat, or other unencrypted electronic communication.
  • Not be transmitted in clear text.
  • Not be spoken aloud.

4.3.2   Administrators of information technology resources who need to provide passwords to other administrators shall use secure communication mechanisms.

4.3.3   USNH community members shall not use the "Remember Password" feature of web browsers to store USNH passwords.

4.3.4   Members of USNH Enterprise Technology & Services (ET&S) shall never ask users to provide their password for any USNH account.

4.3.5   Service, root, recovery, system, and equivalent account passwords shall be stored in an enterprise password vault.

4.4   Forgotten and Reset Passwords

4.4.1   Forgotten passwords shall be reset using USNH-approved processes.

4.4.2   Security questions or knowledge-based authentication (e.g., "What was your first pet’s name?") shall NOT be used for password resets.

4.4.3   Users unable to reset their password automatically shall verify their identity through USNH-approved methods.

4.5   Compromised Passwords

4.5.1   Users shall report suspected password compromises to the USNH Help Desk immediately.

4.5.2   If USNH detects a potential password compromise, account access shall be restricted and steps shall be taken to secure the account until identity verification and a password reset are completed.

4.5.3   Users with compromised passwords shall verify their identity before regaining access.

4.6   Rate Limiting

4.6.1   USNH shall implement controls to protect against online guessing attacks.

4.6.2   Consecutive failed authentication attempts on a single account shall be limited to a maximum of 100 before requiring additional verification or lockout.

4.6.3   Consecutive failed authentication attempts on accounts attributed to users and systems that process payment cards shall be limited to 10 before lockout.

5.   Enforcement

Failure to comply with this policy may result in disciplinary action in accordance with USNH student conduct policies, personnel policies, or vendor contracts. The USNH Chief Information Security Officer (CISO) or Chief Information Officer (CIO) may take necessary actions to mitigate security risks resulting from non-compliance.

6.   Exceptions

Exceptions to this policy must be formally requested and approved according to the USNH Cybersecurity Exception Standard.

7.   Roles and Responsibilities

  • Application Administrators: Ensure all application accounts comply with this policy.
  • Chief Information Officer (CIO) and Chief Information Security Officer (CISO): Enforce and review the policy annually.
  • Enterprise Technology & Services (ET&S):
    • Send password expiration notifications.
    • Reset invalid or compromised passwords per the USNH Password Management Standard.
    • Monitor USNH systems for signs of compromise.
    • Provide support for USNH community members' account and password-related questions.
  • USNH Community Members:
    • Comply with all password security requirements.
    • Maintain the confidentiality of USNH passwords.
    • Use unique passwords for every account.
    • Report cybersecurity events or incidents, such as a USNH password suddenly not working without having been changed by its owner.

8.   Definitions

Refer to the NIST Glossary at

For questions, additional training, or policy violation reports, contact USNH Cybersecurity Governance, Risk, & Compliance (GRC) via the Support Form.

For information on the adoption and effective dates of policies please see explanation on the OLPM Main Menu.