Password Usage and Management policy


This policy applies to everyone who uses University computing facilities. It is your responsibility to choose strong passwords and protect them.

Applicability

Scope

 

Purpose and Overview of Policy

The purpose of this policy is to explain the University’s approach to passwords and the requirements on users with respect to passwords.

Passwords are an important component for the protection of data and information systems within the University. They are the front line of defence for user accounts and the access those accounts provide to the University’s data and applications.

All users of University computing facilities are responsible for taking appropriate steps, as outlined below, to select and secure their passwords.  The University’s password policy and suggestions on picking passwords can be found at Annex B.

Secrecy and Sharing of Passwords

Individuals are personally responsible for maintaining the secrecy of their passwords and for controlling access to their user accounts through password security.

Passwords are not to be divulged by users to anyone. There is an exemption to this rule whereby the IT Assurance team can request passwords during an investigation. Failure to disclose the requested passwords may result in disciplinary action.

Where there is a need for several users to have access to common data and/or mail boxes, such as those working collaboratively (possibly via project accounts), access must be controlled in accordance with the Access Control and Account Management Policy. There is no need to share a password.  This also applies to individuals working with assistants.

Password Complexity and Choice

Password Complexity

Users are required to choose ‘strong passwords’. The strength of a password is a measure of how difficult it is to guess. Password complexity is a way of creating strong passwords; refer to Annex A for details.

When to change your Password

Changing your default password

When you are issued with a new password, either because you are a new user or it has been necessary to change your existing password, you must change the password when you next log in to the system. Some systems may force you to do this, but if not, it is your responsibility to make this change.

After an Incident

Passwords must be changed immediately on any occasion that a user believes that someone else may be aware of their password and on all occasions when a malpractice incident is discovered or suspected.

Password Aging

The majority of University systems do not force the regular changing of passwords.  However, it is recommended that user passwords are changed periodically.

Compliance Monitoring

Password cracking tools may be used by IT on a random or periodic basis to check compliance with this policy. Only individuals with written authority from the IT Assurance team may use any tool of this type.

Password Resets

Staff and students are recommended to use the relevant password reset service. This can be found on the IT webpages. All staff and students are required to register with the service and provide answers to security questions to reset their password. Passwords can also be reset, when requested to do so, in person by the IT service desk.

Help and Assistance

Students who forget their password may use the Forgot my Password link on a cluster machine in order to establish the details.  However, this will only be of use if they have not previously changed their initial password as the details of the new password will not be available.

Remember to update all of your devices (phones, laptops, tablets) with the new password.

Alternatively:

From any computer connected directly to the University network, press the Ctrl-Alt-Del keys together and choose the 'Change a password' option.

Your username is in the first field. Enter your old password, then your new password twice into the relevant fields.

Any questions regarding the use and management of passwords should be directed to the IT Service Desk or, in the first instance, the FAQ knowledge base article.

You will need to register with self service before you can use the Update my password facility.