Strong password standard
Wayne State University technology users are responsible for the security of their passwords. This responsibility is assigned in the university's policy on the Acceptable Use of Information Technology Resources.
Purpose
This Strong Password Standard describes the minimum requirements for acceptable password composition and maintenance by all technology users at Wayne State. Its purpose is to reduce overall risk to the institution by helping WSU individuals reasonably avoid security and privacy risks that result from weak password choices.
Scope
This Standard covers minimum requirements for passwords used on all enterprise-level systems at Wayne State University. Adherence to the Strong Password Standard is the responsibility of each individual.
Composition
Wayne State technology users must observe the following minimum requirements when selecting passwords.
- Password length: Minimum of eight characters.
- Password characters: The following characters are permitted to be used in passwords:
- a-z
- A-Z
- 0-9
- ! % * _ + ~ - [ ] { } # =
- Password complexity: Must include at least one character from each of the following classes:
- Lowercase letters
- Uppercase letters
- Numerals
- Password restrictions:
- Password cannot be found in common dictionaries and cannot be a well-known or predictable phrase.
- Password cannot resemble the AccessID, birth date, or the name of the individual.
- Password history: Passwords cannot be re-used.
- Permanent password: Passwords that are composed of 14 or more characters and meet the rest of the strong password standards will not expire. These stronger passwords will only have to be changed in the event that an account is attacked.
Maintenance
Passwords must be changed on a regular basis. Wayne State's Strong Password Standard calls for minimum password expiration cycles. If your AccessID password is 14 characters or longer, you won't need to change your password unless your account has been compromised.
- Faculty, staff, student assistants, and guests must change their password at least once every 180 days. This includes Group Accounts.
- Students and retirees must change their password at least once every 360 days.
- Passwords that are not changed within the limits noted above are expired, and the individual must change his or her password during the next login.
- The expiration cycle resets each time a password is successfully changed.
- An individual may change his or her password at any timeit is not necessary to wait for expiration.
- For AccessID passwords: Individuals will receive an advance warning via email of pending password expiration two weeks prior to and three days prior to expiration.
Protection
The integrity and secrecy of your password is a key element of your responsibility when using technology at Wayne State University. Treat your passwords as sensitive, confidential information.
- If someone demands to know your password, or if you suspect your password has been compromised, immediately report the incident to the Computing & Information Technology (C&IT) Help Desk.
To help you maintain the integrity and secrecy of your password, here are some tips to remember:
- Never share your password with anyone, including managers, co-workers, administrative assistants, system administrators, family members, friends, or employees of the C&IT Help Desk.
- Never reveal any passwords on questionnaires, via security forms, or in e-mails.
- Never talk about any of your passwords in front of others.
- Never hint at the format of any password (e.g., "my family name").
- Never write passwords down and store them near your computer.
- Never save passwords in web browsers or computer programs; instead, type them in each time you need them.
- Never walk away from your computer without logging out, locking the keyboard, or invoking a password-protected screensaver.