Strong Password Standard
Wayne State University technology users are responsible for the security of their passwords. This responsibility is assigned in the university's policy on the Acceptable Use of Information Technology Resources.
Purpose: This Strong Password Standard describes the minimum requirements for acceptable password composition and maintenance by all technology users at Wayne State. Its purpose is to reduce overall risk to the institution by helping WSU individuals reasonably avoid security and privacy risks that result from weak password choices.
Scope: This Standard covers minimum requirements for passwords used on all enterprise-level systems at Wayne State University. Adherence to the Strong Password Standard is the responsibility of each individual.
Composition: Wayne State technology users must observe the following minimum requirements when selecting passwords:
- Password length: Minimum of eight characters.
- Password complexity: Must include at least one character from each of the following classes:
- Lowercase letters
- Uppercase letters
- Password restrictions:
- Password cannot be found in common dictionaries and cannot be a well-known or predictable phrase.
- Password cannot resemble the AccessID, birth date, or the name of the individual.
- Password history: Passwords cannot be re-used.
- Permanent password: Passwords that are composed of 14 or more characters and meet the rest of the strong password standards will not expire. These stronger passwords will only have to be changed in the event that an account is attacked.
Maintenance: Passwords must be changed on a regular basis. Wayne State's Strong Password Standard calls for minimum password expiration cycles:
- Faculty, staff, student assistants, and guests must change their password at least once every 180 days. This includes Group Accounts.
- Students and retirees must change their password at least once every 360 days.
- Passwords that are not changed within the limits noted above are expired, and the individual must change his or her password during the next logon.
- The expiration cycle resets each time a password is successfully changed.
- An individual may change his or her password at any time—it is not necessary to wait for expiration.
- For AccessID passwords: Individuals will receive an advance warning via e-mail of pending password expiration 2 weeks prior to and 3 days prior to expiration.
Protection: The integrity and secrecy of your password is a key element of your responsibility when using technology at Wayne State University. Treat your passwords as sensitive, confidential information.
- If someone demands to know your password, or if you suspect your password has been compromised, immediately report the incident to the Computing & Information Technology (C&IT) Help Desk.
To help you maintain the integrity and secrecy of your password, here are some tips to remember:
- Never share your password with anyone, including managers, co-workers, administrative assistants, system administrators, family members, friends, or employees of the C&IT Help Desk.
- Never reveal any passwords on questionnaires, via security forms, or in e-mails.
- Never talk about any of your passwords in front of others.
- Never hint at the format of any password (e.g., "my family name").
- Never write passwords down and store them near your computer.
- Never save passwords in Web browsers or computer programs; instead, type it in each time you need it.
- Never walk away from your computer without logging out, locking the keyboard, or invoking a password-protected screensaver.
Effective Aug. 1, 2008 (Revised Dec. 1, 2010)