Purpose
The Domain User Passwords Information Technology Requirement (ITR) establishes rules for the creation of strong passwords, the protection and management of passwords, and password privacy. The implementation of these requirements will better safeguard the personal and confidential information of all individuals and organizations affiliated with, associated with, or employed by Anne Arundel Community College (AACC). Adhering to these rules strengthens the confidentiality, integrity and availability of electronic assets and supports the college’s comprehensive Information Security Program.
Scope
This requirement is applicable to all AACC domain users. This may include, but is not limited to, students, faculty and staff.
Requirement
1. Establishing a Strong Password
1.1. IT recommends using passphrases over single words for better security. Passphrases offer longer and more complex combinations of words, making authentication stronger. By using passphrases, users can protect their accounts and sensitive information more effectively from breaches and unauthorized access.
1.2. Passwords can be classified as weak or strong based on how difficult they are to guess and/or compute. AACC’s password information technology requirements have been chosen to offer a level of protection beyond that of simple or weak passwords, without being so complex that passwords need to be written down, which would cause additional risk.
1.3. AACC users must adhere to the following ‘strong password’ construction criteria:
1.3.1. Must be at least fourteen (14) characters in length.
1.3.2. Must contain at least 1 uppercase letter (A-Z).
1.3.3. Must contain at least 1 lowercase letter (a-z).
1.3.4. Must contain at least 1 number (0-9).
1.3.5. Must contain at least 1 nonalphanumeric character (for example: !, $, #, or %).
1.3.6. It is recommended that users change their password when a suspected compromise has occurred, or once every 365 days.
1.3.7. None of the previous 24 passwords can be reused.
1.4. Weak passwords embody some of the following characteristics and therefore may not be accepted:
1.4.1. Contains fewer than fourteen (14) characters.
1.4.2. Forms a word found in a dictionary (English or foreign) or is a common usage word such as:
• Names of family, pets, friends, co-workers, fantasy characters, etc.
• Computer terms and names, commands, sites, companies, hardware, software.
• Birthdays and other personal information such as addresses and phone numbers.
• Word or number patterns like aaabbb, xyz123, 123456.
1.4.3. Uses any of the words referenced above spelled backward.
1.4.4. Uses any of the above preceded or followed by a single numeric digit (e.g., secret1, 1secret).
2. User Responsibilities
2.1. Users are to maintain the confidentiality of their password(s) at all times.
2.2. Users should change their password(s) periodically.
2.3. Users should not write down their password(s).
2.4. Users should not divulge their password(s) to any other person.
2.5. Users should not transmit their password(s) by any electronic means.
2.6. Users should not reuse their password for any other account or system.
3. Use of multi-factor authentication (MFA) and single sign-on
3.1. Multi-factor authentication is required for faculty and staff and is recommended for students. Users may be required to enroll in MFA under the direction of the Division of Information and Instructional Technology (IIT). IIT will maintain an MFA exemption list.
3.2. Single Sign-On is recommended for all AACC systems. Exceptions must be approved by the vice president for Information and Instructional Technology.
Contingencies
None
Definitions
None
Review Process
This Information Technology Requirement will be reviewed every 48 months, or sooner if needed.
Guideline Title: Domain User Passwords Information Technology Requirement
Guideline Owner: Vice President for Information and Instructional Technology
Guideline Administrator: Director, Information Security
Contact Information: John Williams, [email protected]
Approval Date: March 6, 2024
Effective Date: July 1, 2024
History: N/A
Applies to: All AACC domain users
Related Policies: N/A
Related Procedures: N/A
Related Guidelines: N/A
Forms: N/A
Relevant Laws: N/A