Password Policy ed-pw-01

1.0 Purpose

To establish standards and guidelines for the creation of passwords, the protection of those passwords, and the frequency those passwords are changed. All College of Education employees are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Scope

This policy applies to all personnel who have or are responsible for an account (or any form of data communications access) on any system that resides at any College of Education facility.

All faculty, staff and students are bound by ITS policies regulating their Penn State Access Accounts. Penn State ITS policies can be viewed at

3.0 Policy

3.1 General

  • All system-level passwords must be changed every 90 days.
  • All user-level passwords must be changed every 120 days.
  • User accounts that have system-level privileges granted through group memberships or programs such as "sudo" under UNIX, or "Run As" under Windows must have a password different from passwords used with any other accounts held by that user.
  • Passwords must not be inserted into email messages or other forms of electronic communication.
  • Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. Where the devices support it, SNMPv3 with keyed-hash (HMAC) authentication must be used in place of community strings.
  • All user-level and system-level passwords must conform to the guidelines described below.
  • Distributed data users (for example, those who access AIS, IBIS, ISIS, ANGEL, etc.) are responsible for ensuring that their workstations have adequate security arrangements to protect data (such as power-on passwords, screen-saver locks, file passwords, etc.).

3.2.0 Guidelines

3.2.1 General Password Construction Guidelines

Passwords must be at least eight characters long and must contain characters from at least three of the following four classes:

  • upper case letters
  • lower case letters
  • numbers
  • symbols.

Best practice requires that a password not be a word in any language, slang, dialect or jargon, and not be based on personal information (such as the names of family members) or on word or number patterns. Passwords should never be written down or stored on-line. Aim for passwords that are easy to remember but hard to guess.
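The construction rules above can be enforced at the point where a password is set. The following is an added example written for this page, not College of Education or Penn State software: it encodes the length and character-class rules from section 3.2.1, and adds a dictionary check against a small word list constructed here as a stand-in for a full cracking wordlist. The leet-speak normalisation in that check is an assumption about how a cracker's mangling rules would be undone, not a rule the policy states.

```python
"""Added example for section 3.2.1: a checker for the construction rules.

Illustrative code written for this page, not College of Education or Penn
State software. The length and character-class rules are the ones stated in
the section; the dictionary check uses a small word list constructed here as
a stand-in for a full cracking wordlist, and its leet-speak normalisation is
an assumption about how a cracker's mangling rules would be undone.
"""
from __future__ import annotations

import string

MIN_LENGTH = 8      # "at least eight characters"
MIN_CLASSES = 3     # "at least three of the following"

# Constructed sample word list; a real deployment would load a full dictionary.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "nittany", "education"}

# Common substitutions that crackers undo ("P@ssw0rd" -> "password"); assumed mapping.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"})


def character_classes(password: str) -> set[str]:
    """Return the set of character classes present. Anything that is not an
    ASCII letter or digit (punctuation, space, non-ASCII) counts as a symbol."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def dictionary_hit(password: str) -> bool:
    """True if, after undoing common substitutions and dropping digits and
    symbols, the password still contains a dictionary word of five or more
    letters (shorter words give too many false positives)."""
    core = "".join(ch for ch in password.lower().translate(LEET) if ch.isalpha())
    return any(word in core for word in SAMPLE_DICTIONARY if len(word) >= 5)


def check_password(password: str) -> list[str]:
    """Return the list of rule violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"uses {len(classes)} of 4 character classes; need {MIN_CLASSES}")
    if dictionary_hit(password):
        problems.append("based on a dictionary word")
    return problems


def is_compliant(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ["Summer2024", "P@ssw0rd1", "tr0ub4dor&3", "abc123"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that "P@ssw0rd1" satisfies the length and all four character classes yet is rejected, because the substitutions it relies on are exactly the ones a cracking tool tries first; a checker that only counts classes would accept it.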

3.2.2 Password Protection Standards

Do not use the same password for College of Education accounts as for other, non-College of Education access (for example, a personal ISP account, option trading or benefits sites). Where possible, do not use the same password for different College of Education access needs either. For example, select one password for the Education systems and a separate password for lab systems.

Do not share College of Education passwords with anyone, including administrative assistants, co-workers, or family members. All passwords are to be treated as sensitive, confidential College of Education information.

If someone demands a password, refer them to this document or have them call the Education Technology Center or the University Security Department.

Do not use the "Remember Password" feature of applications (e.g., Eudora, Outlook, or browsers such as Firefox or Internet Explorer etc.).

If an account or password is suspected to have been compromised, report the incident to the Education Technology Center or the University Security Department.

Password cracking or guessing may be performed on a periodic or random basis by the University Security Department or the Education Technology Center. If a password is guessed or cracked during one of these scans, the user will be required to change it.

3.2.3 Application Development Standards

Internal application developers must ensure their programs include the following security precautions:

  • Authenticate individual users, not groups.
  • Do not store passwords in clear text or in any easily reversible form (simple encoding, or encryption with a key kept alongside the data); store only a salted, iterated one-way hash.
  • Provide role management, so that one user can take over another's functions without needing to know the other's password.
  • Support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.
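The "not clear text or easily reversible" requirement is the one developers most often get wrong, so here is an added example of what it means in code. This is illustrative code written for this page, not College of Education software: it derives a PBKDF2-HMAC-SHA256 hash with a random per-user salt using only the Python standard library, verifies in constant time, and flags records that need a stronger work factor. The record format, iteration count and function names are assumptions made here; the policy itself specifies none of them. The final function is a deliberate counter-example of the reversible storage the policy forbids.

```python
"""Added example for section 3.2.3: storing passwords in a non-reversible form.

Illustrative code written for this page, not College of Education software.
It derives a PBKDF2-HMAC-SHA256 hash with a random per-user salt, using only
the Python standard library. The stored record format, the iteration count
and the helper names are assumptions made here; the policy only requires that
the stored form not be clear text or easily reversible.
"""
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed default work factor; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "scheme$iterations$salt$digest" so the
    parameters can be changed later without breaking existing records."""
    salt = os.urandom(SALT_BYTES)                 # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iterations)
    except ValueError:
        return False                              # malformed record never verifies
    if scheme != SCHEME or iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record uses a weaker work factor than the current default
    (or is unreadable); call after a successful login and re-store the hash."""
    try:
        scheme, iterations, _salt, _digest = stored.split("$")
        return scheme != SCHEME or int(iterations) < ITERATIONS
    except ValueError:
        return True


def encode_reversibly(password: str) -> str:
    """Counter-example of an 'easily reversible form' the policy forbids:
    base64 is an encoding, not protection; base64.b64decode() recovers it."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    record = hash_password("Nittany-Lion!42")
    print(record)
    print(verify_password("Nittany-Lion!42", record), verify_password("wrong", record))
    print("reversible:", encode_reversibly("Nittany-Lion!42"))
```

Because the salt is random, two users with the same password get different records, and an attacker who obtains the database cannot use one precomputed table against every account. The iteration count stored in the record is what lets the application raise the work factor over time without forcing a mass reset.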

3.2.4 Use of Passwords and Passphrases for Remote Access Users

Remote access to College of Education networks must use encrypted traffic and must be authenticated with either a one-time password or a public/private key pair protected by a strong passphrase. (A VPN that authenticates clients with certificates or key pairs, rather than a reusable password, is an example of the latter.)

4.0 Enforcement

The employee understands that violations of computer policies may result in the immediate suspension of College of Education network privileges and the notification of his/her supervisor. Depending on the severity of the violation, the employee understands that s/he may also experience disciplinary action, termination of employment, or law enforcement intervention.

5.0 Definitions

Application Administration Account: Any account used to administer an application (e.g., Exchange Administrator, Domain Administrator).

LDAP (Lightweight Directory Access Protocol): An Internet standard protocol for accessing directory information.

VPN (Virtual Private Network): Provides an encrypted tunnel for transmitting data across an untrusted network.

6.0 Revision History