- All passwords shall be treated as sensitive, confidential information and shall not
be shared with anyone, including but not limited to administrative assistants, system
administrators and helpdesk personnel.
- Passwords shall not be stored in clear text. Cryptography shall be used to produce
the stored form of the password.
- Users shall not write passwords down or store them anywhere in their office or publicly.
Nor shall they store passwords in a file on ANY computer system (including Personal
Digital Assistants or similar devices) without encryption.
- All system-level passwords (e.g., root, enable, Windows admin, application administration
accounts, etc.) shall be changed every 90 days and all user-level passwords (e.g.,
email, web, desktop computer, etc.) shall be changed every 180 days. (Or, not to exceed
8 months if other documented and approved mitigating factors are in effect, such as
account lockout after a number of logon attempts.)
- User accounts that have system-level privileges granted through group memberships
or programs shall have a unique password from other accounts held by that user.
- Passwords shall not be inserted into email messages or other forms of electronic communication.
- If an account or password is suspected of being compromised, the incident must be
reported to the appropriate access administrator or in accordance with local incident
- Temporary or "first use" passwords (e.g., new accounts or guests) must be changed at the first logon by the authorized user, and must have a limited period of inactivity before the account is disabled.
- Passwords should be easy to remember, but difficult to guess. Users should not use
the "Remember Password" feature of applications. Users should not employ any automatic
- University of West Georgia information and information system users should refuse
all offers by software and/or Internet sites to automatically log them in the next time
that they access those resources.
- Where possible, users should not use the same password for different University of
West Georgia access needs. (For example, a user should select one password for the
development systems and a separate password for IT systems.) Also, a separate password
should be selected to be used for operating system accounts, unless a Single-Sign-On
system is used to control access to multiple systems.
- Users should not use the same password for University of West Georgia accounts as
for other non-UWG access (e.g., personal ISP account, option trading, benefits, etc.).
- Use caution when conducting random password audits via the use of automated tools.
Internal policies should exist strictly limiting the use and access of these tools
to authorized security administrators.