1. All passwords shall be treated as sensitive, confidential information and shall not be shared with anyone including but not limited to administrative assistants, system administrators and helpdesk personnel.

  2. Passwords shall not be stored in clear text. Cryptography shall be used to create the stored information.

  3. Users shall not write passwords down or store them anywhere in their office or publicly. Nor shall they store passwords in a file on ANY computer system (including Personal Digital Assistants or similar devices) without encryption.

  4. All system-level passwords (e.g., root, enable, Windows admin, application administration accounts, etc.) shall be changed every 90 days and all user-level passwords (e.g., email, web, desktop computer, etc.) shall be changed every 180 days. (Or, not to exceed 8 months if other documented and approved mitigating factors are in effect such as account lockout after a number of logon attempts.)

  5. User accounts that have system-level privileges granted through group memberships or programs shall have a unique password from other accounts held by that user.

  6. Passwords shall not be inserted into email messages or other forms of electronic communication unless encrypted.

  7. If an account or password is suspected of being compromised, the incident must be reported to the appropriate access administrator or in accordance with local incident response procedures.

  8. Temporary or “first use” passwords (e.g., new accounts or guests) must be changed upon the first logon, when the authorized user first accesses the system, and have a limited life of inactivity before being disabled.



  1. Passwords should be easy to remember, but difficult to guess. Users should not use the "Remember Password" feature of applications. Users should not employ any automatic log-in actions.

  2. University of West Georgia information and information system users should refuse all offers by software and/or Internet sites to automatically log in the next time that they access those resources.

  3. Where possible, users should not use the same password for different University of West Georgia access needs. (For example, a user should select one password for the development systems and a separate password for IT systems.) Also, a separate password should be selected to be used for operating system accounts, unless a Single-Sign-On system is used to control access to multiple systems.

  4. Users should not use the same password for University of West Georgia accounts as for other non-UWG access (e.g., personal ISP account, option trading, benefits, etc.).

  5. Use caution when conducting random password audits via the use of automated tools. Internal policies should exist strictly limiting use of and access to these tools to authorized security administrators.