6.01.01 Password Complexity and Change Frequency

I. Purpose

This procedure documents the password complexity and change frequency requirements, which follow industry standards and comply with regulations and audit requirements.

Policy Supported

6.01 Password Policy

II. Description

Valid passwords must be at least 8 characters long. Passwords will be checked against a list of known breached passwords (e.g., from the LinkedIn and Yahoo! breaches). If a password is in the breached list, it cannot be used. Recently used passwords cannot be reused. For guidance on choosing a secure password, see the Selecting Secure Passwords procedure (6.01.02). Do not use a tilde (~) in your password.

Passwords must be changed every 365 days, unless governed by a more restrictive requirement, such as PCI DSS, which requires passwords to be changed at least every 90 days.

All individuals will receive daily emails notifying them of the required password change beginning seven days in advance of the expiration date.

If the password is not changed before the expiration date, access to wireless, all Administrative computer information, and server space will be lost until the password is reset. The Account Validation procedure (6.02.01) is used to restore services.

III. Scope

This procedure applies to all Bradley University computer and network users.

Date Approved
6/6/2012
Dates Revised
5/6/2018
Dates Reviewed