Password Manager Standard
Provides a standard on password security through minimum complexity enforcement and secure storage using Dashlane, our University approved password manager. A password manager provides the ability to create complex and randomized passwords for all accounts while accessing those passwords securely and conveniently.
This standard sets forth password requirements for all University staff and faculty.
- All passwords used to access computing devices and University resources must meet their respective platforms' specific minimum password requirements and be traceable to individual users. Any suspected password compromise must be reported to the Office of Information Technology immediately.
- Dashlane is the only University approved password manager staff and faculty are allowed to store University account passwords. Passwords should not be stored in any location, such as Chrome, Safari, Firefox, Edge, sticky notes, email, notepad, text edit, or any other unencrypted platform.
- All University computers will be restricted to only saving passwords in Dashlane. Using Dashlane for personal accounts is available and highly encouraged.
- All staff and faculty should use Dashlane’s password generator to create unique passwords for all University accounts.
- The re-use of personal account passwords for business purposes is strongly discouraged.
Reminders will be sent to users and their supervisors to encourage progress using the University-approved password manager. Training documentation will be provided, with occasional training sessions throughout the year.
- Reason for this standard
Poor password security and practices remain among the most significant risks for data exposure due to a compromised account. Reusing passwords puts the University and individual at risk if an account is breached. Failing to protect data through complex passwords can expose sensitive information and impact critical University services. Adherence to this standard is essential to ensure information security at the University.
Any exceptions to this standard must be approved by the Chief Information Officer or the Chief Information Security Officer.