
Password Standard

  1. Purpose

    The purpose of this standard is to establish requirements for faculty, staff, students and other authorized users regarding passwords to protect individual and University information resources. Adherence to this standard will help ensure that the University network and information systems are secure and available to all authorized users.
  2. Scope

    The scope of this standard includes all faculty, staff, students and all authorized users who have or are responsible for an account on any system housing university information or that has access to the WSSU network. Each user and/or system administrator on the WSSU network is required to implement the password requirements listed in this document.
  3. Standard

    All University-affiliated passwords should meet the requirements described below, at a minimum:
    1. All passwords used must be strong passwords and must be constructed using the following:
      • minimum of eight (8) characters in length
      • contains at least one character from each of the following character classes:
        • Lowercase letters
        • Uppercase letters
        • Numerals
        • Special character from this list: ~ ! @ # $ % ^ & * _ - + = ` | \ ( ) { } [ ] : ; " ' < > , . ? /
    2. Passwords must not contain the user's entire account name or the entire displayed full name.
    3. Passwords must expire within an appropriate interval. Campus defaults include:
      • 180 days for Students
      • 90 days for Faculty, Staff and authorized users
    4. Password System Requirements
      • The system must enforce the use of individual user IDs and passwords to maintain accountability.
      • The system must allow users to select and change their own passwords and include a confirmation procedure to allow for input errors.
      • The system must not display passwords on the screen when being entered.
      • The system must store and transmit passwords in a protected form.
      • The system must not allow passwords to be re-used.
    5. Special Accounts

      For special accounts with elevated privileges (e.g., root, super user, system administrator), the same password standards are required along with the additional security measure of regular audits of these accounts.
    6. Two-Factor Authentication

      Two-factor authentication is required in the following situations:

      a) when an employee or student accesses University provided email systems;
      b) when an employee or individual working on behalf of the University (such as a student employee, contractor, or volunteer) logs on to a University network using an enterprise remote access gateway such as a virtual private network (VPN), virtual desktop infrastructure (VDI), Terminal Server, Remote Desktop Protocol (RDP), or similar services;
      c) when an individual described in b) who is working from a remote location uses an online function such as a web page to modify employee banking, tax, or financial information;
      d) when a server administrator or other individual working from a remote location uses administrator credentials to access a server; or
      e) when an individual described in b) utilizes a separate admin account to access university information resources or systems.