
Policies - Password Policy

In order to preserve the security of Information Resources and Data, Strong Passwords must be used to control access to Information Resources. All Passwords must be constructed, implemented, and maintained according to the requirements of the System Identity Management Member Operating Practices (MOP) and applicable Policies, Standards, and/or Procedures governing Password management.

Strong passwords shall be used to control access to the System's Information Resources. All account passwords associated with the System's Information Resources must be constructed, implemented, and maintained according to the following, as technology permits:

  • Vetting User identity when issuing or resetting a password;
  • Account passwords must comply with the following password strength requirements:
    • Account passwords associated only with Controlled or Published Data must:
      • Be at least 6 characters in length; and
      • Be minimally composed of case sensitive letters and digits.
    • Account passwords associated only with Controlled or Published Data must not:
      • Include personal information such as your name, phone number, identification number, date of birth, or addresses; or
      • Be composed of a single word found in a dictionary.
    • Account passwords associated with Confidential Data must:
      • Be at least 12 characters in length; and
      • Contain letters, numbers, and special characters (for example ! @ # $ % & * ( ) - + = < >).
    • Systems hosting Confidential Data must also be able to accommodate a reasonably long password length to support the use of longer passphrases.
    • Account passwords associated with Confidential Data must not:
      • Include personal information such as your name, phone number, social security number, date of birth, or addresses;
      • Be composed of a single word found in a dictionary;
      • Re-use any of the account's last 10 passwords;
      • Contain a series of the same character; or
      • Contain the user's account name.
  • All password change procedures must include the following:
    • Authentication of the user prior to changing the password (acceptable forms of authentication include answering a series of specific questions, showing one or more forms of photo ID, etc.).
    • The new password must comply with the password strength requirements associated with the data classification for the service in question.
    • System identity credentials (security tokens, security certificates, smartcards, and other access and identification devices) must be disabled or returned to the appropriate department or entity on demand or upon termination of the relationship with the System. Additional operating guidelines for ID cards are referenced in the System Identification Card Guidelines and the Data Encryption Guidelines.
  • Unattended computing devices must be secured from unauthorized access using a combination of physical and logical security controls commensurate with the associated risks. Physical security controls include barriers such as locked doors or security cables. Logical security controls include screen saver passwords and automatic session time-outs that are set to activate after 15 minutes of inactivity.
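The Confidential Data rules above can be enforced mechanically at password-change time. The following validator is an added example written for this page, not code published by the System or its Information Technology Services. It assumes a hypothetical Account record carrying the username, known personal information and a salted-hash history of previous passwords; it uses a small constructed wordlist in place of a real dictionary, and it interprets "a series of the same character" as three or more identical characters in a row.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample wordlist for the "single dictionary word" rule; a real
# deployment would load a full dictionary file here.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}

# Special characters taken from the policy's own example list.
SPECIAL = set("!@#$%&*()-+=<>")
MIN_LENGTH_CONFIDENTIAL = 12   # "at least 12 characters"
HISTORY_DEPTH = 10             # "the account's last 10 passwords"
PBKDF2_ROUNDS = 100_000

# Assumption: "a series of the same character" means three or more identical
# characters in a row (e.g. "aaa" or "!!!").
REPEAT_RUN = re.compile(r"(.)\1\1")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the reuse history never stores plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    """Hypothetical account record: login name, personal data the password
    must not contain, and the (salt, digest) history used for the reuse rule."""
    username: str
    personal_info: List[str] = field(default_factory=list)
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def was_used_recently(self, password: str) -> bool:
        # Re-derive with each stored salt and compare in constant time.
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                return True
        return False

    def record_password(self, password: str) -> None:
        self.history.append(hash_password(password))


def check_confidential_password(password: str, account: Account) -> List[str]:
    """Return the Confidential Data rules the candidate violates; an empty list
    means the password is acceptable under this policy."""
    problems: List[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH_CONFIDENTIAL:
        problems.append("length")

    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIAL for c in password)
    if not (has_letter and has_digit and has_special):
        problems.append("composition")

    # Personal information is matched case-insensitively as a substring.
    for item in account.personal_info:
        if item and item.lower() in lowered:
            problems.append("personal-info")
            break

    if lowered in DICTIONARY:
        problems.append("dictionary-word")
    if REPEAT_RUN.search(password):
        problems.append("repeated-character")
    if account.username and account.username.lower() in lowered:
        problems.append("account-name")
    if account.was_used_recently(password):
        problems.append("reuse")
    return problems


if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    acct = Account(username="jdoe", personal_info=["Jane", "Doe", "555-0100"])
    for candidate in ["Tr0ub4dor&3 correct", "password", "JDoe-2024!!!xyz"]:
        print(repr(candidate), "->", check_confidential_password(candidate, acct) or "ok")
```

Because the history holds only salted PBKDF2 digests, the reuse check can be kept on the authentication server without retaining any former password in recoverable form; the same check_confidential_password call belongs in the change procedure after the user has been authenticated, as the policy requires.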

For more information on creating secure “strong” passwords please see the Password Guidelines published by Information Technology Services.

policies/password_policy.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1
