925  Implementation of Secure Passwords

Approved by President
Effective Date: June 5, 2017
Responsible Division: Information Technology
Responsible Office:  Information Technology
Responsible Officer: 
Vice President for Information Technology

I. Purpose

This policy ensures the security and confidentiality of login passwords to Middle Tennessee State University’s (MTSU or University) information systems. A combination of a personal user login ID for identification and a unique password for authentication will be required of all users before they are allowed to access University networks and systems. Passwords will be used for authentication of access to all University network and systems, except where stronger authentication methods (such as biometric authentication or two-factor authentication) are deemed necessary. The effectiveness of passwords to protect access to the University’s information directly depends on strong construction and handling practices.

This policy provides clear guidance for the creation and maintenance of login passwords. 

II. Definitions

A.  User Account. A collection of data associated with a particular user of a multiuser computer system. Each account comprises a user name and password and defines security access levels for that user.

B.  Privileged Account. A user account that has been allocated security access levels within a multiuser computer system, which are significantly greater than those available to the majority of user accounts.

C.  Service Account. Accounts used for automated processes without user interaction; accounts used for device management.

III. Policy Development and Maintenance

This policy will be reviewed at least annually by the Chief Information Security Officer and suggestions for changes will be submitted to the Vice President for Information Technology and Chief Information Officer (CIO).

IV. Scope

This policy applies to all University students, faculty, staff, affiliates, third-party support contractors, and all others granted access to MTSU information assets.

V. Procedure for User Accounts

The Information Technology Division (ITD) Help Desk will assist users with the creation and maintenance of their user account logins. More information on passwords can be found on ITD's Passwords website.  

A.  Mandatory Requirements: Listed below are the mandatory requirements and guidelines that must be followed when selecting a password:

1.  Passwords must not be stored in a manner which allows unauthorized access.

2.  Passwords will not be stored in a clear text file.

3.  Passwords will not be sent via unencrypted e-mail.

4.  Users must change their passwords at least annually.

5.  Users with privileged accounts must change their passwords at least every ninety (90) days.

6.  Password construction must meet the requirements listed within the MTSU Password Change application.

B.  Passwords must be changed immediately if any of the following events occur:

1.  Unauthorized password discovery or usage by another person.

2.  System compromise (unauthorized access to a system or account).

3.  Insecure transmission of a password.

4.  Accidental disclosure of a password to an unauthorized person.

VI. Procedure for Service Accounts

The ITD Enterprise Server Services will assist users with the creation and maintenance of service accounts. Mandatory requirements:

A.  Service accounts are not required to expire but must meet the password construction requirements above.

B.  Vendor provided passwords (also known as default passwords) must be changed upon installation, using the password construction requirements above.

C.  If there is a status change of any personnel with knowledge of service accounts, those account passwords must be changed within twenty-four (24) hours after the status change.

Forms:  none.

Revisions: none.

References: none.