Password Standard

The ºÚÁÏÉçapp Campus Password Standard identifies requirements and provides guidance on establishing passwords for University computer systems.

Comments or feedback on this standard should be directed to The Office of the Chief Information Officer at (831) 582-4700.

Scope

This standard applies to all persons using ºÚÁÏÉçapp data or information systems.

Password standards

A password is private information and only the person assigned to a particular ºÚÁÏÉçapp username may use the associated password. Users are responsible for safeguarding passwords for their ºÚÁÏÉçapp username. Passwords must not be shared. Users should not share their password with anyone.

The following standards are to assist users with choosing secure passwords. Each individual application used to change passwords will screen for most of these guidelines as an aid in creating secure passwords. This does not relieve a person of responsibility for creating and protecting a secure password.

  • Make passwords significantly different from previous passwords.
  • Make passwords hard to guess. They should not be information that is easily obtainable about you.
  • Passwords should not include mother’s maiden name, Social Security number, telephone numbers, or birthday.
  • Your password cannot be the same as the username.
  • Don’t leave passwords where others can find them. Do not leave your password on a post-it note taped to your monitor.
  • Change passwords regularly.
  • Use as many characters as the system you are using allows when you create your password.

Password requirements

ºÚÁÏÉçapp has implemented updated ºÚÁÏÉçapp username password requirements based on the CSU System-Wide Information Security Standards. ºÚÁÏÉçapp systems have the following password requirements:

  • Passwords must be at least 10 characters long (at least 12 characters is recommended for level 1 sensitive data users).
  • Passwords must contain at least one uppercase alphabetic character (A-Z), at least one lowercase alphabetic character (a-z), and at least one number, and cannot contain part of your username.
  • Minimum password age is 6 days (you cannot change your password if it has been less than 6 days since you last changed it).
  • Maximum password age is 365 days (you must change your password if it has been more than 365 days since you last changed it).
  • You may not re-use any of your last 3 passwords.
  • Accounts are locked after 5 failed login attempts.

Passwords for newly activated usernames must be changed on first use. This way only the person assigned the username knows the password.
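
The requirements listed above can be checked together when a user changes a password. The following Python code is an added example, not part of this standard or of any campus system; the 3-character rule for "part of your username" and the salted PBKDF2 history store are assumptions, and account lockout and first-use change are not covered.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

MIN_LEN, HISTORY = 10, 3                       # values from the standard
MIN_AGE, MAX_AGE = timedelta(days=6), timedelta(days=365)
FRAGMENT = 3  # ASSUMPTION: "part of your username" = any 3+ character run

def _digest(password: str, salt: bytes) -> bytes:
    # ASSUMPTION: history is kept as salted PBKDF2 digests, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def history_entry(password: str) -> tuple[bytes, bytes]:
    """Build the (salt, digest) record stored for a password that was set."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def complexity_errors(password: str, username: str) -> list[str]:
    """Length, character-class and username checks; empty list means pass."""
    errors = []
    if len(password) < MIN_LEN:
        errors.append("shorter than 10 characters")
    if not any("A" <= c <= "Z" for c in password):
        errors.append("no uppercase letter")
    if not any("a" <= c <= "z" for c in password):
        errors.append("no lowercase letter")
    if not any("0" <= c <= "9" for c in password):
        errors.append("no number")
    user, pw = username.lower(), password.lower()
    n = min(FRAGMENT, len(user))               # short usernames match whole
    if n and any(user[i:i + n] in pw for i in range(len(user) - n + 1)):
        errors.append("contains part of the username")
    return errors

def change_errors(new_password, username, history, last_changed, now):
    """Full check for a change request. history: (salt, digest), oldest first."""
    errors = complexity_errors(new_password, username)
    if now - last_changed < MIN_AGE:
        errors.append("changed less than 6 days ago")
    recent = history[-HISTORY:]                # only the last 3 are barred
    if any(hmac.compare_digest(_digest(new_password, s), d) for s, d in recent):
        errors.append("matches one of the last 3 passwords")
    return errors

def must_change(last_changed: datetime, now: datetime) -> bool:
    """True once the password is older than the 365-day maximum age."""
    return now - last_changed > MAX_AGE
```
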

Roles and responsibilities

Each Information Technology department is responsible for ensuring that all ºÚÁÏÉçapp information technology resources adhere to the Campus Password Standard.

All ºÚÁÏÉçapp employees are responsible for adhering to the Campus Password Standard.

Revision control

This standard will be subject to revision in response to changes in technology, regulatory compliance, and/or ºÚÁÏÉçapp operational initiatives.

Last reviewed/updated

06/21/2019 by Chip Lenno, CIO/ISO