Password Policy

1. Overview

Assigning unique user logins and requiring password protection is one of the primary safeguards employed to restrict access to the Whitman College network and the data stored within it to only authorized users. If a password is compromised, access to information systems can be obtained by an unauthorized individual, either inadvertently or maliciously. Individuals with Whitman ID's are responsible for safeguarding against unauthorized access to their account, and as such, must conform to this policy in order to ensure passwords are kept confidential and are designed to be complex and difficult to breach. The parameters in this policy are designed to comply with legal and regulatory standards.

2. Scope

All individuals provided with userID's for accessing Whitman College information systems. All information systems used to create, store, or manage College data.

3. Policy

Individual Responsibility

Individuals are responsible for keeping passwords secure and confidential. As such, the following principles must be adhered to for creating and safeguarding passwords:

  • Whitman College passwords must be changed immediately upon issuance for the first-use. Initial passwords must be securely transmitted to the individual, either directly or via the individual's supervisor.
  • College passwords must never be shared with another individual for any reason or in any manner not consistent with this policy. (see Appendix A)
  • Employees (including student employees), must never ask anyone for their password. (see Appendix A)
  • College passwords must never be written down and left in a location easily accessible or visible to others. This includes both paper and unprotected digital formats.
  • Passwords should not be stored in a web browser's password manager. An approved, secured password manager application is encouraged.
  • Individuals must never leave themselves logged into an application or system where someone else can unknowingly use their account.
  • Passwords for College systems must be unique and different from passwords used for other personal services (e.g., banking).
  • All passwords -- both issued and not issued and managed by Whitman College systems -- must meet the complexity requirements outlined in this policy if technically feasible.

B. Responsibilities of Systems Processing Passwords

All College systems-including servers, applications, and websites that are hosted by or for Whitman College - must be designed to accept passwords and transmit them with proper safeguards.

  • Passwords must be prohibited from being displayed when entered.
  • Passwords must never be stored in clear, readable format (encryption must always be used).
  • Passwords must never be stored as part of a login script, program, or automated process.
    • Exceptions to this must be registered with the Information Security Office to allow for proper documentation and risk assessment.
  • Encrypted password databases and hashes must never be accessible to unauthorized individuals.

Where any of the above items are not supported, appropriate authorizations and access control methods must be implemented to ensure only a limited number of authorized individuals have access to readable passwords.

C. Password Requirements

Many College-owned systems manage password requirements unique to that system. For systems where password restrictions are open to choice, the following parameters indicate the recommended requirements for passwords:

  • Long - at least eight (8) characters; increased password length should be considered a primary goal of a solid password.
  • Unique - not used as a password for other accounts (work-related or personal)
  • Complex - a combination of as many of the following four listed character types as possible:
    • UPPERCASE letters (A-Z),
    • lowercase letters (a-z)
    • Numeric digits (0-9)
    • Special characters (such as ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , . / and space)
  • Unpredictable - not based on anything somebody else could easily guess or obtain using person related information (e.g., names, myWhitman ID, telephone numbers, dates of birth, etc.);
  • Uncommon - not vulnerable to a dictionary attack (see Recommendations for Creating Compliant Passwords)

These recommendations should be followed for any system that accesses, stores, or manages institutional resources (local or cloud-based).

Suggestions for Creating Secure Passwords -- insert link to KB article

D. Password Expiration

In order to prevent an attacker from making use of a password that may have been discovered, passwords are deemed temporary and should be changed regularly.

The WCTS Security Office reserves the right to reset a user's password in the event a compromise is suspected or reported.

The required frequency at which passwords must be changed varies based on the type of user or system.

Certain College-managed systems require new passwords on a periodic basis. While not all standard systems enforce password expiration -- it is good practice to refresh passwords on a cycle consistent with the sensitivity of data protected by the account and password.

Mobile Devices

Mobile devices accessing or storing Whitman College data, such as smartphones and tablets, The following minimum password policy is in effect for all mobile devices, where passwords are:

  • At least four (4) digits;
  • No repeating or sequential digits (e.g., 111111, 123456, or 101010); and,
  • Changed periodically.
  • Fingerprint and other biometric method on mobile devices may be used to unlock the device, but a compliant password must still be established.
  • A mobile device accessing or storing College data should be configured to erase after ten (10) invalid password attempts. The device manufacturer may automatically impose time limitations after several unsuccessful password attempts before the wipe is triggered. WCTS can provide assistance with configuring and resetting device passcode.

Appendix A

Guidance for circumstances where sharing a password may be required

  • WCTS will avoid asking for a password.
  • In  support scenarios where an WCTS account cannot be used, an individual may choose to allow a technician to utilize his/her credentials; HOWEVER, the password used must be changed immediately after the authorized support session.
  • In the event of a hardware malfunction and the device needs to be repaired by a third-party, the device hard drive will be backed up to a secure storage device and wiped securely prior to being handed over to an external technician. WCTS can assist with a secure backup and the drive erasure and other exceptional circumstances. Passwords that grant access to college-owned data should not be shared with external technicians.
  • In the event that a password needs to be issued to a remote user or service provider, the password must never be sent without the use of proper safeguards, and should be changed immediately following the remote session.