Password

Division: Administration and Finance

Department: Information Technology Services

Contact Information: Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu

Effective Date: Friday, April 30, 2010

Revised Date: Friday, October 11, 2024

Authority: Application Security Standard (ISO Domain 14: Systems Acquisition Standard)

Objective: 

This policy establishes directions for the creation and reset of passwords, their protection, and the frequency with which they must be changed. The scope of this policy includes all SF State staff, faculty, student employees and community members (including but not limited to auxiliary personnel and emeritus).

Statement: 

Purpose & Scope

Passwords are typically the first line of protection for user accounts. A poorly chosen password may result in a breach that compromises network and systems security, resulting in the exposure of SF State Confidential Data.

Policy & Appropriate Use

General

Individual Account Passwords

  • SF State authentication credentials must not be disclosed to another person.
  • All SF State students, employees, student employees, emeritus, and community member passwords must be reset after a maximum of 365 days.
  • All SF State students, employees, student employees, emeritus, and community members must be enrolled in two-factor authentication (2FA) with SF State Single Sign-On (SSO).
  • Account passwords should not be included in email messages or other forms of electronic communication unless encrypted.
  • Temporary and one-time passwords must meet complexity rules and not be predictable.
  • All passwords are Level 1 data and must be handled in accordance with the Sensitive Data Policy.

Users must immediately report any incident or suspected compromised password. Information on the types of security incidents and where to report them can be found on the Reporting a Security Incident or Vulnerability page.

Guest Account Passwords

  • May only be used for pre-approved low-risk activities.
  • May be emailed.
  • Must expire within 7 days.
  • May only be used by the intended participants/users.

Privileged Account Passwords

  • Individual privileged account passwords must be different from non-privileged account passwords held by that user.
  • Individual privileged account users must reset their passwords after a maximum of 365 days.
  • Individual privileged accounts used for accessing cloud services must be enrolled in two-factor authentication (2FA) with SF State Single Sign-On (SSO).

Default Account Passwords

  • Default passwords delivered from vendors must be changed before being deployed or upon initial access to the system (e.g. the first time the user logs in).

SF State Password Standards

  • Must be a minimum of twelve characters.
  • Must not contain the first name, last name, or account name.
  • Must not be the same as the last 24 passwords used.
  • Must contain characters from at least three of the following five categories:
    • Upper case characters
    • Lower case characters
    • Numbers
    • Special characters
    • Non-English characters
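The following is an added illustration of how the four standards above can be enforced at password-creation time; it is example code written for this page, not SF State's or ITS's own implementation. The character-category rules are assumptions about how the policy's categories map to characters (ASCII letters and digits for the first three, ASCII punctuation for "special", any non-ASCII character for "non-English", spaces counting toward none). Password history is assumed to be kept as per-entry salted PBKDF2 hashes rather than cleartext, consistent with the policy's requirement that stored passwords be encrypted.

```python
"""Checker for the SF State password standards listed above (constructed example)."""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 12          # "minimum of twelve characters"
REQUIRED_CATEGORIES = 3  # "three of the following five categories"
HISTORY_DEPTH = 24       # "not the same as the last 24 passwords used"
PBKDF2_ROUNDS = 100_000  # assumed work factor for history hashes

HistoryEntry = Tuple[bytes, bytes]  # (salt, pbkdf2 digest)


def character_categories(password: str) -> set:
    """Return the set of policy categories present in the password.

    Category mapping is an assumption made for this example (see lead-in).
    """
    cats = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.digits:
            cats.add("number")
        elif ch in string.punctuation:
            cats.add("special")
        elif not ch.isascii():
            cats.add("non_english")
        # ASCII whitespace and control characters count toward no category
    return cats


def hash_for_history(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 digest suitable for storing in a history list."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(password: str, history: Sequence[HistoryEntry]) -> bool:
    """True if the password matches any of the last HISTORY_DEPTH stored entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_for_history(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, first_name: str, last_name: str,
                   account_name: str, history: Sequence[HistoryEntry] = ()) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Name checks are case-insensitive so "LOVELACE" and "lovelace" are both caught.
    folded = password.casefold()
    for label, name in (("first name", first_name), ("last name", last_name),
                        ("account name", account_name)):
        if name and name.casefold() in folded:
            problems.append(f"contains the {label}")

    cats = character_categories(password)
    if len(cats) < REQUIRED_CATEGORIES:
        problems.append(f"only {len(cats)} of 5 character categories present "
                        f"(need {REQUIRED_CATEGORIES})")

    if is_reused(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample user and a previously used password.
    previous = [hash_for_history("Tr0ub4dor&3xample")]
    for candidate in ("Tr0ub4dor&3xample", "lovelace2024!!", "correct horse battery",
                      "Gr\u00fcne Stra\u00dfe 2024"):
        print(repr(candidate), check_password(candidate, "Ada", "Lovelace", "alovelace", previous))
```

Because each history entry carries its own salt, the check recomputes the digest per entry; that is deliberate, since a shared salt would let an attacker who obtained the history table test one guess against every entry at once. The `hmac.compare_digest` call keeps the comparison constant-time.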

Password Protection Standards

  • Do not use the same password for SF State accounts and non-SF State accounts (e.g., personal email, banking, insurance, etc.).
  • Do not store passwords electronically unless encrypted. Passwords recorded on paper must be physically secured.
  • Computers should automatically lock after a maximum of 15 minutes of inactivity and require a password to unlock.
  • Privileged accounts should never be used on public machines.

Implementation

Responsibility for implementing this Practice Directive will rest with Information Technology Services (ITS) and campus functional units. Submit any apparent violation of the Password Policy to the appropriate administrator or to service@sfsu.edu.

Non-Compliance

Noncompliance with applicable policies and/or practices may result in suspension of network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.