Information Technology Security Password Guidelines
Passwords are a critical part of information and network security. Passwords serve to protect against unauthorized access, but a poorly chosen password could put the entire institution at risk. As a result, all members of the TCNJ community should take appropriate steps to ensure that their passwords are strong and secure. The purpose of these guidelines is to set a standard for creating, protecting, and changing passwords such that they are strong, secure, and protected.
These guidelines apply to all members of the College who have or are responsible for a computer account, or any form of access that supports or requires a password, on any system that resides at any College facility, or has access to The College of New Jersey’s network.
What is a password? A password is your personal key to a computer system. Passwords help to ensure that only authorized individuals access computer systems. Passwords also help to determine accountability for all transactions and other changes made to system resources, including data. If you share your password with a colleague or friend, you may be giving an unauthorized individual access to the system and may be held responsible for their actions. What if the individual gives your password to someone else? What if some of your files are deleted or otherwise rendered unusable? Are you willing to take the blame if an unauthorized individual uses your access to damage or to make unauthorized changes to data or systems?
Authentication of individuals as valid users, via the input of a valid password, is required to access any shared computer information system. Each user is accountable for the selection and confidentiality of passwords. Since you are responsible for picking your own password, it is important to be able to tell the difference between a good password and a bad one. Bad passwords jeopardize information that they are supposed to protect.
Your password should not be the same as your username. Your password should be unique. Do not use the same password across multiple accounts. Use a password manager to help maintain unique passwords for all your accounts; TCNJ has an enterprise LastPass license (contact email@example.com if you would like to participate). A good password is relatively easy to remember, but hard for somebody else to guess. There are a variety of techniques you can use to choose secure passwords. Listed below are some examples of creating passwords.
- Passwords should be long and unique.
- Old passwords should not be re-used.
- All passwords should conform to the guidelines outlined below.
Password Construction Guidelines
Passwords are used to access any number of College systems. Poor, weak passwords are easily cracked, and put the entire system at risk. Therefore, strong passwords are required. Try to create a password that is also easy to remember.
- Passwords should be long. A password should really be a passphrase. Use spaces between words to make it longer and harder to crack, but easier to remember.
- Passwords should contain at least 12 characters.
- Passwords should contain at least 1 uppercase letter.
- Passwords should contain at least 1 lowercase letter.
- Passwords should contain at least 1 numerical character.
- Symbol characters are encouraged (e.g. @#$%^&!.)
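For administrators who want to enforce these construction rules at password-change time, the following is an added example, not code from TCNJ. The function name, the violation labels, and the case and whitespace normalization are assumptions of this sketch. It also rejects a password equal to the username and the sample passphrases printed in this document.

```python
import re
import unicodedata

MIN_LENGTH = 12  # "at least 12 characters"

# Sample passphrases printed in these guidelines; the document says not to use them.
PUBLISHED_EXAMPLES = {
    "Black desk 1 phone!", "3 posters on the WALL", "Mug, clock light 341",
    "Mary Had A Little Lamb 11", "The Matrix 2 is a fun movie", "Full House 2022",
    "Fun@thefa1r", "Never #GUESS 99", "Not really $ecur3",
    "Major essay +7", "Bob visiting. 10th", "This is 1 secure password!!",
}


def _normalize(text):
    """Fold Unicode form, case and whitespace so trivial variants compare equal."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"\s+", " ", text).strip()


_DENYLIST = {_normalize(p) for p in PUBLISHED_EXAMPLES}


def check_password(password, username):
    """Return a list of guideline violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isupper() for c in password):
        problems.append("uppercase")
    if not any(c.islower() for c in password):
        problems.append("lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    # Symbols are encouraged, not required, so they are not checked here.
    if _normalize(password) == _normalize(username):
        problems.append("same-as-username")
    if _normalize(password) in _DENYLIST:
        problems.append("published-example")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, for illustration only.
    for candidate in ("Blue kettle 47 river", "full  house 2022", "jsmith"):
        print(repr(candidate), check_password(candidate, "jsmith"))
```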
Following are examples of some techniques for creating passwords.
1. Combine a few objects in the room to make a random phrase.
Examples: “Black desk 1 phone!” “3 posters on the WALL” “Mug, clock light 341”
2. Make up a phrase based on a nursery rhyme, a favorite song or movie, or a sentence.
Examples: “Mary Had A Little Lamb 11” “The Matrix 2 is a fun movie” “Full House 2022”
3. Use special characters like #, $, and @. These, too, can be inserted anywhere.
Examples: “Fun@thefa1r” “Never #GUESS 99” “Not really $ecur3”
4. Be creative! Try to choose a pattern that has meaning for you but that no one else can guess. For example, you might use upcoming events in your life. If you have a major essay to write next month, or if a friend is coming to visit, you might create a password reflecting that event.
Examples: “Major essay +7” “Bob visiting. 10th” “This is 1 secure password!!”
The best password is one that is long and has never been used before.
Password Protection Guidelines
- Passwords should be treated as confidential information. No one is to give, tell, or hint at their password to another person, including IT staff, administrators, superiors, other co-workers, friends, or family members, under any circumstances.
- If someone demands your password, refer them to these guidelines or have them contact the IT Department.
- Passwords should not be transmitted electronically over the unprotected Internet, such as via email.
- No one is to keep an unsecured written record of their passwords, either on paper or in an electronic file. If it proves necessary to keep a record of a password, then it must be kept in a controlled access place if in hardcopy form or in an encrypted file if in electronic form. Contact firstname.lastname@example.org if you need access to LastPass.
- Do not use the “Remember Password” feature of applications such as web browsers. They may allow an attacker to view your passwords in clear text.
- Passwords used to gain access to TCNJ systems should not be used as passwords to access non-TCNJ systems.
- Do not use the same password to access multiple accounts/systems. Password reuse is the #1 vector attackers use to gain unauthorized access.
- If you suspect that your password has been compromised, it must be reported to the Information Security Office and the password changed immediately.
- Finally, please do not use any of the password examples shown in this document.