Password Policy

Authority: Information Technology
Date Enacted or Revised: Enacted November 25, 2024

Purpose

The purpose of this policy is to establish standards for password usage to ensure the security of McNeese State University’s computing resources.

Scope

This policy applies to all employees, students, and contractors who access McNeese State University systems, data, or applications.

Policy

Password Length

  • Minimum Length: Passwords must be at least 12 characters.
  • Maximum Length: Systems must accept passwords up to 64 characters.
  • Encouragement: Users are encouraged to create longer passphrases for added security.

Password Complexity

  • No Specific Complexity Requirements: Passwords are not required to include uppercase letters, lowercase letters, numbers, or special characters.
  • Guidance: Users should create passwords or passphrases that are memorable but difficult to guess, avoiding predictable patterns, common words, or sequences.

Password Composition Restrictions

  • Prohibited Passwords: Passwords must be screened against lists of commonly used, compromised, or weak passwords (e.g., “password123,” “qwerty”).
  • Blocked Passwords: Passwords will be blocked if they:
    • Appear on known breach lists,
    • Are simple dictionary words, or
    • Use predictable sequences (e.g., “123456”).
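As an added illustration that is not part of the policy text, the following Python validator applies the Password Length and Password Composition Restrictions above: a 12 to 64 character length window, no character-class rules, and rejection of breach-list entries, simple dictionary words, and predictable sequences. The breach list and dictionary are constructed samples, and stripping trailing digits and punctuation before the dictionary check is an assumption about how "simple dictionary word" is interpreted.

```python
from __future__ import annotations

import string

# Constructed sample lists; a real deployment would load a full breach
# corpus and a dictionary file instead of these few entries.
BREACHED = {"password123", "qwerty", "letmein", "welcome1"}
DICTIONARY = {"university", "louisiana", "cowboys", "correcthorse"}

MIN_LEN, MAX_LEN = 12, 64


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive code points ascending or
    descending (e.g. '1234', 'abcd', 'dcba'); such runs count as predictable."""
    lower = pw.lower()
    for i in range(len(lower) - run + 1):
        chunk = [ord(c) for c in lower[i:i + run]]
        diffs = {b - a for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    No uppercase/number/symbol requirements are applied, per the policy."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    normalized = pw.strip().lower()
    if normalized in BREACHED:
        problems.append("appears on a breach list")
    # Assumption: 'louisiana2024' is still a simple dictionary word, so the
    # trailing digits/punctuation are stripped before the lookup.
    core = normalized.rstrip(string.digits + string.punctuation)
    if normalized in DICTIONARY or core in DICTIONARY:
        problems.append("is a simple dictionary word")
    if has_sequence(pw):
        problems.append("contains a predictable sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "qwerty", "louisiana2024"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```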

Password Expiration

  • No Routine Expiration: Passwords will not expire unless there is evidence of compromise.
  • Incident-Based Changes: Users must change passwords only in response to detected security incidents.

Multi-Factor Authentication (MFA)

  • Mandatory MFA: Multi-factor authentication is required for accessing sensitive systems or data. This includes:
    • Something you know: A password.
    • Something you have: A hardware token or smartphone app.
    • Something you are: A biometric factor (e.g., fingerprint, facial recognition).

Password Recovery

  • Secure Processes: Password recovery must involve secure methods such as MFA.
  • No Security Questions: Security questions should not be used, as they often involve easily discoverable information.

No Complex Rules or Arbitrary Restrictions

  • No Frequent Changes: Users are not required to change passwords frequently unless there is a suspected compromise.
  • No Arbitrary Composition Rules: Special character or capitalization requirements will not be imposed.
  • Password Managers: Users may utilize password managers and copy-paste functionality for convenience and security.

Password Storage

  • Secure Hashing: Passwords must be stored using strong, salted, iterative hash functions such as PBKDF2, bcrypt, or Argon2.
  • No Plaintext Storage: Passwords must never be stored in plaintext and must always be encrypted when transmitted.

Throttling and Rate Limiting

  • Brute Force Protection: Systems must implement throttling and rate-limiting mechanisms to prevent brute force attacks after repeated failed login attempts.

Monitoring and Logging

  • Activity Monitoring: Systems must monitor and log failed login attempts and unusual behaviors.
  • Alerting: Alerts should be generated in response to suspicious activities to detect and mitigate potential threats.

User Guidance: Best Practices for Passwords

  1. Use Passphrases: Create strong, memorable passphrases (e.g., “SunnyDayInParis1982!”).
  2. Use a Password Manager: Utilize a reputable password manager to generate and store passwords securely.
  3. Avoid Reusing Passwords: Do not reuse passwords across multiple accounts to reduce security risks.

Review and Revision

This policy will be reviewed annually and updated as necessary to align with evolving security practices and technology standards.

Contact Information

For questions or additional information, please contact the Office of Information Technology:

Communication

This policy is distributed via the University Policies webpage.