<h1>Password Policy</h1>

<p>McNeese State University, University Policies. Published 2024-11-26. <a href="https://www.mcneese.edu/policy/password-policy/">https://www.mcneese.edu/policy/password-policy/</a></p>

<h2 class="wp-block-heading display-3 heavy">Purpose</h2>

<p>The purpose of this policy is to establish standards for password usage to ensure the security of McNeese State University’s computing resources.</p>

<h2 class="wp-block-heading display-3 heavy">Scope</h2>

<p>This policy applies to all employees, students, and contractors who access McNeese State University systems, data, or applications.</p>

<h2 class="wp-block-heading display-3 heavy">Policy</h2>

<h3 class="wp-block-heading display-4 heavy">Password Length</h3>

<ul class="wp-block-list">
<li><strong>Minimum Length:</strong> Passwords must be at least 12 characters.</li>
<li><strong>Maximum Length:</strong> Systems must accept passwords up to 64 characters.</li>
<li><strong>Encouragement:</strong> Users are encouraged to create longer passphrases for added security.</li>
</ul>

<h3 class="wp-block-heading display-4 heavy">Password Complexity</h3>

<ul class="wp-block-list">
<li><strong>No Specific Complexity Requirements:</strong> Passwords are not required to include uppercase letters, lowercase letters, numbers, or special characters.</li>
<li><strong>Guidance:</strong> Users should create passwords or passphrases that are memorable but difficult to guess, avoiding predictable patterns, common words, or sequences.</li>
</ul>

<h3 class="wp-block-heading display-4 heavy">Password Composition Restrictions</h3>

<ul class="wp-block-list">
<li><strong>Prohibited Passwords:</strong> Passwords must be screened against lists of commonly used, compromised, or weak passwords (e.g., “password123,” “qwerty”).</li>
<li><strong>Blocked Passwords:</strong> Passwords will be blocked if they:
<ul class="wp-block-list">
<li>Appear on known breach lists,</li>
<li>Are simple dictionary words, or</li>
<li>Use predictable sequences (e.g., “123456”).</li>
</ul>
</li>
</ul>

<h3 class="wp-block-heading display-4 heavy">Password Expiration</h3>

<ul class="wp-block-list">
<li><strong>No Routine Expiration:</strong> Passwords will not expire unless there is evidence of compromise.</li>
<li><strong>Incident-Based Changes:</strong> Users must change passwords only in response to detected security incidents.</li>
</ul>

<h3 class="wp-block-heading display-4 heavy">Multi-Factor Authentication (MFA)</h3>

<ul class="wp-block-list">
<li><strong>Mandatory MFA:</strong> Multi-factor authentication is required for accessing sensitive systems or data. This includes:
<ul class="wp-block-list">
<li><strong>Something you know:</strong> A password.</li>
<li><strong>Something you have:</strong> A hardware token or smartphone app.</li>
<li><strong>Something you are:</strong> A biometric factor (e.g., fingerprint, facial recognition).</li>
</ul>
</li>
</ul>

<h3 class="wp-block-heading display-4 heavy">Password Recovery</h3>

<ul class="wp-block-list">
<li><strong>Secure Processes:</strong> Password recovery must involve secure methods such as MFA.</li>
<li><strong>No Security Questions:</strong> Security questions should not be used, as they often involve easily discoverable information.</li>
</ul>

<h3 class="wp-block-heading display-4 heavy">No Complex Rules or Arbitrary Restrictions</h3>

<ul class="wp-block-list">
<li><strong>No Frequent Changes:</strong> Users are not required to change passwords frequently unless there is a suspected compromise.</li>
<li><strong>No Arbitrary Composition Rules:</strong> Special character or capitalization requirements will not be imposed.</li>
<li><strong>Password Managers:</strong> Users may use password managers and copy-paste functionality for convenience and security.</li>
</ul>

<h3 class="wp-block-heading display-4 heavy">Password Storage</h3>

<ul class="wp-block-list">
<li><strong>Secure Hashing:</strong> Passwords must be stored using strong, salted, iterative hash functions such as PBKDF2, bcrypt, or Argon2.</li>
<li><strong>No Plaintext Storage:</strong> Passwords must never be stored in plaintext and must always be encrypted when transmitted.</li>
</ul>

<h3 class="wp-block-heading display-4 heavy">Throttling and Rate Limiting</h3>

<p><strong>Brute Force Protection:</strong> Systems must implement throttling and rate-limiting mechanisms to prevent brute force attacks after repeated failed login attempts.</p>

<h3 class="wp-block-heading display-4 heavy">Monitoring and Logging</h3>

<ul class="wp-block-list">
<li><strong>Activity Monitoring:</strong> Systems must monitor and log failed login attempts and unusual behaviors.</li>
<li><strong>Alerting:</strong> Alerts should be generated in response to suspicious activities to detect and mitigate potential threats.</li>
</ul>

<h2 class="wp-block-heading display-3 heavy">User Guidance: Best Practices for Passwords</h2>

<ol start="1" class="wp-block-list">
<li><strong>Use Passphrases:</strong> Create strong, memorable passphrases (e.g., “SunnyDayInParis1982!”).</li>
<li><strong>Use a Password Manager:</strong> Use a reputable password manager to generate and store passwords securely.</li>
<li><strong>Avoid Reusing Passwords:</strong> Do not reuse passwords across multiple accounts to reduce security risks.</li>
</ol>

<h2 class="wp-block-heading display-3 heavy">Review and Revision</h2>

<p>This policy will be reviewed annually and updated as necessary to align with evolving security practices and technology standards.</p>

<h2 class="wp-block-heading display-3 heavy">Contact Information</h2>

<p>For questions or additional information, please contact the Office of Information Technology:</p>

<ul class="wp-block-list">
<li>Phone: (337) 475-5995</li>
<li>Email: <a href="mailto:helpdesk@mcneese.edu">helpdesk@mcneese.edu</a></li>
</ul>

<h2 class="wp-block-heading display-3 heavy">Communication</h2>

<p>This policy is distributed via the University Policies webpage.</p>