Password Policy

1.0 Overview

Passwords are a vital aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password can compromise Hampshire College's data systems and services. As such, all users (including contractors and vendors with access to Hampshire College's systems) are responsible for taking the appropriate steps, outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this policy is to establish standards for the creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope

The scope of this policy includes users who meet any of the following criteria:

  • Users responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Hampshire College facility
  • Users with access to Hampshire College's network
  • Users who store any non-public Hampshire College information.

4.0 Policy

4.1 General

  • Change your passwords periodically.
  • The frequency of password change is generally based on the privilege or access level of the account. Accounts with greater privilege or access should have their passwords changed more frequently.
  • The minimum required interval for password changes is once every year.
  • If your password has been compromised or you suspect it's been compromised, change your password immediately. Change your password by visiting password.hampshire.edu and then contact the helpdesk at helpdesk@hampshire.edu.
  • Passwords must not be inserted into email messages or other forms of electronic communication.
  • All user-level and system-level passwords must conform to the guidelines described in Hampshire College Password Guidelines. Please see the addendum for additional information regarding these guidelines.

4.2 Password Protection Standards

Password protection is a vital part of any security plan, so please observe the following standards:

  • Do not use the same password for Hampshire College accounts as for other non-Hampshire College accounts, such as a personal ISP account, benefits, banking, and other accounts.
  • Do not share Hampshire College passwords with anyone, including administrative assistants or secretaries.
  • All passwords are to be treated as sensitive Hampshire College information.
  • When IT works on your computer, please arrange to be available to type in your password as needed. If that is not possible, change your password immediately before and after the work is done.

Good practices to follow:

  • Don't reveal a password over the phone to ANYONE.
  • Don't reveal a password in an email message to ANYONE.
  • Don't reveal a password to a supervisor.
  • Don't write passwords down and save them.
  • Don't talk about a password in front of others.
  • Don't hint at the format of a password (e.g., "my family name").
  • Don't reveal a password on questionnaires or security forms to ANYONE.
  • Don't share a password with family members.
  • Don't reveal a password to co-workers (e.g., when going on vacation or leave of any kind).
  • Don't use the "Remember Password" feature of applications.
  • Don't store passwords in a file on ANY computer system (including a smartphone or similar devices) without encryption.

If someone demands a password, refer that person to this document or have that person call a staff member of the information technology department.

Password cracking or guessing may be performed on a periodic or random basis by IT or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

General Password Construction Guidelines

Strong passwords are:

  • At least twelve characters (longer is better)
  • A mix of upper and lower case letters (a-z, A-Z), numbers (0-9), and symbols (~!%^)+]>}`$*)
  • Not a word in any language, slang, dialect, jargon, etc.
  • Something hard to guess, but easy to remember

Bad passwords are:

  • Predictable patterns or significant repetition of the same character
  • Personal information (name, birth date, family/friend/pet's names, address, SSN, etc.)
  • A password you use for other systems

How can I create a memorable password?

One way to do this is to create a password based on a song title, affirmation, or other phrase.

  1. Think of a phrase you can easily memorize
  2. Keep the first letter of each word and insert numbers where appropriate

Example
Phrase: I have three furry white kitties and one puppy dog!
Corresponding password: Ih3fwka1pd!


NOTE: Do not use this example as a password!