Password Policy

Date Approved: 10-1-2020
Last Revision: 10-1-2020
Last Reviewed: 10-1-2020
Approved By: President
Oversight Unit: INFORMATION TECHNOLOGY-TECHNICAL SERVICES
This policy has a related procedure, which appears below.

Purpose

This policy identifies and governs authentication controls to protect data and privacy.

Applicability

All users of NMU network resources, including but not limited to Faculty, Staff, Retirees, and Students. The Policy applies to administrative data, systems that access university data, media that store data, and other data as determined by the Chief Information Security Officer (CISO). 

Policy

Northern Michigan University’s CISO or designate will develop and implement appropriate password controls for NMU’s network systems. The controls will be documented in procedures approved by the CISO. 


Last update: 10/1/2020

Procedure

Definition: Multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is). In the case of NMU, the first authentication method must be a password. There are several options for secondary authentication, including an authenticator application, the device’s built-in security key, an external USB or similar security key, and backup codes.

Using various tools, NMU will assign a strength score to each user’s password. The use of multi-factor authentication will determine the need for and frequency of a password change. In an effort to better protect and secure the information and privacy of the Faculty, Staff, and Students of Northern Michigan University, the following authentication procedures will be required:

  • Passwords must be of an acceptable strength as determined by the CISO. 
  • If multi-factor authentication is enabled, a yearly password change for faculty, staff, and retirees will not be required.
  • If multi-factor authentication is disabled, a password change will be required 1 year from the date of the last password change for faculty, staff, and retirees.  
  • Students are not required to change their passwords on a yearly basis.  
  • Passwords cannot be reused.
  • Passwords must begin with an alphabetic character a-z or A-Z. Valid password characters are a-z, A-Z, 0-9, and the special characters ~!#$%^&*()_+-=[]{}|;:/,.<>? A space character is also permitted, but not at the beginning or end of the password.
  • Passwords must be a minimum of 8 characters and a maximum of 64 characters.
  • In order to respond to technology changes, the CISO designates the Network Operations Center to continue to assess and, as appropriate, present alternatives to two-factor authentication methods.
  • If NMU receives notice that an external entity has been compromised and the breached data includes an ID and password that match a current NMUID and password, the user will be required to change their NMU password.

Enforcement:

The new policy will take effect on 10/1/2020 and will be used for all subsequent password creations and changes.