D. Password Policy

1.   Purpose

The purpose of this policy is to establish the requirements for the proper construction, usage, handling, and maintenance of all passwords at all University System of New Hampshire (USNH) institutions. Passwords must be of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value. These requirements ensure the consistent application of the security controls necessary to safeguard the information and information technology resources of USNH and its component institutions. USNH aligns itself with cybersecurity best practices from organizations such as the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).

2.   Scope

This policy applies to all passwords used to authenticate USNH information technology (IT) resources or any IT system that stores USNH data.

3.   Audience

All USNH community members - including students, faculty, staff, vendors, and external organizations with access to USNH systems - are responsible for understanding and complying with this policy.

4.   Policy Statement

4.1   Password Change Frequency

4.1.1   All passwords associated with USNH accounts shall be forced to change if there is sufficient evidence of compromise or non-conformity with the policy.

4.1.2   USNH community members shall be notified of the need to change their password.

4.1.3   USNH community members with expired passwords shall be restricted from accessing USNH information technology resources.

4.1.4   Administrator account passwords shall be changed every 365 days.

4.1.5   Accounts processing payment cards shall change passwords every 90 days.

4.2   Password Construction

4.2.1   Passwords shall:

  • Be at least 15 characters long, with a permitted maximum length of at least 64 characters (or longer where the system supports it).
  • Allow all printable ASCII characters, spaces, and Unicode characters.
  • Be sufficiently different from previously used passwords and commonly known passwords.
  • Be unique per account.
  • Be unique for USNH use.

4.2.2   Passwords shall NOT:

  • Contain a user’s first name, last name, preferred name, username, or USNH ID.
  • Include common number or character sequences of four or more (e.g., "1234" or "abcd").
  • Contain the same character repeated four or more times (e.g., "aaaa" or "1111").
  • Be reused from previous passwords.
  • Be on a known list of compromised or weak passwords.
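The construction rules in 4.2.1 and 4.2.2 can be applied mechanically at password-change time. The following checker is an added illustration, not USNH's own code; the compromised-password set and the sample identifiers are constructed, and treating descending runs ("4321") as sequences is an assumption beyond the policy text. History and per-account uniqueness need server-side state and are left out.

```python
# Password construction check modelled on USNH policy section 4.2.
# Added illustration, not USNH's own code; the compromised list and
# identifiers are constructed sample data.
import unicodedata

MIN_LENGTH = 15   # 4.2.1: at least 15 characters
MAX_LENGTH = 64   # 4.2.1: systems shall accept at least 64 characters
RUN_LIMIT = 4     # 4.2.2: no repeats or sequences of four or more

# Constructed stand-in for a list of known compromised/weak passwords.
COMPROMISED = {"password123456789", "correct horse battery staple"}


def _has_run(pw: str, step: int) -> bool:
    """True if RUN_LIMIT consecutive characters each differ from the
    previous by `step` code points (0 = repeated, 1 = ascending,
    -1 = descending; descending is an assumption beyond the policy text)."""
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if ord(cur) - ord(prev) == step else 1
        if count >= RUN_LIMIT:
            return True
    return False


def check_password(pw: str, identifiers: list[str]) -> list[str]:
    """Return the 4.2 violations found; an empty list means it passes.

    identifiers: first/last/preferred name, username and USNH ID, which
    4.2.2 forbids inside the password (matched case-insensitively)."""
    pw = unicodedata.normalize("NFC", pw)  # one form per Unicode string
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not all(ch.isprintable() for ch in pw):  # spaces count as printable
        problems.append("contains non-printable characters")
    lowered = pw.casefold()
    for ident in identifiers:
        if ident and ident.casefold() in lowered:
            problems.append(f"contains personal identifier {ident!r}")
    if _has_run(pw, 0):
        problems.append("same character repeated 4+ times")
    if _has_run(pw, 1) or _has_run(pw, -1):
        problems.append("sequence of 4+ consecutive characters")
    if lowered in COMPROMISED:
        problems.append("appears on compromised/weak password list")
    return problems
```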

4.3   Password Handling

4.3.1   Passwords shall:

  • Be treated as restricted information.
  • Not be written down or stored in clear text.
  • Not be shared with anyone, including administrative assistants or supervisors.
  • Not be shared in email, chat, or other unencrypted electronic communication.
  • Not be transmitted in clear text.
  • Not be spoken aloud.

4.3.2   Administrators of information technology resources who need to provide passwords to other administrators shall use secure communication mechanisms.

4.3.3   USNH community members shall not use the "Remember Password" feature of web browsers to store USNH passwords.

4.3.4   Members of USNH Enterprise Technology & Services (ET&S) shall never ask users to provide their password for any USNH account.

4.3.5   Passwords for service, root, recovery-system, or equivalent accounts shall be stored in an enterprise password vault.

4.4   Forgotten and Reset Passwords

4.4.1   Forgotten passwords shall be reset using USNH-approved processes.

4.4.2   Security questions or knowledge-based authentication (e.g., "What was your first pet’s name?") shall NOT be used for password resets.

4.4.3   Users unable to reset their password automatically shall verify their identity through USNH-approved methods.

4.5   Compromised Passwords

4.5.1   Users shall report suspected password compromises to the USNH Help Desk immediately.

4.5.2   If USNH detects a potential password compromise, account access should be restricted, and steps shall be taken to secure the account until identity verification and password reset are completed.

4.5.3   Users with compromised passwords shall verify their identity before regaining access.

4.6   Rate Limiting

4.6.1   USNH shall implement controls to protect against online guessing attacks.

4.6.2   Consecutive failed authentication attempts on a single account shall be limited to a maximum of 100 before requiring additional verification or lockout.

4.6.3   Consecutive failed authentication attempts on accounts attributed to users and systems that process payment cards shall be limited to 10 before lockout.

5.   Enforcement

Failure to comply with this policy may result in disciplinary action in accordance with USNH student conduct policies, personnel policies, or vendor contracts. The USNH Chief Information Security Officer (CISO) or Chief Information Officer (CIO) may take necessary actions to mitigate security risks resulting from non-compliance.

6.   Exceptions

Exceptions to this policy must be formally requested and approved according to the USNH Cybersecurity Exception Standard.

7.   Roles and Responsibilities

  • Application Administrators: Ensure all application accounts comply with this policy.
  • Chief Information Officer (CIO) and Chief Information Security Officer (CISO): Enforce and review the policy annually.
  • Enterprise Technology & Services (ET&S):
    • Send password expiration notifications.
    • Reset invalid or compromised passwords per the USNH Password Management Standard.
    • Monitor USNH systems for signs of compromise.
    • Provide support for USNH community members’ account and password-related questions.
  • USNH Community Members:
    • Comply with all password security requirements.
    • Maintain the confidentiality of USNH passwords.
    • Use unique passwords for every account.
    • Report cybersecurity events or incidents such as a USNH password suddenly not working without being changed by its owner.

8.   Definitions

Refer to the NIST Glossary at https://csrc.nist.gov/glossary/term/NIST

For questions, additional training, or policy violation reports, contact USNH Cybersecurity Governance, Risk, & Compliance (GRC) via the Support Form.

For information on the adoption and effective dates of policies, please see the explanation on the OLPM Main Menu.