IA-5(1) Password-based Authentication
Initial Implementation: 11/18/24
Statement
WTAMU information system passwords shall be governed by the following set of controls in addition to those defined in IA-5 Authenticator Management.
Applicability
This Control applies to all West Texas A&M network information resources. The intended audience for this Control includes all information resource owners, custodians, and users of information resources.
Implementation
Management of passwords shall include:
- IT shall implement technologies that maintain a list of commonly used and compromised passwords. This technology shall:
  - Automatically update its list for newly compromised passwords.
  - Alert IT staff if a user’s password matches a compromised password. Any password so identified shall be changed.
  - Prevent users from selecting passwords already on the list.
- IT shall also maintain a list of words or phrases associated with the University which are not allowed to be used as passwords. These include but are not limited to: buffs, buffaloes, maroon, west, Texas
- Passwords that must be transmitted shall be encrypted.
- Temporary passwords that are transmitted for the sole purpose of establishing a new password or changing a password can be excepted from the requirement to encrypt, provided that it is a one-time transmission and that the user must also change the password upon first logon.
- All passwords shall be set to expire every 2 years.
- Passwords should be stored as hashes instead of plain text passwords.
- All passwords should comply with the following complexity requirements:
  - Contains at least eight (12) characters.
  - Contains at least one of each of the following:
    - Uppercase letters (A, B, C).
    - Lowercase letters (a, b, c).
    - Numerals (1, 2, 3).
  - Is not one of your ten (10) previously used passwords.
- Passwords also cannot contain:
  - Ampersands (&), angle brackets (< >) or non-English characters.
  - Significant portions of your account name or full name.