Password Standard

Policy Number: IT.1.1.2S
Category: Acceptable Use of Technology
Effective: July 15, 2019
Revision History:
None
Review Date:
July 14, 2022

  1. Purpose, Scope, and Responsibilities

    1. Pursuant to the Identity and Access Management Policy, passwords are the primary means of protecting access to University Information Systems; therefore, it is imperative that passwords are strongly constructed and used in a manner to prevent account compromise.
    2. The purpose of this Standard is to establish the minimum requirements for passwords used to access University Information Systems to reduce the risk of Unauthorized Access to University technology resources and data.
    3. This Standard applies to all individuals accessing the Campus Network or a University Information System. This use may include, but is not limited to: personal devices, laptops, University-Owned devices, information systems, and servers. This Standard applies to both departmental and centrally-managed resources. When these password standards are technically infeasible, the application owner must contact ITS to request an exception.
    4. The Chief Information Security Officer is responsible for implementation and enforcement of this Standard. Identity and Access Management (“IAM”) is responsible for managing the systems that allow Organizational Users to claim their University Account (“WVU Login”) and update their password and for ensuring that all WVU Login passwords meet the minimum requirements. IAM will notify all University Account Owners via email fifteen (15) days prior to their WVU Login password expiring.
  2. Password Composition

    1. All passwords must be strong passwords and include the following:
      1. A minimum of eight (8) and maximum of twenty (20) characters.
      2. At least 1 uppercase letter.
      3. At least 1 lowercase letter.
      4. At least 1 numeric character.
    2. Passwords must never include the following:
      1. Three (3) consecutive characters from the first name, middle name, last name or username.
      2. Blank spaces.
      3. Special character sequences such as //.
      4. Personal or financial information such as Social Security or credit card numbers.
    3. The use of special characters (e.g., / ! ^ ? : . [ ] { } ~ - _;) is not required but is highly recommended.
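The composition rules of Section 2 are concrete enough to enforce at password-change time. The following validator is an added example, not part of the Standard; the name and username arguments are assumed caller inputs, and the nine-digit check for personal or financial information is a heuristic of this example, not a rule the Standard spells out.

```python
import re

# Limits taken from Section 2 of the Standard; name/username inputs are assumed to be supplied by the caller
MIN_LEN, MAX_LEN = 8, 20
FORBIDDEN_SEQUENCES = ("//",)   # the Standard names "//" as an example sequence


def name_trigrams(*fields):
    """Every run of three consecutive characters from the given name fields, case-folded."""
    grams = set()
    for field in fields:
        field = (field or "").lower()
        grams.update(field[i:i + 3] for i in range(len(field) - 2))
    return grams


def check_password(pw, first="", middle="", last="", username=""):
    """Return the list of Section 2 rules the password violates; an empty list means compliant."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("needs at least one uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("needs at least one lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("needs at least one numeric character")
    if any(ch.isspace() for ch in pw):
        problems.append("must not contain blank spaces")
    if any(seq in pw for seq in FORBIDDEN_SEQUENCES):
        problems.append("must not contain special character sequences such as //")
    lowered = pw.lower()
    if any(g in lowered for g in name_trigrams(first, middle, last, username)):
        problems.append("must not contain three consecutive characters of a name or username")
    # Heuristic (assumption, not in the Standard): nine or more digits in a row, ignoring
    # separators, looks like a Social Security or card number
    if re.search(r"\d{9,}", re.sub(r"[-\s]", "", pw)):
        problems.append("must not contain personal or financial information")
    return problems
```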
  3. Password Management

    1. Passwords must be changed at minimum one time per year; however, an individual may change their password at any time provided the password is:
      1. Different from the previous five (5) passwords used; and,
      2. Not used more than one (1) time per 12-month period.
    2. Passwords must be changed if an account is Compromised.
    3. Pursuant to the Acceptable Use of Data and Technology Resources, passwords must never be left in a location, along with the username, that can be readily obtained and utilized by another individual to Authenticate to a University Information System.
    4. To prevent compromise of credentials, never use the same password for a WVU Login account and a personal account.
    5. Never share a password with anyone in any way (e.g., email, phone call, electronically via the Internet) including managers, co-workers, assistants, family members, friends, or the ITS/HSCITS Help Desk.
    6. If a password is suspected to have been compromised, it must be changed immediately, and the incident reported to Information Technology Services at 304-293-4444 or defendyourdata@mail.wvu.edu.
  4. System Administration & Development

    1. Use of default passwords for administrative accounts is prohibited.
    2. WVU Login credentials must be used for administrative Authentication instead of creating local accounts.
    3. University Information Systems must automatically lock after eight (8) unsuccessful, consecutive logon attempts to deter Brute Force Attacks.
    4. Avoid storing passwords in University Information Systems.
    5. University Information Systems must support unique user accounts and passwords so that individuals do not share a username and/or password to access the application.
    6. Passwords must be protected in storage and transit using cryptographic protections.
    7. Third-party password management solutions (e.g., KeePass) should contain multi-tiered accounts for continuity purposes.
    8. Passwords must be hidden during login process.
    9. A password history of a maximum of five (5) is allowed, with no re-use of passwords for 366 days.
    10. Temporary passwords must be set to change upon first logon.
    11. Uniform responses must be provided for failed login attempts. A simple error message such as “Access Denied” should be displayed for a limited time and then obscured.
    12. Failed attempts must be logged, unless such action results in the display of the failed password. It is recommended that these logs be retained for a minimum of 30 days. Administrators should regularly inspect logs and report any irregularities or compromises to Information Technology Services.
    13. Log files must never contain password information.
    14. Passwords of compromised accounts must be reset in a timely manner, or users must be required to reset their own passwords, in situations where continued use of a password creates a risk of unauthorized access to the computing account or resource.
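Items 3, 6, 9, 11, 12 and 13 of this section together describe how a University Information System should handle logon and password changes. The sketch below is an added example, not code from the Standard or from ITS: it locks after eight consecutive failures, gives a uniform failure result, keeps only salted PBKDF2 digests (the iteration count is an assumption), enforces the five-password history and the 366-day reuse window, and writes failures to an audit log that never contains password material.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 8                 # Section 4.3: eight unsuccessful, consecutive logon attempts
HISTORY_DEPTH = 5                     # Section 4.9: five previous passwords
REUSE_WINDOW = timedelta(days=366)    # Section 4.9: no re-use for 366 days


def hash_password(pw, salt):
    # Only a salted, derived key is ever stored (Section 4.6); the iteration count is an assumption
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Account:
    def __init__(self, password, now):
        self.failed, self.locked = 0, False
        self.history = []    # (set_at, salt, digest), most recent last; plaintext is never kept
        self.audit_log = []  # Sections 4.12 and 4.13: records attempts, never the password
        self._store(password, now)

    def _store(self, pw, now):
        salt = os.urandom(16)
        self.history.append((now, salt, hash_password(pw, salt)))
        # Retain the current entry plus five previous ones, and anything still inside the 366-day window
        recent = self.history[-(HISTORY_DEPTH + 1):]
        self.history = [e for e in self.history if e in recent or now - e[0] < REUSE_WINDOW]

    def _matches(self, pw, entry):
        _, salt, digest = entry
        return hmac.compare_digest(hash_password(pw, salt), digest)

    def login(self, pw, now):
        """Uniform failure result (Section 4.11); lock after eight consecutive failures (4.3)."""
        if not self.locked and self._matches(pw, self.history[-1]):
            self.failed = 0
            return True
        self.failed += 1
        self.audit_log.append(f"{now.isoformat()} failed logon #{self.failed} locked={self.locked}")
        if self.failed >= LOCKOUT_THRESHOLD:
            self.locked = True
        return False

    def change_password(self, new_pw, now):
        """Reject any password still in the retained history (Sections 3.1 and 4.9)."""
        if any(self._matches(new_pw, e) for e in self.history):
            return False
        self._store(new_pw, now)
        return True
```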
  5. Exceptions

    1. University Police Department employees are required by law to change their passwords every 90 days.
    2. Specialized devices (e.g., public access kiosks) that are granted an exception from using a password must implement restricted permissions that are separate from administrative accounts.
    3. University Information Systems that are granted an exception to use local accounts for Authentication must have their passwords changed every 180 days or as personnel changes occur.
  6. Definitions

    1. “Authenticate” means verification of the identity of a user, process, or device that is requesting access to a University Information System.
    2. “Brute Force Attacks” means a trial-and-error method used to obtain desired information, such as user passwords.
    3. “Compromised” means an account that has been maliciously broken into and could be used by an unauthorized individual for nefarious reasons.
    4. “Organizational Users” means an employee, student, or individual the University deems to have the equivalent status of an employee or student, including, but not limited to, contractors, guest researchers, and individuals from another organization or University.
    5. “University Account” means the digital identity of an Organizational User. It consists of a unique ID number (“WVUID”), Credentials (“WVU Login”), and an email address.
    6. “University Information System” means an information system or device that is on the campus network, requires Authentication, and is used at the University to support the academic, administrative, research, and outreach activities of the University such as O365, eCampus, STAR, MAP, and University-owned devices.