
Password Standard

Policy Number: 1.11.1.1.2
Category: Acceptable Use of Technology
Effective: August 16, 2022
Revision History: Originally effective July 15, 2019
Review Date: August 15, 2025

  1. Purpose, Scope, and Responsibilities

    1. Pursuant to the Identity and Access Management Policy, passwords are the primary means of protecting access to University Information Systems; therefore, it is imperative that passwords are strongly constructed and used in a manner to prevent account compromise.
    2. The purpose of this Standard is to establish the minimum requirements for passwords used to access University Information Systems to reduce the risk of Unauthorized Access to University technology resources and data. This Standard is based on requirements of NIST 800-63b: Digital Identity Guidelines.
    3. This Standard applies to all University Accounts accessing the Campus Network or a University Information System. This use may include, but is not limited to: personal devices, laptops, University-Owned devices, information systems, and servers. This Standard applies to both departmental and centrally-managed resources. When these password standards are technically infeasible, the application owner must contact ITS to request an exception. See the Identity and Authentication Management Standard for a list of University Accounts.
    4. The Chief Information Officer (“CIO”), supported by the Chief Information Security Officer (“CISO”), is responsible for implementation and enforcement of this Standard.
    5. Identity and Access Management (“IAM”) is responsible for managing the systems that allow Organizational Users to claim their University Account (“WVU Login”) and update passwords and for ensuring that all passwords for University Accounts meet the minimum requirements. IAM will notify all University Account Owners via email fifteen (15) days prior to their WVU Login password expiring.
  2. Password Management

    1. Passwords used for all University Accounts must be strong, preferably passphrases that are at least 12 characters long or randomly generated passwords. Specific password requirements for each type of University Account can be found in Appendix A.
    2. Passwords for all WVU Login Accounts must never include the following:
      1. Three (3) consecutive characters from the first name, middle name, last name or username.
      2. Blank spaces.
      3. Special character sequences such as //.
      4. Personal or financial information such as Social Security or credit card numbers.
    3. Pursuant to the Acceptable Use of Data and Technology Resources, passwords must never be left in a location, along with the username, that can be readily obtained and utilized by another individual to Authenticate to a University Information System.
    4. To prevent compromise of Credentials, never use the same password for multiple University Accounts and/or personal accounts. This includes using the same password for the same account in separate instances (e.g., dev, test, prod) of a University Information System, or the same password for multiple accounts within the same instance.
    5. Never share a password with anyone in any way (e.g., email, phone call, electronically via the Internet) including managers, co-workers, assistants, family members, friends, or the ITS/HSCITS Help Desk.
    6. Password change requirements can be found in Appendix A; however, if a password to any University Account is suspected to have been Compromised, it must be changed immediately, and the incident reported to Information Technology Services using the WVU Computer Security and Privacy Incident Reporting Form.
  3. System Administration & Development

    1. Use of default passwords for Administrative Accounts is prohibited.
    2. WVU Login Credentials must be used for Authentication. Local accounts should only be used for Authentication when use of EDS is technically not possible.
    3. University Information Systems must automatically lock after no more than eight (8) unsuccessful, consecutive logon attempts to deter Brute Force Attacks.
    4. Avoid storing WVU Login and Personal Administrative Account credentials in University Information Systems not meant to store passwords.
    5. Do not store personal account credentials (e.g., utility account, bank account) in the University’s password management tools (e.g., BeyondTrust, LastPass).
    6. University Information Systems must support unique user accounts and passwords so that individuals do not share a username and/or password to access an application unless using a Shared Application Account.
    7. Passwords must never be stored electronically in plain text such as in a document, spreadsheet, or .txt file.
    8. Passwords must be protected in transit using industry-standard cryptographic protections.
    9. Passwords must be hidden by default during login process.
    10. Users are prohibited from re-using the last five (5) passwords previously used and the same password must not be reused within a year.
    11. Temporary passwords must be set to change upon first logon.
    12. Uniform responses must be provided for failed login attempts. A simple error message such as “Access Denied” should be displayed for a limited time and then obscured.
    13. Failed attempts must be logged unless such action results in the display of the failed password. It is recommended that these logs be retained for a minimum of 30 days. Administrators should regularly inspect logs and report any irregularities or compromises to Information Technology Services.
    14. Log files must never contain password information.
    15. Passwords of Compromised accounts must be reset in a timely manner, or users must be required to reset their own passwords, in situations where continued use of a password creates a risk of unauthorized access to the computing account or resource.
  4. Exceptions

    1. University Police Department employees are required to change their passwords every 90 days.
    2. Specialized devices (e.g., public access kiosks) that are granted an exception from utilizing a password must implement restricted permissions that are separate from administrative accounts.
    3. University Information Systems that are granted an exception to use local accounts for Authentication must change passwords every 180 days or as personnel changes occur.
    4. Passwords for Shared Application Accounts are designed to be shared with multiple people.
    5. Passwords for accounts that are created and managed by a vendor, for which WVU has access to the password but no ability to update it, must be stored within a WVU-managed Password Vault.
  5. Definitions

    1. “Authenticate” means verification of the identity of a user, process, or device that is requesting access to a University Information System.
    2. “Brute Force Attacks” means a trial-and-error method used to obtain desired information such as user passwords.
    3. “Compromised” means an account that has been maliciously broken into and could be used by an unauthorized individual for nefarious reasons.
    4. “Organizational Users” means an employee, student, or individual the University deems to have the equivalent status of an employee or student, including, but not limited to, contractors, guest researchers, and individuals from another organization or University.
    5. “Password Vault” means a software program that keeps a number of passwords in a secure digital location that are accessed using a single master password. Also called Password Manager (e.g., LastPass).
    6. “Privileged Access Manager” means a tool that provides secure privileged access to critical assets (e.g., BeyondTrust).
    7. “University Account” means the digital identity of an Organizational User. It consists of a unique ID number (“WVUID”), Credentials (“WVU Login”), and an email address.
    8. “University Information System” means an information system or device that is on the campus network, requires Authentication, and is used at the University to support the academic, administrative, research, and outreach activities of the University such as O365, eCampus, STAR, MAP, and University-owned devices.

Appendix A – Password Requirements

Each entry lists, for one account type: Password Length; Characters Required; Password Change Required; Credential Management Tool.

WVU Login Account
  Password Length: 12-20 characters
  Characters Required: 1 upper case, 1 lower case, 1 numeric, 1 special character
  Password Change Required: Annually
  Credential Management Tool: Limited to the individual

Personal Administrative Account
  Password Length: Minimum of 64 characters
  Characters Required: 1 upper case, 1 lower case, 1 numeric, 1 special character
  Password Change Required: Annually
  Credential Management Tool: Privileged Access Management Tool

Local Administrative Account
  Password Length: Minimum of 12 characters, if technically possible
  Characters Required: 1 upper case, 1 lower case, 1 numeric, 1 special character
  Password Change Required: Annually
  Credential Management Tool: Limited to the individual

Emergency Access Account
  Password Length: Minimum of 64 characters
  Characters Required: 1 upper case, 1 lower case, 1 numeric, 1 special character
  Password Change Required: Never, or only after use
  Credential Management Tool: Password Vault

Service Account
  Password Length: Minimum of 64 characters
  Characters Required: 1 upper case, 1 lower case, 1 numeric, 1 special character
  Password Change Required: Every 3 years
  Credential Management Tool: Password Vault

Shared Application Account with Privileged Access
  Password Length: 16-32 characters
  Characters Required: 1 upper case, 1 lower case, 1 numeric, 1 special character
  Password Change Required: Every time the account is checked out
  Credential Management Tool: Privileged Access Management Tool

Shared Application Account with Non-privileged Access
  Password Length: 16-32 characters
  Characters Required: 1 upper case, 1 lower case, 1 numeric, 1 special character
  Password Change Required: Annually
  Credential Management Tool: Password Vault
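The following is an added example (not code from the Standard or from WVU ITS) of how a system owner could enforce the Appendix A length and character-class rules together with the section 2.2 content rules for WVU Login Accounts in a registration or password-change handler. The length table is transcribed from Appendix A; the treatment of any whitespace as a "blank space", the `FORBIDDEN_SEQUENCES` tuple (the Standard names only "//"), the `identity` dictionary layout, and the digit-run heuristic used to flag Social Security or card numbers are assumptions made for this example.

```python
import re
import string

# Length rules per account type, transcribed from Appendix A: (min, max);
# None means the Standard states no upper bound.
ACCOUNT_LENGTH_RULES = {
    "WVU Login Account": (12, 20),
    "Personal Administrative Account": (64, None),
    "Local Administrative Account": (12, None),
    "Emergency Access Account": (64, None),
    "Service Account": (64, None),
    "Shared Application Account with Privileged Access": (16, 32),
    "Shared Application Account with non-privileged access": (16, 32),
}

# Section 2.2.3 gives "//" as its example of a forbidden sequence; the list
# itself is an assumption and would be extended with local choices.
FORBIDDEN_SEQUENCES = ("//",)


def name_substrings(words, n=3):
    """Every run of n consecutive characters from each supplied name or
    username, lower-cased so the comparison is case-insensitive (2.2.1)."""
    subs = set()
    for word in words:
        word = (word or "").lower()
        for i in range(len(word) - n + 1):
            subs.add(word[i:i + n])
    return subs


def check_password(password, account="WVU Login Account", identity=None):
    """Return the list of rules the password violates; [] means it complies.

    identity is an assumed dict with any of the keys first, middle, last,
    username. The section 2.2 content rules apply only to WVU Login Accounts;
    every account type gets the Appendix A length and character checks."""
    min_len, max_len = ACCOUNT_LENGTH_RULES[account]
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if max_len is not None and len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    # Appendix A: the same four character classes for every account type
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if account != "WVU Login Account":
        return problems
    identity = identity or {}
    # 2.2.1: three consecutive characters of first/middle/last name or username
    lowered = password.lower()
    names = [identity.get(k) for k in ("first", "middle", "last", "username")]
    hits = sorted(s for s in name_substrings(names) if s in lowered)
    if hits:
        problems.append(f"contains name/username fragment {hits[0]!r}")
    # 2.2.2: blank spaces (assumption: any whitespace character counts)
    if any(c.isspace() for c in password):
        problems.append("contains blank space")
    # 2.2.3: special character sequences
    for seq in FORBIDDEN_SEQUENCES:
        if seq in password:
            problems.append(f"contains forbidden sequence {seq!r}")
    # 2.2.4: personal/financial numbers. Heuristic (assumption): an SSN-shaped
    # 3-2-4 digit group, or any run of nine or more digits, which also covers
    # card numbers embedded in the password.
    if re.search(r"\d{3}-\d{2}-\d{4}|\d{9,}", password):
        problems.append("looks like a Social Security or card number")
    return problems


def is_compliant(password, account="WVU Login Account", identity=None):
    """Boolean convenience wrapper around check_password."""
    return not check_password(password, account, identity)


if __name__ == "__main__":
    # Constructed sample identity used only to exercise the 2.2.1 check
    jane = {"first": "Jane", "last": "Doe", "username": "jdoe01"}
    for candidate in ("Correct-Horse-9x", "jdoe01-Secret!", "Pa55//word-ok!", "short1!"):
        print(f"{candidate!r}: {check_password(candidate, identity=jane) or 'compliant'}")
```

Because the function returns every violated rule rather than stopping at the first one, the caller can show the user a complete list in one round trip; the rule texts are deliberately generic so that nothing about the rejected password is echoed back beyond the three-character name fragment, which the user already knows.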
