Password Control

Purpose

To prevent unauthorized access to University of Houston corporate computer systems.

Scope

For use with all systems which have passwords in the user identification process.

Standard

The Information Security Administrator (ISO) shall establish a sound policy of password control and violation reporting.

Guidelines
  1. Passwords are to be assigned or issued to each individual employee whose responsibilities include accessing computerized records.
  2. Distribution of passwords should be handled with the strictest confidentiality.
  3. Passwords shall be changed on a regular basis (at least once every 60 days).
  4. Passwords which are obvious, such as nicknames and dates of birth, should not be allowable.
  5. Passwords should never be shared with another user. Employees are formally notified as to their role in protecting the security of the user ID and password. Counter accounts, for view only, are an exception to this rule.
  6. Passwords shall have a minimum length of eight characters.
  7. When possible, passwords should contain upper and lower case letters, numbers and special characters.
  8. Passwords stored on a computer should be encrypted in storage.
  9. System software should enforce the changing of passwords and the minimum length and format.
  10. The non-printing, password-suppression feature should be used on all terminals to prevent the display of a user ID or password at log-on.
  11. System software should disable the user identification code if more than three consecutive invalid passwords are given.
  12. System software should maintain a history of at least two previous passwords and prevent their reuse.
  13. Procedures for forgotten passwords should require that the user be personally identified by Support Services.
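The following is an added illustration, not part of the University of Houston standard and not its software: a small Python model of how system software could enforce guidelines 3, 4, 6, 7, 8, 11 and 12 (password age, obvious values, minimum length, character mix, protected storage, lockout after more than three consecutive failures, and a two-deep reuse history). It assumes salted PBKDF2-HMAC-SHA256 hashing as the way to meet "encrypted in storage" (the guideline itself does not name a method), and the account data it uses is constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Thresholds taken from the guidelines above.
MIN_LENGTH = 8            # guideline 6
MAX_AGE_DAYS = 60         # guideline 3
HISTORY_DEPTH = 2         # guideline 12: two previous passwords kept
MAX_FAILED_ATTEMPTS = 3   # guideline 11: disable after MORE than three failures
PBKDF2_ROUNDS = 100_000   # assumption: any current slow-hash setting would do


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Guideline 8 says 'encrypted in storage'; a salted
    one-way hash is the conventional way to satisfy it (our assumption, not the text's)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_matches(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Account:
    user_id: str
    nickname: str
    date_of_birth: date
    history: list = field(default_factory=list)   # (salt, digest) pairs, newest first
    changed_on: Optional[date] = None
    failed_attempts: int = 0
    disabled: bool = False


def obvious_values(acct: Account) -> set:
    """Guideline 4: nicknames and dates of birth (in common layouts) are not allowed."""
    dob = acct.date_of_birth
    layouts = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y", "%y%m%d", "%Y")
    return {acct.user_id.lower(), acct.nickname.lower()} | {dob.strftime(f) for f in layouts}


def check_password(acct: Account, candidate: str) -> list:
    """Return the guideline violations for a proposed password (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters (guideline 6)")
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(pat, candidate) for pat in classes):
        problems.append("must mix upper case, lower case, digits and special characters (guideline 7)")
    lowered = candidate.lower()
    if any(token in lowered for token in obvious_values(acct)):
        problems.append("contains the user ID, nickname or date of birth (guideline 4)")
    # The current password plus HISTORY_DEPTH previous ones may not be reused (guideline 12).
    if any(password_matches(candidate, s, d) for s, d in acct.history[: HISTORY_DEPTH + 1]):
        problems.append(f"matches the current or one of the last {HISTORY_DEPTH} passwords (guideline 12)")
    return problems


def set_password(acct: Account, new_password: str, today: date) -> list:
    """Apply a password change; returns the violations that blocked it, or [] on success."""
    problems = check_password(acct, new_password)
    if problems:
        return problems
    acct.history.insert(0, hash_password(new_password))
    del acct.history[HISTORY_DEPTH + 1:]          # keep current + two previous
    acct.changed_on = today
    acct.failed_attempts = 0
    return []


def authenticate(acct: Account, attempt: str, today: date) -> str:
    """Log-on decision: 'ok', 'expired', 'bad_password' or 'disabled'."""
    if acct.disabled:
        return "disabled"
    if not acct.history or not password_matches(attempt, *acct.history[0]):
        acct.failed_attempts += 1
        if acct.failed_attempts > MAX_FAILED_ATTEMPTS:   # guideline 11
            acct.disabled = True
            return "disabled"
        return "bad_password"
    acct.failed_attempts = 0
    if acct.changed_on is None or today - acct.changed_on > timedelta(days=MAX_AGE_DAYS):
        return "expired"                                  # guideline 3: change before continuing
    return "ok"


if __name__ == "__main__":
    # Constructed sample account, not real data.
    acct = Account("jdoe", "Jonny", date(1970, 3, 14))
    print(check_password(acct, "jonny1970"))                     # violates guidelines 4 and 7
    print(set_password(acct, "Tr0ub4dor&3", date(2024, 1, 10)))  # []
    print(authenticate(acct, "Tr0ub4dor&3", date(2024, 2, 1)))   # ok
```

Two design points worth noting: reuse is checked against stored hashes, so the history never holds old passwords in clear (guideline 8 applies to the history as much as to the current password), and the lockout counter is reset only by a successful log-on or an administrative password reset, which is where guideline 13's identity check by Support Services would fit.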