This policy defines the framework for the creation, use, and management of passwords used to access Lycoming College Information Technology systems. This password policy is an integral component of Information Security practice across the College in protecting its information and technology assets.
This policy applies to all members of the Lycoming College community, which includes, but is not limited to, full- and part-time employees, temporary employees, students, visitors, volunteers, third parties, contractors, and consultants (collectively known as “users”) who have access to, support, administer, manage, or maintain Lycoming College information technology assets.
Passwords are an integral component of Information Security practice across the College in protecting its information and technology assets. Users are provided access to systems and information as required by their role at the College. Passwords are the first line of protection for those systems and information. Therefore, all Lycoming College users are responsible for protecting against and managing the risk associated with the potential compromise of their password. Some users with elevated risk exposure will be required to further manage this risk with multifactor authentication.
Users must never share their username and password with anyone for any reason.
Access to all systems must be controlled by an authentication method involving a Username/Password combination to verify the identity of each user. In certain circumstances, users will be required to maintain multifactor authentication (Factor 1 - knowledge, Factor 2 - possession).
Approved by the Information Technology Committee on 3/7/2018
- Initial Passwords — are provided by Information Technology Services.
- Password Age — passwords will expire every 365 days.
- Password History — is kept on the last 3 passwords to prevent reuse.
- Password Length — is a minimum of 12 characters in length. Password phrases are strongly encouraged.
- Password Storage — must never be in clear text (e.g. Notepad, Excel, or Word files); hard-coded; or written down on paper. ITS suggests the use of the LastPass password manager to generate, store, and organize a user's credentials (www.lastpass.com).
- Account Lockout — occurs after 10 unsuccessful login attempts. Self-Service recovery is available at mim.lycoming.edu:8089/default.aspx
- Multifactor Authentication — is available upon request via firstname.lastname@example.org. The user requires a supported mobile device with the Microsoft Authenticator app installed.
Approved by the President’s Administrative Cabinet on 3/19/2018
Last Reviewed: 3/7/2018