Aerial view of campus with Williamsport, the Susquehanna River and Bald Eagle Mountain as a backdrop

Password Policy


This policy defines the framework for the creation, use, and management of passwords used to access Lycoming College Information Technology systems. This password policy is an integral component of Information Security practice across the College in protecting its information and technology assets.

Applies To

This policy applies to all members of the Lycoming College community, which includes, but is not limited to, full and part-time employees, temporary employees, students, visitors, volunteers, third parties, contractors, and consultants (collectively known as “users”) who have access to, support, administer, manage, or maintain Lycoming College information technology assets.

Policy Statement

Passwords are an integral component of Information Security practice across the College in protecting its information and technology assets. Users are provided access to systems and information as required by their role at the College. Passwords are the first line of protection to those systems and information. Therefore, all Lycoming College users are responsible to protect and manage the risk associated with the potential compromise of their password. Some users with elevated risk exposure will be required to further manage this risk with multifactor authentication.

Users must never share their username and password with anyone for any reason.

Access Control

Access to all systems must be controlled by an authentication method involving a Username/Password combination to verify the identity of each user. In certain circumstances, users will be required to maintain multifactor authentication (Factor 1 - knowledge, Factor 2 - possession).

Password Management

  • Initial Passwords — are provided by Information Technology Services.
  • Password Age — will expire every 365 days.
  • Password History — on the last 3 passwords to prevent reuse.
  • Password Length — is a minimum of 12 characters in length. Password phrases are strongly encouraged.
  • Password Storage — must never be in clear text (e.g. Notepad, Excel, or Word files); hard coded; or written down on paper. ITS suggests the use of the LastPass password manager to generate, store, and organize a user's credentials (
  • Account Lockout — occurs after 10 unsuccessful login attempts. Self-Service recovery is available at
  • Multifactor Authentication — is available upon request via The user requires a supported mobile device with the Microsoft Authenticator app installed.
Approved by the Information Technology Committee on 3/7/2018
Approved by the President’s Administrative Cabinet on 3/19/2018
Last Reviewed: 3/7/2018