Aerial view of campus with Williamsport, the Susquehanna River and Bald Eagle Mountain as a backdrop

Password Policy

Purpose

This policy defines the framework for the creation, use, and management of passwords used to access Lycoming College Information Technology systems. This password policy is an integral component of Information Security practice across the College in protecting its information and technology assets.

Applies To

This policy applies to all members of the Lycoming College community, which includes, but is not limited to, full and part-time employees, temporary employees, students, visitors, volunteers, third parties, contractors, and consultants (collectively known as “users”) who have access to, support, administer, manage, or maintain Lycoming College information technology assets.

Policy Statement

Passwords are an integral component of Information Security practice across the College in protecting its information and technology assets. Users are provided access to systems and information as required by their role at the College. Passwords are the first line of protection to those systems and information. Therefore, all Lycoming College users are responsible to protect and manage the risk associated with the potential compromise of their password. Some users with elevated risk exposure will be required to further manage this risk with multifactor authentication.

Users must never share their username and password with anyone for any reason.

Access Control

Access to all systems must be controlled by an authentication method involving a Username/Password combination to verify the identity of each user. In certain circumstances, users will be required to maintain multifactor authentication (Factor 1 - knowledge, Factor 2 - possession).

Password Management

  • Initial Passwords — are provided by Information Technology Services.
  • Password Age — will expire every 365 days.
  • Password History — on the last 3 passwords to prevent reuse.
  • Password Length — is a minimum of 12 characters in length. Password phrases are strongly encouraged.
  • Password Storage — must never be in clear text (e.g. Notepad, Excel, or Word files); hard coded; or written down on paper. ITS suggests the use of the LastPass password manager to generate, store, and organize a user's credentials (www.lastpass.com).
  • Account Lockout — occurs after 3 unsuccessful login attempts. Self-Service recovery is available at www.lycoming.edu/its under “Manage Password”.
  • Multifactor Authentication — is required for all user accounts through the Microsoft Authenticator app on a mobile device. Any questions should be directed to the IT Service Center at 570-321-4150 or it.servicecenter@lycoming.edu.
Approved by the Information Technology Committee on 3/7/2018
Approved by the President’s Administrative Cabinet on 3/19/2018
Last Reviewed: 3/6/2024