Password Policy
Standard User Accounts
User accounts (unique login id, password and job-specific system permissions) are assigned directly to users with a need to access various SDSU Research Foundation (Research Foundation) systems. Accounts are created for an individual and are for the use of that individual only. Use of a userid and password in Research Foundation systems is the equivalent of a wet ink signature on paper. Users are responsible for all use of their assigned account(s).
Passwords are assigned to individual users for exclusive use only and should not be shared with, or delegated to, others. Only the assigned user must know the password to their assigned account. Managers should ensure that users are not asked to reveal their personal passwords, unless it becomes necessary as explained below.
While passwords are intended to keep files and records confidential and to restrict access to certain files and records, employees should not conclude that a password is intended to provide them with an expectation that their computers, e-mails, files, etc. are private and may contain personal information that authorized Research Foundation personnel will not access. On the contrary, all computers, e-mail accounts, voicemail accounts, files, etc. are the property of the Research Foundation and should only be used for business purposes and may be accessed by authorized Research Foundation personnel for authorized business purposes at any time.
Accessing Another User's Account or Information
There are often legitimate operational needs to delegate authority (back-up coverage, extended absence coverage, shared workloads, etc.) to individual accounts and files. Supervisors and their employees should work with the appropriate system administrator to coordinate system permission updates that meet business needs while also protecting the privacy of user password(s).
- Utilize an application’s (Google mail and calendar, etc.) built in functionality to assign delegate permissions. This will allow designated individuals to access your files, but using their own unique user id and password.
- Where system privileges and delegate controls are not directly available to the user (MyRF, Workforce, iCIMS, etc.), users must coordinate with their supervisor to follow existing procedures to request a new account for the delegate or to have the permissions on the designated delegate’s existing account updated.
- If there is a need to access and/or control a terminated or otherwise indisposed individual’s accounts or files, the manager or supervisor may provide a written request to the appropriate system administrator to reset the password of the account being accessed, so that the employee to whom the account belongs will know that it has been accessed.
On occasion, it may be necessary for users to provide their passwords to a member of SDSURF management or to our IT department. For example, it may become necessary for SDSURF to access an individual’s accounts or files as part of an investigation of improper or inappropriate activity, or due to a report of infractions of SDSURF policies, or because the employee is absent from work and we need the information contained in those records, or for another legitimate business need. Such access should be approved in advance by the SDSURF Director of Human Resources or by the Chief Financial Officer. Users should immediately provide their passwords when requested by the Research Foundation’s Chief Human Resources Officer (or designee), Director of Human Resources, Chief Financial Officer, Chief Executive Officer, and/or Chief Information Officer. Users also should immediately provide passwords when requested by campus police.
Secure Account Usage / Password Protection Standards
Passwords are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the Research Foundation’s entire organizational network. As such, all Research Foundation personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any SDSURF facility, has access to the SDSURF network, or stores any non-public information (including contractors and vendors with access to SDSURF systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
- Do not share passwords. All users are responsible for keeping their password confidential. Accounts created for an individual are for the use of that individual only. Users are responsible for any use of their assigned account(s).
- Use different passwords for different systems (e.g. e-mail, Employee Gateway, MyRF, Workforce, etc.) and do not use the same password(s) for both business and personal applications.
- Never use the “remember me on this computer” feature of any applications.
- Do not embed passwords into software code.
- Change passwords often, at least once every six months (or semester).
- Change password immediately if it is suspected to have been compromised and report the incident to your supervisor or IT support personnel immediately.
- Do not re-use passwords.
- Passwords must never be stored in a file on ANY computer system (including mobile phones, laptops, PDAs, etc.) without encryption. Passwords should not be written down. However, if it is necessary, the password should not be written or stored with the userid or application name and must be secured in a locked drawer. Try to create passwords that can be easily remembered. Refer to the General Password Construction Guidelines below.
- Do not disclose passwords to any party or include passwords in documentation.
- Consider using a password manager (e.g. Lastpass, Dashlane, Keepass, 1Password) that allows you to manage and generate passwords.
General Passphrase Construction Guidelines
Strong passphrases should be selected that are hard for an attacker to guess or crack, and yet are easy to remember without having to write them down. Strong passwords combine both length and different types of symbols. Use the entire keyboard to create strong passwords:
- Complexity. The greater the variety of characters in the password, the harder it is to guess or crack. Passwords should contain at least three of the following four classes of character types:
- Upper case characters (e.g. A-Z)
- Lower case characters (e.g. a-z)
- Numeric digits
- Symbols, including punctuation and other special characters such as !@#$%^&*()_+|~-=`{}[]:";'?,./ . Please note that when using symbols in a password, users should be aware of any special functions that the application they are logging into uses. For instance, when creating passwords for Banner/Oracle, the following characters should be avoided: : @ $ & " ( ) , ` ; = # blank_space / \ ^ ~ * | ? [ ]
- Length. Each character you add to your password increases the protection it provides. Passwords should be a minimum of ten, but ideally 14 or more, alphanumeric characters long.
- Be unpredictable. A strong passphrase is a random combination of words that are meaningless together.
- Easy to remember. Writing passwords down or storing in computer files increases the risk of compromise. To help you create strong passwords that can be easily remembered, try thinking of a sentence, affirmation or other phrase that you will remember to use as the basis of your password or passphrase.
- For example, take the phrase “My son Aiden is three years old.” This could be converted to a strong password by using the first letter of each word to create a string, in this case “msai3YRSO!”. Notice that the password contains upper and lower case characters, numbers and punctuation, is at least ten characters in length and is easy to remember, making it a strong password. Another variation of the same sentence that is more complex could be “MisunAid_iz3YRS-0ld!”.
- Another good example is the phrase “James likes cake and bacon and cheese without holes”, which could become the passphrase “JLc+B+c-h!”.
- Any users responsible for managing administrative accounts must comply with the policies and standards outlined in the Integrated CSU Administrative Manual.
Passwords should not contain the following, which are characteristics of poor and weak passwords:
- Words in any dictionary (English or foreign), spelled forward or backwards. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, profanity, and substitutions.
- Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Words or numbers that are based on personal information: login names, names of family members, pets, friends, co-workers, fantasy characters, birthday, anniversary dates, license plates, phone numbers, etc. This type of information is one of the first things criminals will try, and they can often find it easily online from social networking sites, online resumes, and other public sources of information.
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
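The construction guidelines and weak-password characteristics above can be checked mechanically before a password is accepted. The following is an added example, not part of the SDSURF policy or any SDSURF system: it encodes the ten/14-character lengths, the three-of-four character classes, the Banner/Oracle reserved characters, the pattern examples (aaabbb, qwerty, zyxwvuts, 123321) and the dictionary/personal-information rules, including reversed words, common substitutions, and a digit added at either end. The word list is a constructed stand-in for a real dictionary, and the substitution table and the exact pattern tests are this example's own interpretation of the policy text.

```python
import re
import string

# Constructed word list for this example; a real deployment loads a full dictionary.
DICTIONARY = {"secret", "password", "welcome", "summer", "football"}
# Characters the policy says to avoid in Banner/Oracle passwords.
BANNER_ORACLE_AVOID = set(':@$&"(),`;=# /\\^~*|?[]')
# Undo common substitutions (4->a, 3->e, 0->o, 1->l, $->s, !->i, @->a); assumed table.
LEET = str.maketrans("4301$!@", "aeolsia")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits)

def _character_classes(pw):
    """Count the classes present: upper, lower, digit, symbol."""
    return sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)])

def _is_pattern(pw):
    """aaabbb repeats, mirrored digits (123321), keyboard rows/alphabet forwards or backwards."""
    low = pw.lower()
    if re.fullmatch(r"((.)\2{2,})+", low) or (low.isdigit() and low == low[::-1]):
        return True
    return len(low) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)

def _dictionary_hit(pw, personal):
    """Dictionary word or personal info, also reversed, with substitutions, or with
    digits/symbols merely added at either end (secret1, 1secret)."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return any(c in DICTIONARY or c in personal for c in (core, core[::-1], core.translate(LEET)))

def check_password(pw, personal=(), banner_oracle=False):
    """Return (ok, errors, warnings). personal: login name, family, pet names etc.
    banner_oracle: also reject the characters Banner/Oracle treats specially."""
    errors, warnings = [], []
    if len(pw) < 10:
        errors.append("shorter than the ten-character minimum")
    elif len(pw) < 14:
        warnings.append("meets the minimum but is below the ideal 14 characters")
    if _character_classes(pw) < 3:
        errors.append("fewer than three of the four character classes")
    if _is_pattern(pw):
        errors.append("keyboard, repeated or mirrored pattern")
    if _dictionary_hit(pw, {p.lower() for p in personal}):
        errors.append("dictionary word or personal information")
    if banner_oracle and set(pw) & BANNER_ORACLE_AVOID:
        errors.append("contains characters Banner/Oracle treats specially")
    return not errors, errors, warnings
```

The policy's own examples pass (“msai3YRSO!” with only a length warning, the 20-character variant cleanly), while the weak-password examples in the list above are rejected.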
Updated January 2023