1.1 This method statement describes the rules governing the management of the password associated with the University of York IT account, known as the ‘IT Services password’.
1.2 The aim of password management is to enhance information security by ensuring that passwords are strong and are used properly. It is established good practice to change passwords on a regular basis to reduce the risk of misuse if the password is stolen or otherwise compromised.
1.3 Password management rules are usually referred to as a ‘password policy’. The University may define and operate different password policies depending on the sensitivity of the information that is accessed by the user.
1.4 University/IT Services passwords must not be used elsewhere (eg for other third party systems) where not handled via an IDM.
2.1 The minimum requirement for all Staff and Associate Staff is that their IT Services password must be changed at least once per year. Some Staff and Associate Staff may need to change their passwords more frequently due to the sensitivity of the information they access.
2.2 Students are not required to change their passwords unless they are specifically required to do so due to the sensitivity of the information to which they have access.
2.3 New users are issued with a temporary password which can only be used to register their account. As part of the account registration process, the password must be changed. Until this has been done, a user cannot log in to any other IT facility.
2.4 For all users, a password must satisfy the following conditions to ensure a strong password is used:
It must not:
If your password is more than 20 characters long, we relax the restriction about requiring mixed case, special characters, and not containing dictionary words. This allows you to create complex but easy to remember passwords from four or more uncommon but memorable words.
2.5 When changing a password, the user is prevented from reusing the previous ten passwords used.
2.6 When a password has expired, the user has four weeks in which to change their password before their account is automatically disabled.
2.7 Where there are more stringent information handling requirements departments may define and operate different password policies for their users to specify more frequent password changes and/or a different email reminder frequency. Section 3 below illustrates three policies that are currently defined. Departments should seek policy and implementation advice from the Information Security Officer.
2.8 Policies which require passwords to be changed more than once a year may be applied at departmental level or to groups within departments, such as to a specific research group within a department. For example, staff within IT Services (a sub-group of the Corporate and Information Services) have a 90 day password changing policy due to the level of access to systems and information held by each user.
2.9 Where a user has more than one affiliation with the University, such as being a both a member of staff and a student or is a member of two departments, the more stringent password policy will apply to the user account.
2.10 Users will be required to change their password if their account is believed to have been compromised.
3.1 Staff and Associate Staff Policy A
This is the minimum policy and applies to all staff and associate staff unless a more stringent specific policy has been applied at the department or group level.
3.2 Staff Policy B
This policy might be applied in departments or research groups with access to sensitive research or personal data, eg Finance and IT Services.
3.3 Staff Policy C
This policy might be applied in research groups where there are requirements stipulated by funding bodies eg Department for Work and Pensions.
4.1 The Information Security Board, chaired by the Deputy Registrar, will monitor the effectiveness of this method statement and carry out regular reviews.
|27 November 2013||Approved by Information Policy Executive|
|02 December 2013||Approved by Information Security Board|
|12 August 2014||Ian Hall Updates to 3.1, 3.2 and 3.3 approved by Information Security Board|
|31 July 2019||Approved and reviewed by Information Security Board|
|10 January 2022||Updated password policy details|
Review cycle: Three yearly
Date of next review: July 2022