Profile
Authentication - whether via passwords alone or supplemented by a second factor (smart phone/tablet app or physical token) - is an important protection for University systems and services. The purpose of this policy is to document existing practices at SUNY New Paltz, manage the risk associated with inappropriate or unauthorized access to systems, and to ensure both new and existing systems follow these rules. It also provides rules for what should, and what should not, be done with passwords for systems and services maintained by SUNY New Paltz.
This policy is based on guidance from NIST (National Institute of Standards and Technology) guidance, specifically Special Publication 800-63b - Digital Identity Guidelines, as well as the SUNY Identification and Authentication Policy.
Scope
This policy is applicable to all current University staff, faculty, or administrators, and students. It has special restrictions for Information Technology Services staff who are responsible for technology systems at the University.
Policy
Password Complexity
The minimum password length for both internally and externally hosted services is 14 characters. Passwords, or portions of passwords, may be checked against lists of bad passwords (those commonly used) before being set. Passwords which are found to contain insecure portions will be rejected.
Requirements for members of the University community
It is the responsibility of all members of the University community, including faculty, staff, students, alumni, applicants, and affiliates, to safeguard their passwords for New Paltz computer systems.
- In general we recommend against writing down passwords. If you have a need to write a password down - such passwords should be kept in a secure location such as a locked desk drawer. Storing passwords in unlocked locations is prohibited.
- Your New Paltz password should be different than your password for other systems unrelated with SUNY New Paltz. The use of password managers (which can be used to store unique per-system passwords) can assist users in having unique per-site passwords.
- Passwords are for an individual person (faculty, staff, student, alumni, applicant, etc.) only. Passwords must not be shared with others - including with an employee's supervisor, direct reports, coworkers, Information Technology Services staff, family, friends, etc. If there is a special situation such as a system that does not allow multiple user accounts - please contact the Information Security Officer (via informationsecurity@newpaltz.edu) for approvals and if needed, compensating controls.
- If you suspect that your password has been compromised or shared, please change your password immediately via my.newpaltz.edu.
For recommendations on coming up with easy to remember but hard to guess passwords, see the following article:
Password/Passphrase Guidance - selecting AND remembering strong passphrases
Requirements for Information Technology Services staff - including IT staff working for the Library
- Any identity source such as Active Directory should have a password policy set with a minimum of 15 characters. Maximum password lengths should be high or not arbitrarily limited - allowing users of password managers to generate long and complex passwords.
- Passwords should be stored in non-reversible hashes of sufficient cryptographic strength. They should not be stored in clear text, or using any form of reversible encryption.
- Systems that provide access to sensitive information, or or otherwise at high risk of being targeted, should be protected by multi-factor authentication through Microsoft MFA, Duo (or a similar service upon approval by the ISO).
- Any default passwords (such as those set initially by a vendor or software package) should be changed as soon as is possible after system /service setup.
- When a user is setting passwords (via my.newpaltz.edu) they should be checked against lists of bad/common passwords (including password fragments) to reduce the risk of weak passwords.
Requirements for internal and external services
- All new internal and external services provided by or on behalf of the University should be setup to authenticate against the University's main identity provider (Microsoft Azure) via Single-Sign On (SSO).
- Existing services which are not setup for SSO through this may temporarily be grandfathered in for a period of time after this policy goes into effect.
- Exemptions for services only accessible to a small number of users (<25) may be granted. Requests for exemptions may be made to the Information Security Officer or Chief Information Officer.
Password auditing and review
- Information Technology Services staff should never have the ability to determine your password. Passwords should be stored via non-reversible encryption methods.
- We reserve the right to audit passwords using various techniques to look for weak passwords. Users identified as having weak passwords will be required to update their password via my.newpaltz.edu.
- We reserve the right to require a password change when we learn of a third-party data breach, particularly when we have been able to identify users of those services. This is due to the prevalence of password reuse across systems despite policy to the contrary.
- If an account is detected or suspected of being compromised, Information Technology Services reserves the right to lock the account until the user can reset their password.
- When the password policies are updated, Information Technology Services reserves the right to require password changes for existing users. This is to keep legacy passwords (from before the password complexity/length changes) from being kept active.