Passwords are integral to providing a mechanism for protecting user accounts. The purpose of these guidelines is to provide a structure for passwords so that they remain reasonably secure.
- Passwords should not be based on personal information such as social security number, identification number or date of birth.
- Passwords should not contain any part of the owner's name or UCID.
- Passwords should not be based on proper names, titles, product names, or geographic locations.
- Passwords should not contain the name or abbreviation of a department, or an NJIT course.
- Passwords should not contain a telephone number.
- Passwords are to be at least 8 characters in length.
- Passwords are to contain at least 5 letters, in any combination of upper and lower case.
- Passwords are to contain at least 2 numeric characters.
- Passwords are not to contain the string "NJIT", in any combination of upper or lower case.
- Passwords are to contain at least 1 printable special character (e.g., ! $ @ ^).
- New passwords are to differ from old passwords by at least 3 characters.
- Passwords for individual accounts are to be valid for at most 120 days, expiring automatically.
- The same password is not to be reused for a period of at least 24 months.
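The structure rules above can be enforced mechanically at password-change time. The following validator is an added example, not NJIT's own code, and it encodes the rules as they are written: minimum length, letter/digit/special-character counts, the "NJIT" substring ban, and the checks against the owner's name and UCID. Three points are interpretations, labelled as such in the code: "differ by at least 3 characters" is measured as the number of positions that differ plus any length difference; "telephone number" is approximated as a run of seven or more digits; and department names and course codes are supplied by the caller as a `blocked_terms` list. The function name, the `string.punctuation` definition of "printable special character", and all sample passwords are assumptions, not part of the guidelines.

```python
import re
import string

# Thresholds taken directly from the Structure guidelines
MIN_LENGTH = 8
MIN_LETTERS = 5
MIN_DIGITS = 2
MIN_SPECIALS = 1
MIN_CHANGED_CHARS = 3
FORBIDDEN_SUBSTRING = "njit"

# Assumption: a telephone number shows up as a run of 7+ consecutive digits
PHONE_LIKE = re.compile(r"\d{7,}")


def _char_difference(new: str, old: str) -> int:
    """Assumed interpretation of "differ by at least 3 characters":
    count positions that differ when the two strings are aligned from the
    left, plus any difference in length."""
    diffs = sum(1 for a, b in zip(new, old) if a != b)
    return diffs + abs(len(new) - len(old))


def check_password(candidate: str, owner_names=(), ucid=None,
                   old_password=None, blocked_terms=()) -> list:
    """Return a list of rule violations; an empty list means the password
    satisfies every structure rule that can be checked locally."""
    problems = []
    lower = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    letters = sum(c.isalpha() for c in candidate)
    digits = sum(c.isdigit() for c in candidate)
    specials = sum(c in string.punctuation for c in candidate)
    if letters < MIN_LETTERS:
        problems.append(f"fewer than {MIN_LETTERS} letters")
    if digits < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if specials < MIN_SPECIALS:
        problems.append(f"fewer than {MIN_SPECIALS} special characters")

    # "NJIT" is banned in any mix of case
    if FORBIDDEN_SUBSTRING in lower:
        problems.append('contains "NJIT"')

    # Any part of the owner's name or the UCID is banned (case-insensitive)
    if any(part and part.lower() in lower for part in owner_names):
        problems.append("contains part of the owner's name")
    if ucid and ucid.lower() in lower:
        problems.append("contains the owner's UCID")

    # Department names, course codes etc. are passed in by the caller
    for term in blocked_terms:
        if term and term.lower() in lower:
            problems.append(f"contains blocked term: {term}")

    if PHONE_LIKE.search(candidate):
        problems.append("contains a telephone-number-like run of digits")

    if old_password is not None and \
            _char_difference(candidate, old_password) < MIN_CHANGED_CHARS:
        problems.append(
            f"differs from the old password by fewer than {MIN_CHANGED_CHARS} characters")

    return problems


if __name__ == "__main__":
    # Constructed sample: a compliant password and a non-compliant one
    print(check_password("Tr0ub4d!or"))
    print(check_password("njit2024!!", owner_names=("Jane", "Doe")))
```

The history rules (120-day expiry, no reuse within 24 months) need stored state, usually a timestamped list of previous password hashes per account, and so are not part of this local check.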
The use of passwords is outlined in NJIT's Acceptable Use Policy for Cyber Resources section on Account Security. The following is a reiteration of key points with additional guidelines warranted by advances in technology.
- Passwords are to be considered private and users are responsible for taking reasonable measures to ensure their security.
- Passwords are not to be shared with others.
- Passwords are not to be written down or electronically stored in public or accessible places.
- The "remember password" feature is not to be used, and where possible, disabled on University-owned computing systems.
Password Protection Guidelines for System Account Administrators
A System Account Administrator is a person or group who is responsible for the creation and maintenance of user accounts for any system requiring such accounts. This also includes persons who have the ability to create local user accounts on networked workstations. System Account Administrators should follow these guidelines when administering user accounts.
- The accounts shall adhere to the guidelines set forth earlier in the Structure and Creation sections.
- Logon attempts including successes and failures are to be logged or audited.
- Account locking for failed logon attempts is to be implemented. That is, if the number of failed authentication attempts passes a given threshold, access to the account is to be prevented for a specified period of time.
- Failed logon attempts will be tracked for at least a 30-minute period.
- The account will be locked: a) if there are 5 or more failed logon attempts within a 30-minute tracking period, for systems capable of 30-minute tracking granularity, or b) if there are 5 or more consecutive failed logon attempts, for systems not capable of 30-minute tracking granularity.
- The account will automatically unlock 30 minutes after it is locked.
- Locking events will be logged or audited noting the originating workstation identification.
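The lockout rules in the items above (log every attempt, lock after 5 failures in a 30-minute window or 5 consecutive failures, unlock automatically after 30 minutes, and record the originating workstation on lock events) fit a small sliding-window tracker. The class below is an added example, not NJIT's or any vendor's code. Timestamps are epoch seconds supplied by the caller so the behaviour is deterministic; passing `window_seconds=None` selects rule (b), consecutive-failure counting, for systems without time-based tracking. One design choice is an assumption and is marked in the code: a successful logon resets the failure count, which the guidelines do not state explicitly. All account and workstation names are constructed sample values.

```python
from collections import deque

FAILURE_THRESHOLD = 5                 # "5 or more failed logon attempts"
TRACKING_WINDOW_SECONDS = 30 * 60     # 30-minute tracking period
LOCK_DURATION_SECONDS = 30 * 60       # automatic unlock after 30 minutes


class AccountLockoutTracker:
    """Per-account failed-logon tracking with time-windowed or consecutive
    locking. Every attempt and every lock event is appended to audit_log."""

    def __init__(self, threshold=FAILURE_THRESHOLD,
                 window_seconds=TRACKING_WINDOW_SECONDS,
                 lock_seconds=LOCK_DURATION_SECONDS):
        self.threshold = threshold
        self.window_seconds = window_seconds   # None => rule (b), consecutive mode
        self.lock_seconds = lock_seconds
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> epoch second when the lock expires
        self.audit_log = []      # list of dicts, one per attempt or lock event

    def _log(self, event, account, workstation, now):
        self.audit_log.append({"time": now, "event": event,
                               "account": account, "workstation": workstation})

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                 # automatic unlock after lock_seconds
            del self._locked_until[account]
            return False
        return True

    def record_attempt(self, account, succeeded, now, workstation):
        """Process one logon attempt. Returns 'rejected' (attempt while locked),
        'success', 'failure', or 'locked' (this failure tripped the threshold)."""
        if self.is_locked(account, now):
            self._log("attempt_while_locked", account, workstation, now)
            return "rejected"
        if succeeded:
            self._log("logon_success", account, workstation, now)
            self._failures.pop(account, None)   # assumption: success resets the count
            return "success"

        self._log("logon_failure", account, workstation, now)
        recent = self._failures.setdefault(account, deque())
        recent.append(now)
        if self.window_seconds is not None:
            # rule (a): only failures inside the tracking window count
            while recent and now - recent[0] > self.window_seconds:
                recent.popleft()
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lock_seconds
            recent.clear()
            # lock event records the originating workstation
            self._log("account_locked", account, workstation, now)
            return "locked"
        return "failure"


def demo_sequence():
    """Constructed attempt sequence for one account: four failures, a fifth
    just after the first has aged out of the window, a sixth that locks the
    account, an attempt during the lock, and one after the lock expires."""
    tracker = AccountLockoutTracker()
    attempts = [(0, False), (100, False), (200, False), (300, False),
                (1801, False), (1850, False), (2500, False), (3650, False)]
    results = [tracker.record_attempt("jdoe", ok, t, "ws-lab-07")
               for t, ok in attempts]
    locks = [e for e in tracker.audit_log if e["event"] == "account_locked"]
    return {"results": results, "lock_events": locks}


def demo_consecutive():
    """Rule (b): five consecutive failures lock the account regardless of time."""
    tracker = AccountLockoutTracker(window_seconds=None)
    times = [0, 10_000, 20_000, 30_000, 40_000]
    return [tracker.record_attempt("asmith", False, t, "ws-lab-02") for t in times]


if __name__ == "__main__":
    print(demo_sequence())
    print(demo_consecutive())
```

The window prune happens before the count is compared to the threshold, so a failure that is more than 30 minutes old never contributes to a lock. The deque is cleared when a lock is applied, so after the automatic unlock the account starts from a clean count rather than locking again on the first new failure.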
- Newly created user accounts are to be audited for use. Any new account which has not been used for a period of 120 days from creation is to be disabled by setting the account password to a unique string the size of the largest password supported by the system, or by other mechanisms, until a password change is requested.
- Aged accounts, or user accounts for persons who have left NJIT, are to be disabled immediately upon the person's disassociation from the University and are to be marked in some manner to show that deletion is pending.
- Regular account maintenance is to be done each semester. Accounts which have been marked for pending deletion are to be archived and removed from the system during this maintenance.