Standards: Password Standards

Distribution

Employee

Employee Finance

Employee Human Resources

Employee iSupport

Employee Star Port

Employee Technical

Ownership

The Information Security Director <e-mail> is responsible for ensuring that this document is necessary and that it reflects actual practice.

Picking a new password requires more thought these days as more powerful programs to break-in are being developed all the time. Your Single sign-on password needs to be a strong password because it protects much of your information. Following are guidelines and best practices for selecting and protecting your password. LCC’s password standards are that passwords should be a minimum of 8 characters with at least 1 alphabetic character and 1 numeric character. The password should be changed often and should never be given to friends, family or co-workers.

Choosing a Good Password

Strong passwords have the following characteristics:

Contain both upper and lower case characters (e.g., a-z, A-Z)
Have digits and punctuation characters as well as letters e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
Note:Not all LCC systems accept all these characters. If you find that your new password does not work, you may need to remove the punctuation, or replace it with something else.
Are at least eight alphanumeric characters long.
Are not words in any language, slang, dialect, jargon, etc.
Are not based on personal information, names of family, etc.
Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

Avoiding a Bad Password

Poor, weak passwords have the following characteristics:

The password contains less than eight characters
The password is a word found in a dictionary (English or foreign)
The password is a common usage word such as:

Names of family, pets, friends, co-workers, fantasy characters, etc.
Computer terms and names, commands, sites, companies, hardware, software.
The words "Lansing”, “Community”, “College", "redwings", "Michigan”, “State" or any derivation.
Birthdays and other personal information such as addresses and phone numbers.
Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
Any of the above spelled backwards.
Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Do not use the same password for Lansing Community College accounts as for other non-Lansing Community College access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various Lansing Community College access needs. For example, select one password for the Departmental systems and a separate password for Oracle Star Port Single Sign-On systems. Do not share Lansing Community College passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential Lansing Community College information. LCC’s use of Single Sign-On technology requires greater protection by the user of their password, as that single password will allow access to many systems.

Here is a List of "Don'ts":

Don't reveal a password over the phone to ANYONE
Don't reveal a password in an email message
Don't reveal a password to the boss
Don't talk about a password in front of others
Don't hint at the format of a password (e.g., "my family name")
Don't reveal a password on questionnaires or security forms
Don't share a password with family members
Don't reveal a password to co-workers while on vacation

If someone demands a password, have them call the ISCD Help desk at (517) 483-5221.

Passwords should only be entered on known password entry screens. Become familiar with the screen that you enter a password into and verify that you are not using a fake login screen. Verify that your TUID single sign-on password is only entered within a web page that comes from ‘https://bonnie.lcc.edu:4443/pls/orasso/orasso.lccp_login.home’.

It is best practice to not use the "Remember Password" feature of applications, especially for shared or public computers (e.g., Eudora, Outlook, and Netscape Messenger).

Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption or separate password protection.

Change passwords at least once every six months (except system-level passwords which must be changed quarterly). The recommended change interval is every four months.

If an account or password is suspected to have been compromised, report the incident to abuse@lcc.edu and change all passwords.

Effective: 11/18/03

Revision: 1