The University of Windsor's Digital Passwords Management Policy defines the minimum standards governing the format and management of passwords used to access electronic services and accounts associated with the University.
Usernames and passwords are used as the keys to authenticate and authorize access to electronic services and accounts provided to the University community that are not for use by the general public or by unauthorized users. Ensuring that the passwords used are strong and managed appropriately is a key requirement for preventing the inappropriate use of electronic resources.
This policy describes minimum standards for password format and strength, sets requirements for password management over time, and defines actions that can be taken to protect accounts from suspected attack or unauthorized use. It applies to all University or affiliated services that use an authentication scheme that involves the use of a username, password, PIN and/or access code, with mandatory applicability to any system that utilizes an account with a UWinID or a uwindsor.ca email address as a username.
This policy serves as the foundational password policy for the University community. Other systems may extend or strengthen the requirements described in this policy based on either additional capability or need for stronger security; however, systems may not weaken the requirements set forth in this Policy unless there are resource or other technical deficiencies that disallow its adoption.
Passwords must comply with the following minimum requirements:
| Requirement | UWin Account Policy |
| --- | --- |
| Minimum Length | 10 characters |
| Upper and Lower Case Characters | At least 1 upper case and at least 1 lower case character |
| Numbers / Digits | At least 1 numeric character |
| Special Characters | At least 1 special character (no restrictions) |
| Not Trivial or Easily Guessable | Password cannot match User ID or e-mail address |
| Password Expiration | 365 days |
| Password Expiration Notification (where possible based on application) | Initial = 30 days; Reminder #1 = 14 days; Reminder #2 = 7 days; Reminders #3-9 = daily reminders from 6 days before and up until day of expiry |
| Password History to be Maintained | 10 |
| Inactivity Timeout | 20 minutes (enforced by the application) |
| Account Lockout Upon Failed Logins | 5 failed logins in 5 minutes, locked for 10 minutes |
| Purge User Profiles | Disabled or removed as per IT Services procedures |