
Digital Passwords Management Policy

The University of Windsor is in the process of adopting a new policy that will define the minimum standards governing the format and management of passwords used to access electronic services and accounts associated with the University.

Usernames and passwords are used as the keys to authenticate and authorize access to electronic services and accounts provided to the University community that are not for use by the general public or by unauthorized users. Ensuring that the passwords used are strong and managed appropriately is a key requirement for preventing the inappropriate use of electronic resources.

This new policy describes minimum standards for password format and strength, sets requirements for password management over time, and defines actions that can be taken to protect accounts from suspected attack or unauthorized use. It applies to all University or affiliated services that use an authentication scheme involving a username, password, PIN and/or access code, with mandatory applicability to any system that utilizes an account with a UWinID or a uwindsor.ca email address as a username.

This policy serves as the foundational password policy for the University community. Other systems may extend or strengthen the requirements described in this policy based on either additional capability or need for stronger security; however, systems may not weaken the requirements set forth in this policy unless there are resource or other technical deficiencies that disallow its adoption.

Passwords must comply with the following minimum requirements:

| Requirement | UWin Account Policy |
|---|---|
| Minimum Length | 10 characters |
| Upper and Lower Case Characters | At least 1 upper case and at least 1 lower case character |
| Numbers / Digits | At least 1 numeric character |
| Special Characters | At least 1 special character (no restrictions) |
| Not Trivial or Easily Guessable | Password cannot match User ID or e-mail address |
| Password Expiration | 120 days |
| Password Expiration Notification (where possible based on application) | Initial = 30 days; Reminder #1 = 14 days; Reminder #2 = 7 days; Reminders #3-9 = daily reminders from 6 days before and up until day of expiry |
| Password History to be Maintained | 10 |
| Inactivity Timeout | 20 minutes (enforced by the application) |
| Account Lockout Upon Failed Logins | 5 failed logins in 5 minutes, locked for 10 minutes |
| Purge User Profiles | Disabled or removed as per IT Services procedures |
