Username and Password Policy

Executive Summary

Clemson University is highly diversified in the information that it collects and maintains on its community members. It is the university’s responsibility to be a good steward and custodian of the information with which it has been entrusted, a responsibility that must be upheld by all members of the university. While Usernames will be considered public information, their corresponding passwords are the first line of defense in providing computer and information security at Clemson University. It is first the individual’s responsibility to maintain the security of their password and to maintain a level of complexity within that password sufficient to prevent breaches of that Username. Username and password management is a significant part of our overall solution to improve security within Clemson University. The overall protection of the data assets must begin with the individual who has access to them.

This policy outlines how Usernames will be created and how a user will be required to choose a password that is considered to be strong given best practices as they exist currently. This policy also outlines requirements for the creation of default passwords, changing of passwords, and resetting of passwords. Each user of computing resources at Clemson University is expected to adhere to this policy, both in their access to network resources and locally to their university-owned system as outlined in the policy.

Purpose

The purpose of this policy is to establish the guidelines and requirements for Usernames and passwords used to grant authorized users access to Clemson University’s network. Guidelines and accepted practices will be established to provide for the creation of strong passwords, protection of passwords, and frequency of change for those passwords.

Policy

It is the policy of Clemson University that all faculty, staff and students will be issued at least one Username that is to be protected by a password to enable them to complete the academic and business needs of the University. (There are occasions when an employee may need additional Usernames.) Where appropriate and upon need, there may be Usernames created for non-university employees. It is the responsibility of the user to create a strong password and to safeguard its confidentiality. At no time should the user grant access to his/her account by providing someone else the password.

Passwords for workstations are to follow the same rules as passwords for network accounts. (See Changing of Passwords in the General Guidelines of this policy.) Departmental or system policies may require workstations to have password-protected screensavers with an inactivity limit set by the departmental or system policy.

Passwords for commonly administered systems and servers should be changed in accordance with departmental policy. There may be instances where, due to contract or research requirements, departments place more stringent requirements on passwords.

Knowing the correct Username and password combination does not constitute authorization for access; prior authorization to access an account must have been granted.

Disciplinary Sanctions

All activity done from a university Username is the responsibility of the individual to whom the account is assigned.  All activity done from a university computer is the responsibility of the person logged onto that computer. The university will impose disciplinary sanctions on students/employees who violate the above policy. The severity of the imposed sanctions will be appropriate to the violation and/or any prior discipline issued to that student/employee. 

All suspected violations of this policy will be investigated by the Office of Information Security and Privacy. In certain situations other university, state, or federal representatives might be included in those investigations.

Communications

  • President
  • Provost
  • Vice Presidents
  • Vice Provosts
  • Deans
  • Directors/Department Heads
  • All Faculty, Staff, and Students

General Guidelines

Usernames

Computer Usernames are not confidential data and are published in both printed and online directories.

Creation of Usernames

Student Usernames – A student Username is generated and maintained for each person who is currently enrolled or has been accepted for admission within the coming year and has arranged an orientation date. These conditions are checked daily. Usernames previously established for students remain active over summer break. The Usernames of students who no longer meet these conditions are marked for deletion. Following graduation, student Usernames remain active for a year.

Employee Usernames – An employee Username is automatically generated when appointment transactions for employees are posted in the CUBS system. Each new employee receives a letter from Computer Resources that explains how to use the Username and various resources. Usernames are disabled when employee terminations are posted in CUBS. A Username can be disabled immediately if the department head contacts Human Resources. Authorized access to secure data cannot be automatically created. Departments may request data access for individual employees who require this type of access.

Departments may request Usernames for future employees if they contact Computer Resources with name, employee Clemson University ID (XID) number, and department number before appointment. In these cases, Computer Resources will select a Username or assign a requested one if it has not been used. Computer Resources sends each new employee a memo listing the Username and explaining its use. Requests for employee Usernames for student employees must originate with the sponsoring department.

Miscellaneous Usernames - These are issued upon request by Computer Resources. They remain active until a request to disable them is received.

Creation of Passwords

Passwords for new employee Usernames are set by default to the last five digits of the employee’s social security number. Passwords for new student Usernames by default are the last four digits of their social security number. In both cases the passwords are marked "expired" and must be changed during the first login attempt.  The user will be prompted for this on their first successful login attempt.

Resetting of Passwords

Users may reset their own password at any time. If you feel that your password or its security has been compromised, you are strongly encouraged to reset your password. Users who forget their password may request a new password. Employee Username passwords are reset by Computer Resources; student passwords are reset by the Help Desk. Verification of some personal information will need to be provided in order to complete this request.

Changing of Passwords

Following the initial password, all Usernames will have a default password expiration setting of one year. Users will be notified by email prior to expiration that their password is going to expire. These notifications will go out 14 and 7 days prior to the password expiring. Two more email notifications will go out as well. One will be on the day of expiration and the last notification will go out 7 days after the password has expired. 

After one calendar year with the current password, the user will be prompted to change his/her password on the next successful login. The user will be required to create a password that meets the strong password criteria. (See details below.) Also, the user should make the new password significantly different from the previously used password.

The password change utility can be found at https://login.clemson.edu/changepass.php.

Passwords for network accounts:

  • Must be “strong”.
  • Must be changed at least every 365 days for all network accounts.
  • May contain upper and lower case alphanumeric characters. However, due to mainframe restrictions, the first 8 characters of a password can contain only alpha and numerical characters, and the following special characters: @ # $. When accessing the mainframe directly, only use the first 8 characters of the password.

A strong password is achieved by a combination of the following factors:

  • At least one letter
  • At least one number
  • At least one special character
  • A minimum of eight (8) characters

Password advice:

  • A password should not be related to any other personal information of the user such as social security or phone number
  • A password should not be a recognizable word out of a dictionary. (Password cracking programs typically use words from a dictionary to guess a password.)
  • Avoid simple variants or permutations of any words (e.g. S's replaced by 5's, E's replaced by 3's, O's replaced by 0's, your name backwards, your login name repeated or backwards).
  • Do not share your password with anyone.

Definitions

Employee Username – Generated and issued automatically to each individual on the Clemson payroll in a classified or unclassified position.

Student Username - Generated and issued automatically to students as part of the enrollment process.

Miscellaneous Username - Issued upon request to Computer Resources. They remain active until a request to disable them is received. The Usernames set up for temporary employees and contract workers are manually controlled by expiration date. There are three types of miscellaneous Usernames: external, shared, and generic. External Usernames are issued to individuals not employed by the university but associated with it in a contract or adjunct role. Shared Usernames, issued in rare circumstances, are used by several people temporarily to perform functions such as training. Generic Usernames are issued for specific purposes for applications requiring a system or network Username.

References and Related Documents

Acceptable Use for Students

Acceptable Use for Employees

Revisions

Administrative Update: Dec 1, 2009

Next Review: February 2009

Approvals

IT Council, February 2008