Information Technology

Password Standard

The CSUMB Campus Password Standard identifies requirements and provides guidance on establishing passwords for University computer systems..

Comments or feedback on this standard should be directed to The Office of the Chief Information Officer at (831) 582-4700.

Scope

This standard applies to all persons using CSUMB data or information systems.

Password standards

A password is private information and only the person assigned to a particular CSUMB username may use the associated password. Users are responsible for safeguarding passwords for their CSUMB username. Passwords must not be shared. Users should not share their password with anyone.

The following standards are to assist users with choosing secure passwords. Each individual application used to change passwords will screen for most of these guidelines as an aid in creating secure passwords. This does not relieve a person of responsibility for creating and protecting a secure password.

  • Make passwords significantly different from previous passwords.
  • Make passwords hard to guess. It should not be information easily obtainable about you.
  • Passwords should not include mother’s maiden name, Social Security number, telephone numbers, or birthday.
  • Your password cannot be the same as the username.
  • Don’t leave passwords where others can find them. Do not leave your password on a post-it note taped to your monitor.
  • Change passwords regularly.
  • Use as many characters as the system you are using allows when you create your password.

Password requirements

CSUMB has implemented updated CSUMB username password requirements based on the CSU System-Wide Information Security Standards. CSUMB systems have the following password requirements:

  • Passwords must be at least 10-characters long (recommend at least 12 characters for level 1 sensitive data users)
  • Passwords must contain at least one uppercase alphabet character (A-Z), at least one lowercase alphabet character (a-z) and at least one number and cannot contain part of your username.
  • Minimum password age is 6 days (you cannot change your password if it has been less than 6 days since you last changed it).
  • Maximum password age is 180 days (you must change your password if it has been more than 180 days since you last changed it) .
  • You may not re-use any of your last 3 passwords.
  • Accounts are locked after 5 failed log in attempts.

Passwords for newly activated usernames must be changed on first use. This way only the person assigned the username knows the password.

Roles and responsibilities

Each Information Technology department is responsible for ensuring that all CSUMB information technology resources adhere to the Campus Password Standard.

All CSUMB employees are responsible for adhering to the Campus Password Standard.

Revision control

This standard will be subject to revision in response to changes in technology, regulatory compliance, and/or CSUMB operational initiatives.

Last reviewed/updated

06/21/2019 by Chip Lenno, CIO/ISO