Campus Password Policy

1.0 - Overview

This is an overview of the Password Policy.

1.1 - Purpose:

Establish a Password Policy Standard for CSUB employees.

1.2 - Scope:

This policy applies to all CSUB employees.

1.3 - Background

A password is private information and only the person assigned to a particular account should use the associated password. Users are responsible for safeguarding passwords for their accounts.

2.0 - Policy:

Passwords must:

  1. Not contain the user's account name or parts of the name that exceed two consecutive characters
  2. Be at least eight characters in length
  3. Contain characters from three of the following four categories:
    1. Uppercase characters (A through Z)
    2. Lowercase characters (a through z)
    3. Numbers (0 through 9)
    4. Non-alphanumeric characters (for example, !, $, #, %)
  4. Changed at least once per year

3.0 - Controls

Systems incapable of enforcing compliant passwords shall have user enforced compliant passwords. If compliant passwords are not permitted then other mitigating controls, determined on a case by case basis, shall be user enforced; e.g. shorter password lifetimes, longer passwords, or inactivity screen locks.