Password Security Policy
New passwords will be provided, and existing passwords will be released, only when the identity of the requester can be clearly established.
Background
The University of Kansas Medical Center provides access to network, electronic mail and voice mail resources to its students, faculty, and staff, in support of the University's mission of teaching, research, and public service. Passwords are assigned for access to each of these resources to authenticate a user's identity, to protect network users, and to provide security.
Password protection is one of the most important principles of network, e-mail and voice mail security. The purpose of this policy is to outline the procedures used by authorized staff to change or reveal an existing password to users who have compromised or forgotten their authorized password to the University's network, e-mail or voice mail resources. The resources covered by this policy include, but are not limited to, the University's network (via campus or remote access), e-mail and voice mail systems.
Although the University strives to manage a secure computing and networking environment, the University cannot guarantee the confidentiality or security of network, e-mail or voice mail passwords from unauthorized disclosure.
Definitions
PASSWORD
Authorized individual password assigned by the University of Kansas School of Medicine-Wichita's Information Technology Services department for access to its network, e-mail and voice mail resources.
UNIVERSITY
The term 'the University' means the University of Kansas Medical Center.
USER
Anyone who holds a valid account on the University's network, e-mail and/or voice mail systems.
Exemptions
Everyone who holds, or wishes to acquire, a valid account on the University's network, e-mail and/or voice mail systems is covered by this policy. This policy covers users on the Wichita campus as well as users who access these systems from an off-campus location. There are no exemptions.
Procedures
I. Password request procedures.
Procedures for processing password requests strive to balance security requirements and user convenience. These procedures will be followed by the staff of IT Services for all password requests for access to the University's network, e-mail or voice mail resources, including new, changed, or forgotten passwords.
1. Under no circumstances will existing passwords be revealed by telephone.
2. Under no circumstances will new passwords be provided by telephone.
3. Information Technology Services staff will be pleased to handle requests made in one of the following ways:
- Requests may be made in person at Information Technology Services [B001] during normal business hours. Photo identification is required.
- Requests may be faxed to Information Technology Services at 316-293-1888 at any time, but they will be handled during normal business hours. The fax must include photo identification and signature.
- New account requests may be submitted via web form. New account requests must be verified by the employee's supervisor.
4. Confirmation will be given to the user by phone, e-mail, or alphanumeric page when a password change is completed.
5. A network manager must approve any password change requested by a user's supervisor. Confirmation will be sent to the user when a password change is completed at the request of a supervisor.
II. Password Protection Responsibilities
System administrators and users assume the following responsibilities:
- System administrator must protect the confidentiality of the user's password.
- User must manage passwords according to the Password Guidelines.
- User is responsible for all actions and functions performed by his/her account.
- Suspected password compromise must be reported to IT Services immediately.
Password Guidelines
Passwords are required to meet the following criteria:
- Password must be 8 to 25 characters in length
- At least one UPPERCASE letter character (A, B, C, etc.)
- At least one lowercase letter character (a, b, c, etc.)
- At least one numeric digit (1, 2, 3, etc.)
- At least one special character (_-+=)(*&\}]{[. ,><?/ etc.)
Select a Wise Password
- Do not use any part of the account identifier (username, login ID, etc.).
- Do not use a proper name or any word in the dictionary without altering it in some way.
A password is harder to crack if you utilize several of these selection techniques:
- Use a mix of alpha and numeric characters.
- Use 8 or more characters.
- Use mixed case.
- Use two or three short words that are unrelated.
- Deliberately misspell words.
- Take the first letter from each word of a phrase.
Keep Your Password Safe
- Do not tell your password to anyone.
- Do not let anyone observe you entering your password.
- Do not display your password in your work area or any other highly visible place.
- Change your password periodically (every 60 days is recommended).
- Do not reuse old passwords.
Additional Security Practices
- Ensure your workstation is reasonably secure in your absence from your office. Consider using a password-protected screen saver or logging off when you leave the room.
Contact Information
For information on this policy, please contact IT Services.