Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of York College’s entire network. As such, all York College employees (including contractors and vendors with access to York College systems) and students are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. All use of York College accounts is assumed to be performed by the person assigned to that account. Account owners are held responsible and liable for all activities with their accounts.
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, frequency of change, and resetting of passwords on York College systems.
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any York College facility, has access to the York College network, or stores any non-public York College information.
- All system-level passwords (e.g., root, enable, admin, application administration accounts, etc.) must be changed at least every 90 days.
- All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 180 days. The recommended change interval is every 90 days.
- Passwords must not be inserted into email messages or other forms of electronic communication.
- All user-level and system-level passwords must conform to the guidelines described below.
- Initial passwords are to be set to a unique value per user. The initial password shall be valid only until the first successful user authentication and must be changed by the user after first use.
- Initial, pre-designated passwords are valid only until the first successful user authentication into an account. The user must choose their own passwords based upon the following standards and guidelines.
- All passwords are to be at least eight (8) characters in length.
- Group and shared passwords are explicitly prohibited at York College
- Password complexity will be set to enforce the use of at least both alphabetic and numeric characters.
  - Must contain at least 3 letters
  - Must contain at least 2 numbers
  - Maximum number of letter pairs is 2
- Password parameters will be set to require that new passwords cannot be the same as the four previously used passwords.
- Passwords must NOT contain your username in any form
- Accounts will be locked out after five failed login attempts and will remain locked for up to 90 minutes
- The system and session idle timeout feature will be set on all systems to time out after being idle for 15 minutes.

If you have forgotten your password, you should use the ChangeMe website, available on the front page of the myYCP Portal. You will be required to log in via security questions that you chose and answered. If you have forgotten the answers to your security questions, you will need to present your York College ID to the Information Technology Help Desk, and they will further assist you in resetting your questions and password. If you are unable to physically visit the Information Technology Help Desk, we will mail your account information to the address that we have listed in our official records, using United States mail only. There are no exceptions to this policy.
General Password Construction Guidelines
York College uses Single Sign-On (SSO) technology to enable students and employees to use one username and password combination to access multiple systems and applications, such as MyYCP Portal, YCPWeb, Google Apps, and Blackboard. Although SSO makes accessing York College systems more convenient, it also places greater importance on selecting a strong password that is difficult to guess. Students and employees are strictly prohibited from sharing their YCP password with anyone for any reason.
Strong passwords have the following characteristics:
- Contain both upper and lower case characters (e.g., a-z, A-Z) as well as numbers
- Are at least seven alphanumeric characters long and are a passphrase (Ohmy1stubbedmyt0e).
- Do not contain words found in a dictionary or other commonly used slang words in any form including backwards
- Do not contain trivial letter or number patterns such as aaabbb, qwerty, 12345678, 123321, etc.
- Are not based on personal information such as birth dates, addresses, phone numbers, or names of family members, pets, friends, or co-workers
- Passwords should be hard to guess but easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
NOTE: Do not use any of these examples as passwords!
Password Protection Standards
Do not use the same password for York College accounts as for other non-York College access (e.g., personal bank account, option trading, benefits, etc.). Do not share York College passwords with ANYONE, including family members, co-workers, administrative assistants or supervisors. Passwords must never be sent in an email or instant message. Do not use the "Remember Password" feature of applications (e.g., Firefox, Chrome, Instant Messenger). Passwords must never be written down or stored in a file on any computing device (including laptops, smart phones, tablets or similar devices) without using encryption. All passwords are to be treated as sensitive, confidential York College information.
The York College IT Department will NEVER ask you to reveal your password at any time. If you are asked to reveal your password via telephone, email, or in person by anyone claiming to be a York College official or IT Department staff member, do not respond. Report the incident immediately to the IT Help Desk at (717) 815-1559.
If an account or password is suspected to have been compromised, report the incident to the IT Help Desk and change all passwords.
Users who violate this policy may be denied access to College computing resources and may be subject to other penalties and disciplinary action, including possible expulsion or dismissal. Alleged violations will be handled through the college disciplinary procedures applicable to the user. The College may suspend, block or restrict access to an account, independent of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the College or other computing resources or to protect the College from liability. The College may also refer suspected violations of applicable law to appropriate law enforcement agencies.