Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of York College’s entire network. As such, all York College employees (including contractors and vendors with access to York College systems) and students are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. All use of York College accounts is assumed to be performed by the person assigned to that account. Account owners are held responsible and liable for all activities with their accounts.
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, frequency of change, and resetting of passwords on York College systems.
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any York College facility, has access to the York College network, or stores any non-public York College information.
- All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 180 days. The recommended change interval is every 90 days.
- Passwords must not be inserted into email messages or other forms of electronic communication.
- Initial passwords are to be set to a unique value per user. Initial password shall only be valid until the first successful user authentication and must be changed by the user after first use.
- Initial, pre-designated passwords are valid only until the first successful user authentication into an account. The user must choose their own passwords based upon the following standards and guidelines.
- All passwords are to be at least eight (8) characters in length.
- Group and shared passwords are explicitly prohibited at York College
- Password complexity will be set to require at least three out of the four types of characters:
- Uppercase letters
- Lowercase letters
- Special characters (i.e. !, @, #, $, %, ^, &, *, etc.)
- All system-level passwords (e.g., root, enable, admin, application administration accounts, etc.) must be a minimum of 10 characters and conform to the complexity requirements above.
- Password parameters will be set to require that new passwords cannot be the same as the four previously used passwords.
- Passwords must NOT contain your username in any form
- Accounts will be locked out after 10 failed login attempts and will remain locked for up to 15 minutes
System and session idle timeout feature will be set on all systems to time out after being idle for 15 minutes. If you have forgotten your password and you are a faculty member or student, you can use the "Forgot password" link available on the front page of the MyYCP portal. You will be required to enter your YCP username and ID number and already have registered a cell phone number and/or personal email address to receive your temporary password. If you are unable to receive the temporary password or you are an administrator or staff member, you will need to contact us and we will further assist you in resetting your password.
General Password Construction Guidelines
York College uses Single Sign-On (SSO) technology to enable students and employees to use one username and password combination to access multiple systems and applications, such as MyYCP, YCPWeb, G Suite, and Moodle. Although SSO makes accessing York College systems more convenient, it also places greater importance on selecting a strong password that is difficult to guess. Students and employees are strictly prohibited from sharing their YCP password with anyone for any reason.
Strong passwords have the following characteristics:
- Contain both upper and lower case characters (e.g., a-z, A-Z) as well as numbers
- Are at least seven alphanumeric characters long and is a passphrase (Ohmy1stubbedmyt0e).
- Do not contain words found in a dictionary or other commonly used slang words in any form including backwards
- Do not contain trivial letter or number patterns such as aaabbb, qwerty, 12345678, 123321, etc.
- Are not based on personal information such as birth dates, addresses, phone numbers, or names of family members, pets, friends, or co-workers
- Passwords should be hard to guess but easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
NOTE: Do not use any of these examples as passwords!
Password Protection Standards
Do not use the same password for York College accounts as for other non-York College access (e.g., personal bank account, option trading, benefits, etc.). Do not share York College passwords with ANYONE, including family members, co-workers, administrative assistants or supervisors. Passwords must never be sent in an email or instant message. Do not use the "Remember Password" feature of applications (e.g., Firefox, Chrome, Instant Messenger). Passwords must never be written down or stored in a file on any computing device (including laptops, smart phones, tablets or similar devices) without using encryption. All passwords are to be treated as sensitive, confidential York College information.
The York College LTS Department will NEVER ask you to reveal your password at any time. If you are asked to reveal your password via telephone, email, or in person by anyone claiming to be a York College official or LTS Department staff member, do not respond. Report the incident immediately to us.
If an account or password is suspected to have been compromised, report the incident to the LTS Help Desk and change all passwords.
Users who violate this policy may be denied access to College computing resources and may be subject to other penalties and disciplinary action, including possible expulsion or dismissal. Alleged violations will be handled through the college disciplinary procedures applicable to the user. The College may suspend, block or restrict access to an account, independent of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the College or other computing resources or to protect the College from liability. The College may also refer suspected violations of applicable law to appropriate law enforcement agencies.