Password Security Policy

Last Updated: August 2023
Applies To: All Faculty, Staff, Students, Affiliates, Retirees

I. Purpose

The purpose of this document is to provide a set of minimum security standards governing the use of passwords for Northeast Mississippi Community College’s (“NEMCC”, “Northeast”, “College”) information technology systems. This document is intended to offer minimum standards for system and application administrators and developers.

All parties are encouraged to apply more stringent controls than those outlined below in accordance with the security needs of the system and the information being stored or accessed.

II. Standards

This section is intended to provide guidance for systems and applications that utilize a username and password for authentication and authorization. For many systems, these settings are customizable and must be configured before a system goes into production or stores institutional information.

Systems that utilize a Northeast Mississippi Community College account for authentication can assume these requirements are met as part of the service provided.

A. Password requirements for standard accounts

  • Passwords should never be stored in plain text. Passwords should be stored using industry-standard hashing and salting methodologies.
  • Passwords should be encrypted and/or hashed while in transit to the authenticating system.
  • Passwords should not be displayed in plain text as they are being entered.
  • Passwords must adhere to the following complexity rules:
      • Passwords must be at least twelve (12) characters long.
      • The password must contain characters from each of the following four categories:
          • Upper Case: A B C ...
          • Lower Case: a b c ...
          • Numbers: 1 2 3 ...
          • Symbols: + - _ = . @ ? ! ...
  • Accounts must use Multi-Factor Authentication (MFA) where possible.

B. Password requirements for service accounts

Service-based accounts are those used for automation, monitoring, and other non-interactive tasks not performed by an individual.

In addition to the requirements for standard accounts:

  • Passwords must be at least 16 characters.
  • User IDs and passwords shall never be used through an interactive login mechanism except for testing/setup purposes.
  • Service accounts must have a responsible point of contact or sponsor.
  • Service accounts must be reviewed annually to ensure they are properly used, secured, and necessary.
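As an added example, not the College's own code, the following Python shows how an application administrator could enforce the complexity rules of sections II.A and II.B (12 characters for standard accounts, 16 for service accounts, all four character categories) and store credentials hashed and salted rather than in plain text, as II.A requires. The accepted symbol set beyond the characters the policy lists, the PBKDF2 algorithm choice and its work factor are assumptions.

```python
import hashlib
import hmac
import os
import string

# The policy's symbol list ends in "...", so (assumption) any ASCII punctuation counts as a symbol.
SYMBOLS = set(string.punctuation)
PBKDF2_ITERATIONS = 600_000  # assumed work factor, not from the policy; tune to your hardware

def complexity_violations(password: str, service_account: bool = False) -> list[str]:
    """Return the complexity rules the password breaks (empty list = compliant).
    Standard accounts need 12 characters (II.A), service accounts 16 (II.B),
    and both need all four character categories."""
    minimum = 16 if service_account else 12
    problems = []
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems

def hash_password(password: str) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the plaintext (II.A).
    The record is self-describing ('pbkdf2_sha256$iterations$salt$digest') so the
    work factor can be raised later; a fresh random salt per record means two
    identical passwords never share a digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw, svc in [("Tr0ub4dor&3", False), ("Correct-Horse-7", False), ("Correct-Horse-7", True)]:
        print(f"{pw!r} ({'service' if svc else 'standard'}):", complexity_violations(pw, svc) or "compliant")
    record = hash_password("Correct-Horse-7")
    print(verify_password("Correct-Horse-7", record), verify_password("Correct-Horse-8", record))
```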

C. Shared Accounts

To ensure that accounts remain secure, shared accounts, in which several users share one password to access a single account, should be avoided. Where applicable, Computer Service will create a “shared mailbox” that users will be able to access using their own credentials and MFA.

III. Password Protection

To ensure that the intended account holder is the authorized holder of a password or credential, distribution or reset should occur only after a reasonable effort has been made to verify the identity of the account holder.

Individuals should be confirmed as the intended recipient by contact via an authorized phone number, verification of personal data, photo ID, or similar means.

Where possible, passwords should be maintained by the individual through automated means that leverage either pre-existing answers to a set of questions or a secondary channel meant to confirm someone’s identity, such as a one-time password sent to a registered person’s device. If an automated process is not available, initial or reset passwords may be communicated via:

  • Mail (sealed envelope)
  • Encrypted file transfer
  • Verbal conversation (phone call to an authorized telephone number or in-person)

IV. Exceptions

It is recognized that software applications offer many varied capabilities with respect to authentication, authorization, role-based access control, password complexity, account management, and auditing of these components. Many examples of software exist that will not be able to conform to some aspect of the prescribed standards.

Despite these deficiencies, such software may be necessary for performing critical functions for the College. Reasonable efforts should be made to improve the security posture of such software by enhancing system configurations over time, engaging with vendors, and developing auditing capabilities when possible and feasible.