IA-5 Authenticator Management
Last Review: 10/2/22
Statement
WTAMU manages information system authenticators by defining initial authenticator content; establishing administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators; and changing default authenticators upon information system installation.
Applicability
This Control applies to all West Texas A&M network information resources. The intended audience for this Control includes all information resource owners, custodians, and users of information resources.
Implementation
Management of information system authenticators shall include:
- Passwords shall be treated as confidential information.
- If the confidentiality of a password is in doubt, the password shall be changed immediately.
- If a password has been confirmed as compromised, the event shall be reported as a security incident.
- Users must change default or assigned passwords where possible.
- Passwords that must be transmitted shall be encrypted.
- Temporary passwords that are transmitted for the sole purpose of establishing a new password or changing a password can be excepted from the requirement to encrypt, provided the transmission is one-time and the user must change the password upon first logon.
- Whenever possible, passwords should be stored as hashes instead of in plain text.
- Forgotten passwords shall be replaced with a new password.
- If a user requests a password change, the identity of the user must be verified before the password is changed.
- The password must be changed to a temporary password. The user must change the temporary password at first logon.
- All passwords shall be set to expire every 2 years.
- All passwords should comply with the following complexity requirements:
  - Contains at least eight (12) characters.
  - Contains at least one of the following:
    - Uppercase letters (A, B, C).
    - Lowercase letters (a, b, c).
    - Numerals (1, 2, 3).
  - Is not a common word or name, or a close variation on a common word or name.
  - Is not one of your twenty-four (10) previously used passwords.
- Passwords also cannot contain:
  - Spaces, ampersands (&), angle brackets (< >) or non-English characters.
  - Significant portions of your account name or full name.
  - Words or phrases associated with the University, including but not limited to: buffs, buffaloes, maroon, west, texas.