Password Policy

Summary

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password change.

Body

PRINT DISCLAIMER: Official version of this document is accessible in the online policy library at https://policyoffice.ku.edu/. Printed copies may not reflect the most recent updates.

DOCUMENT TYPE:

Policy

PURPOSE:

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password change.

APPLIES TO:

The scope of this policy includes:

  1. All personnel who are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any University of Kansas facility;
  2. All individuals who have access to the University of Kansas network; and
  3. All systems that store any non-public KU information.

CAMPUS:

Edwards, Lawrence, Juniper Gardens, Parsons, Yoder, Topeka

POLICY STATEMENT:

Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access.  Passwords help the University limit unauthorized or inappropriate access to various network resources at the University of Kansas, including user-level accounts, web accounts, email accounts, screen saver protection, and local router logins.

A poorly chosen password may result in the compromise of University systems, data, or the network.  Therefore, all KU students, faculty, and staff are responsible for taking the appropriate steps, as outlined below, to select appropriate passwords and protect them.  Contractors and vendors with access to University systems shall observe these requirements.

A department and/or system administrator may implement a more restrictive policy on local systems where deemed appropriate or necessary for the security of electronic information resources.  The Information Technology Security Office may require a more restrictive policy in protection of confidential information or data as defined in the Data Classification and Handling Policy.

Creation of Passwords

Passwords created by users of University systems, and on systems where technology makes it possible, shall conform to the following standards:

Your password must be 8 to 32 characters long and must contain:

  • At least one special character (&,#,-,_, etc.)
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one digit (0-9)

These provisions shall be enforced electronically whenever possible. 

Changing Passwords

Passwords must expire after no longer than 210 days.  Passwords are not allowed to be repeated within one year.

Protecting a Password

  • Passwords must be treated as confidential information.
  • Passwords must not be included in email messages or other forms of electronic communication.

Sharing a Password

  • KU Online IDs are issued to individuals for their exclusive use, and passwords may not be shared. 
  • Departmental account passwords must be shared only with appropriately designated departmental personnel.
  • Users need to beware of “phishing” and other social engineering scams in which someone requests a user’s password over the phone.  University information technology personnel (i.e., IT Customer Service Center, ITSO, Departmental Technical Staff), as a best practice, do not request a user’s password over the phone.

Reporting a Password Compromise

  • Suspected compromises of passwords must be reported immediately to the KU IT Customer Service Center at 4-8080.
  • The password in question must be changed immediately.

EXCLUSIONS OR SPECIAL CIRCUMSTANCES:

Exceptions to this Policy shall only be allowed if previously approved by the KU Information Security Officer and this approval is documented and verified by the Chief Information Officer.

CONSEQUENCES:

Faculty, staff, and student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.

Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status.

Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.

CONTACT:

Office of the Chief Information Officer
1001 Sunnyside Avenue 
Lawrence, KS 66045
785-864-4999
kucio@ku.edu

APPROVED BY:

Provost and Executive Vice Chancellor

APPROVED ON:

2005-05-24

EFFECTIVE ON:

2005-06-01

REVIEW CYCLE:

Annual (As Needed)

RELATED STATUTES, REGULATIONS, AND/OR POLICIES:

Data Classification and Handling Policy

Information Technology Security Policy

Information Access Control Policy

Acceptable Use of Electronic Information Resources

CHANGE HISTORY:

03/24/2025: Migration to TeamDynamix from Drupal.
01/26/2022: Update contact section.
07/11/2016: Updated to remove gendered pronouns.
09/11/2007: Updated to reflect NTS/IT reorganization of responsibilities.
02/11/2008: Updated to clarify PCI/DSS and HIPAA additional requirements.
10/23/2009: Updated to reflect Legislative Post Audit requirements.
10/07/2014: Updated to reflect current practice and KU IT organizational responsibilities.

Details

Article ID: 21342
Created
Thu 3/13/25 1:20 PM
Modified
Mon 3/31/25 12:59 PM
