Password Policy

1. INTRODUCTION

1.1 This policy supports the Digital Services Cyber Essentials certification principles to ensure that passwords used to access computer resources are selected, maintained, and updated in line with the Post Op security profile standards.

1.2 Password policies are used to mitigate possible attacks against the Post Op network infrastructure and the data held within it. Use of long, complex passwords helps to mitigate attacks that attempt to guess passwords, and regular password changes help to mitigate long-term exploitation of any disclosed or discovered passwords.

1.3 This policy therefore provides guidance on password structure, and on the technical standards and technology required to keep the Post Op IT network secure and confidential.

2. PASSWORD SELECTION

2.1 To protect Post Op systems and data, users must select a password that is secure and difficult to guess. In accordance with security best practice the following rules are mandatory:

  • All passwords should have a minimum of twelve characters.
  • Each password must contain a combination of at least three of the following four character sets:
      • uppercase characters (A through to Z)
      • lowercase characters (a through to z)
      • numerical digits (0 through to 9)
      • non-alphanumeric characters (e.g. ! $ # % @ +)
  • Previous passwords used for a University system must not be re-used.

2.2 In addition, although this is not actively enforced by the password creation process, accounts created for use on external online resources must not use the same password as is used for Post Op authentication. Passwords must not be something that can easily be guessed (avoid using your name, a child's or pet's name, a car registration number, a football team, etc.). Maximum password length is not limited by policy and is determined by user preference.

2.3 This policy covers the password requirements for all systems and applications used within the Post Op environment, including third-party externally hosted applications. The password policy will be reviewed every 12 months to ensure that the security settings remain relevant and applicable to the technologies, applications and services utilized by the University.

3. CHANGING A PASSWORD

3.1 Passwords must be changed regularly to mitigate the long-term exploitation of any disclosed or discovered passwords. It is recommended that passwords are changed in line with application requirements.

3.2 Passwords are the mechanism used to protect the security of Post Op systems and must be protected.

  • Passwords must be kept secret.
  • Passwords must not be written down in a form that others could identify.
  • Passwords must not be stored electronically in a non-encrypted format.
  • Passwords may be stored in password management applications where appropriate.
  • Passwords must never be shared with others.
  • Care should be taken to prevent anyone from watching you type your password.
  • Devices should not be left unattended and unlocked in public spaces or communal areas.

To keep up to date with best practice authentication and password management policies, the Post Op user password policy will adhere to the following conditions:

  • First-time or temporary reset passwords will be randomly generated, 12 characters long, and will contain a mixture of alphabetic and numeric characters. The user will then be required to change the password upon first logon.
  • Passwords must be a minimum of 8 characters in length.
  • Passwords must contain at least 3 of the following: uppercase letters, lowercase letters, numbers, symbols and special characters (e.g. "!", "£").
  • Passwords must not contain the name of the user or account.
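The composition rules from section 2.1 and the conditions above, as an added example that is not part of this policy document: a small Python checker that reports every rule a candidate password breaks, keeps password history as salted PBKDF2 digests rather than plaintext (section 3.2), and generates the 12-character alphanumeric first-logon password. It assumes section 2.1's twelve-character minimum and a fixed PBKDF2 round count; both are assumptions, not values from the policy.

```python
import hashlib
import secrets
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 12          # section 2.1 minimum (assumed over the 8 in section 3)
REQUIRED_CLASSES = 3     # at least 3 of the 4 character sets
TEMP_LENGTH = 12         # first-time / reset passwords
PBKDF2_ROUNDS = 200_000  # assumed work factor for stored history digests

CHARACTER_SETS = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + "£"),
}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 digest so history can be kept without plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def policy_violations(candidate: str, username: str,
                      history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return every policy rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, chars in CHARACTER_SETS.items() if any(c in chars for c in candidate)]
    if len(present) < REQUIRED_CLASSES:
        problems.append(f"uses {len(present)} of 4 character sets, needs {REQUIRED_CLASSES}")
    if username and username.lower() in candidate.lower():
        problems.append("contains the account name")
    # Re-derive with each stored salt; constant-time compare avoids leaking via timing.
    for salt, digest in history:
        if secrets.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("matches a previous password")
            break
    return problems


def temporary_password(length: int = TEMP_LENGTH) -> str:
    """Random first-logon password of letters and digits, guaranteed to contain both."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw):
            return pw
```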

Post Op strongly advises that users have passwords that are 8-12 characters long and contain at least 3 of the following: uppercase letters, lowercase letters, numbers, symbols and special characters (e.g. "!", "£").

Please note that passwords are set to expire after 42 days by default. It is acceptable for passwords to never expire if they meet the requirements set out in the policy.

The policy and recommendations are in line with the guidance given by the National Cyber Security Centre (NCSC).