Cal State Â鶹ÃÛÌÒAV Password Policy

Revised: May 31, 2022

This policy establishes minimum standard password requirements to protect university information resources.

Passwords are used on university devices and systems to facilitate authentication, i.e., helping ensure that the person is who they say they are. The security of university data is highly dependent upon the secrecy and characteristics of such passwords. Compromised passwords can result in loss of data, denial of service for other users, or attacks directed at other Internet users from a compromised machine. Compromised passwords can also result in the inappropriate disclosure of confidential data.

To protect against these risks, Cal State Â鶹ÃÛÌÒAV has adopted the following password standards.

This standard applies to all university information resources that use passwords to authenticate users. All passwords used to access Cal State Â鶹ÃÛÌÒAV systems must adhere to this standard unless technically infeasible. This standard covers departmental resources as well as resources managed centrally. The term password is applied broadly and includes passphrases, digital keys, and other forms of credentials used to authenticate access to Cal State Â鶹ÃÛÌÒAV systems.

Information Technology Services provides identity management services that are in compliance with these password standards and used by most Cal State Â鶹ÃÛÌÒAV enterprise applications. All university systems and processes subject to this standard are encouraged to integrate with Cal State Â鶹ÃÛÌÒAV identity management services, otherwise systems must implement the same password standards locally.

System administrators may choose to implement these standards with a combination of technological controls and local practice. Standards and practices adopted by a college or administrative unit must be consistent with this standard but may provide additional detail, guidelines or restrictions.

All exceptions to the above access control policies must be approved in writing by the university Information Security Officer (ISO).

(Also published at NetID)

Personally assigned university NetIDs are subject to password policy rules that help protect the account from inadvertent or malicious access. Users are strongly advised to implement a robust, hard-to-guess password to further enhance the account's security. Passwords currently adhere to the following:

  • Password Length
    • Is ten (10) characters minimum for all Students, Faculty & Staff NetIDs
  • Passwords must contain characters from four categories: English uppercase characters (A through Z), English lowercase characters (A through Z), base 10 numerical characters (0 through 9), non-alphabetic characters (for example, !, $, #, %);
  • Passwords may not contain first or last name, or NetID, or any facsimile thereof (eg. Gene written as G3n3)
  • Passwords are locked out for a certain duration after 10 invalid login attempts;
  • Passwords have a history of 3 passwords remembered (that is, you may not re-use your past 3 passwords when changing it);
  • While student passwords currently do not expire, faculty and staff (including student assistants) passwords do expire after 180 days.

As stated in , access to Level 1 & 2 data must use authentication methods that meet or exceed NIST 800-63-3 AAL2 by requiring multi-factor authentication, including both a secure password and the use of an authenticator.

Cal State Â鶹ÃÛÌÒAV uses Duo for multi-factor authentication, and further information about this technology can be found here.

Contact us - If you have any questions regarding privacy, or have questions about our practices, please contact us at the following email address: iso@csueastbay.edu