Vassar College Password Policy
Vassar College issues an online account to each individual as they join the College community. This account is used to access email, the learning management system, perform financial transactions with the College, and many other services. As such, the account is a privilege with its usage governed by Vassar’s Responsible Use Policy and this Password Policy. Members of the Vassar community must be familiar with each of these policies.
- 1.0 Introduction
- 2.0 Purpose
- 3.0 Scope
- 4.0 Client Responsibilities
- 5.0 Systems Requirements
- 6.0 Use of Multi-Factor Authentication (MFA)
- 7.0 Exceptions
- 8.0 References
- 9.0 Related Policies
- 10.0 Responsible Departments and Persons
- 11.0 Policy Authority
Passwords are an important part of Vassar College’s efforts to protect technology systems and information assets by ensuring that only approved individuals can access them. Ongoing Information Security research informs best practices for the composition, lifetime and general usage of passwords. This policy is designed to adopt these practices to enhance the security of the Vassar community.
The purpose of this Password Policy is to clearly establish password usage rules for Vassar College’s information systems. Adhering to these rules strengthens the confidentiality, integrity, and availability of electronic assets and supports the college’s comprehensive Information Security Program.
The policy applies to all members of the Vassar College community who are approved to access College systems or information. Any individual with a computer account, including contractors and temporary employees, are covered under this policy.
The policy also covers password rules for Services, Systems, and Applications that exist outside of centralized Information Technology systems and are managed by other business units or third parties.
4.0 Client Responsibilities
Clients must maintain confidentiality of their password(s) at all times
Clients must change their password(s) periodically
Clients must not write down their password(s)
Clients must not divulge their password(s) to any other person
Clients must not transmit their password(s) by any electronic means
Clients must not reuse their Vassar password for any other account or system
5.0 Systems Requirements
Systems must not store client passwords in clear text
Systems must be able to accommodate Vassar College password construction rules
Systems must require clients to change their password periodically
The password field in a login panel must obfuscate the password
A system must suspend a user account after multiple failed login attempts ("grace logins")
A system must use encryption to protect client passwords
6.0 Use of Multi-Factor Authentication (MFA)
Multi-Factor Authentication is recommended for use on all compatible Vassar systems. Clients may be required to enroll in MFA under the direction of the Information Security Officer or Chief Information Officer.
Exceptions to the policy must be requested in writing for consideration by the Chief Information Officer or Information Security Officer who will engage the Senior Officer from the requesting division as needed.
10.0 Responsible Departments and Persons
Responsible Department: Computing and Information Services
Person(s) responsible for developing, changing, and communicating this policy: Information Security Officer, Chief Information Officer
Person(s) responsible for implementing and enforcing this policy: Information Security Officer
11.0 Policy Authority
This policy is issued by Vassar College under the authority of the President, Chief Information Officer, and Information Security Officer.