Policy 494 - Staff Password Policy
I. PURPOSE
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Princeton Schools' entire network. As such, all employees (including contractors and vendors with access to Princeton Schools systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
II. SCOPE
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Princeton Schools facility, has access to the Princeton Schools network, or stores any non-public Princeton Schools information.
III. PASSWORD CREATION
- All staff and admin passwords must be at least eight (8) characters in length. Longer passwords and passphrases are strongly encouraged.
- Where possible, password management systems should be utilized to prevent the use of common and easily cracked passwords.
- Passwords must be completely unique, and not used for any other system, application, or personal account.
- Default installation passwords must be changed immediately after installation is complete.
IV. PASSWORD PROTECTION
- Passwords must not be shared with anyone (including coworkers and supervisors), and must not be revealed or sent electronically.
- The Technology Department will never ask for your passwords in digital correspondence.
- Passwords shall not be written down or physically stored anywhere in the office.
- When configuring password “hints,” do not hint at the format of your password (e.g., “zip + middle name”).
- User IDs and passwords must not be stored in an unencrypted format.
- User IDs and passwords must not be scripted to enable automatic login.
- The “Remember Password” feature on websites and applications should not be used.
- All mobile devices that connect to the company network must be secured with a password and/or biometric authentication and must be configured to lock after 3 minutes of inactivity.
- Many services used at Princeton Schools either require or support Multi-Factor Authentication (MFA). It is strongly recommended that employees use MFA as a further safeguard with any account in use. Forms of MFA include SMS text messages, cellular phone push notifications, or Time-based One-Time Password (TOTP) authentication via mobile application.
V. ENFORCEMENT
It is the responsibility of the end user to ensure compliance with the policies above.
If you believe your password may have been compromised, please immediately report the incident to the Technology Support team and change the password.
Legal References:
- None
Cross References:
Adopted: September 19, 2023