Tags: Authentication, Access Control, NIST SP 800-63B, FERPA, GLBA, CIS Controls
Status: Final Draft
Last Revision Date: April 29, 2025
Statement of Purpose
Passwords remain a foundational control in digital authentication. Weak or mismanaged passwords are a leading cause of security breaches. This policy defines Clackamas Community College’s standards for password creation, usage, and management to ensure compliance with applicable laws and frameworks (e.g., NIST SP 800-63B, FERPA, GLBA) while maintaining usability and reducing user support burdens.
Policy Summary
All passwords used to access Clackamas Community College Electronic Information Resources must follow standards for complexity, length, and uniqueness. This policy applies to user accounts, service accounts, and systems not integrated with Microsoft Active Directory (AD). Compensating controls (e.g., MFA) must be implemented where technical limitations prevent compliance. This policy supersedes any prior internal departmental standards.
Policy
1. General Requirements
- Passwords must be unique to Clackamas Community College systems. Reuse of passwords across personal or third-party accounts is strictly prohibited.
- Passwords shall be kept confidential and never shared, written, or transmitted in clear text.
- If a password compromise is suspected, the user shall immediately change the password and notify the ITS Service Desk.
- Default passwords must be changed before deploying any new system or application.
- If shared access is required, it must be managed through ITS-approved secure credential vaults with access logging.
2. Microsoft Active Directory (AD) Password Policy
The following controls shall be enforced via Group Policy for all standard user accounts in Active Directory:
- Minimum password length: 12 characters
- Password complexity: Must include at least three of the following: uppercase, lowercase, numeral, special character
- Password history: Remember the last 4 passwords
- Minimum password age: 0 days
- Maximum password age: 365 days
- Reversible encryption: Disabled
- Account lockout threshold: 5 failed attempts for Faculty and Staff, 10 failed attempts for Students
- Lockout duration: 30 minutes
- Reset failed attempt counter after: 30 minutes
ITS will regularly audit AD Group Policy Objects (GPOs) for compliance.
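The following script is an added illustration of such an audit and is not part of this policy or an ITS tool. It reads the default domain password policy and any fine-grained password policies and reports every setting that differs from the values in section 2; it assumes the ActiveDirectory PowerShell module is installed, that the separate student and staff lockout thresholds are implemented as Fine-Grained Password Policies, and the PSO names used are hypothetical.

```powershell
# Added example (not part of the policy): compare Active Directory password policy
# objects against the values in section 2. Assumes the ActiveDirectory module (RSAT)
# and read access to the domain. PSO names below are hypothetical placeholders.
Import-Module ActiveDirectory

# Expected values from section 2 (the AD "complexity" rule enforces the
# three-of-four character category requirement).
$Expected = @{
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 4
    MinPasswordAge              = [TimeSpan]::FromDays(0)
    MaxPasswordAge              = [TimeSpan]::FromDays(365)
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = [TimeSpan]::FromMinutes(30)
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(30)
}
# Lockout thresholds per policy object: default domain policy plus assumed PSOs.
$ExpectedLockout = @{ 'Default' = 5; 'PSO-FacultyStaff' = 5; 'PSO-Students' = 10 }

function Test-PasswordPolicy {
    param([Parameter(Mandatory)] $Policy, [string] $Name, [int] $LockoutThreshold)
    $findings = @()
    foreach ($key in $Expected.Keys) {
        if ($Policy.$key -ne $Expected[$key]) {
            $findings += "{0}: {1} is '{2}', expected '{3}'" -f $Name, $key, $Policy.$key, $Expected[$key]
        }
    }
    if ($Policy.LockoutThreshold -ne $LockoutThreshold) {
        $findings += "{0}: LockoutThreshold is {1}, expected {2}" -f $Name, $Policy.LockoutThreshold, $LockoutThreshold
    }
    return $findings
}

$results = @()
$results += Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default' `
    -LockoutThreshold $ExpectedLockout['Default']
# Audit only the PSOs this policy defines thresholds for; others are reported as unexpected.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    if ($ExpectedLockout.ContainsKey($pso.Name)) {
        $results += Test-PasswordPolicy -Policy $pso -Name $pso.Name -LockoutThreshold $ExpectedLockout[$pso.Name]
    } else {
        $results += "Unexpected fine-grained policy present: $($pso.Name)"
    }
}
if ($results.Count -eq 0) { 'All audited password policies match section 2.' } else { $results }
```

A deviation listed by the script is a finding for the GPO audit, not an automatic remediation; changes to policy objects still go through normal change control.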
3. Service Account Passwords
- Must meet or exceed standard user account requirements for length and complexity.
- Passwords must be changed:
  - On account provisioning
  - After suspected compromise
  - After role reassignment or staff separation
  - At least annually, or per system policy
- Passwords must be stored in an ITS-approved password vault with access controls and audit logging.
4. Non-Microsoft Authentication Systems
- Where feasible, configure settings to match AD standards.
- If the platform enforces shorter limits, use the maximum supported length and implement compensating controls such as:
  - Multi-Factor Authentication (MFA)
  - IP filtering or geo-restrictions
  - Session timeout and reauthentication
  - Log analysis and alerting
System owners must document deviations and controls in their system security plan and review annually with ITS.
5. Multi-Factor Authentication (MFA)
- For additional authentication protections beyond password-based access, users and system owners must comply with Policy 102c – Multi-Factor Authentication (MFA), which outlines scenarios requiring MFA, approved second-factor types, and exception processes.
6. Password Storage and Transmission
- Passwords must never be stored in cleartext or transmitted without encryption.
- Passwords may only be stored using ITS-approved systems employing salted, one-way hashing (e.g., bcrypt, PBKDF2).
- Any system that stores or verifies passwords must undergo a security review by the ITS Security Team.
Exemptions
None.
Exceptions
Requests for temporary exceptions must be submitted in writing to the Chief Information Officer (CIO). Exceptions will be reviewed based on risk, compensating controls, and business justification. All approved exceptions must be documented and time-bound.