Password Management Standards and Guidance

The purpose of this standard is to establish the minimum requirements for passwords used to access
University information systems and services to reduce the risk of unauthorized access to Framingham State’s
technology resources and data. Pursuant to the University’s Password Management Policy, passwords are the
primary means of protecting access to University Information Systems; therefore, it is imperative that
passwords are strongly constructed and used in a manner to prevent account compromise.

This standard applies to all individuals accessing the campus network or any University information system.
This use may include, but is not limited to, access from personal devices, laptops, University-owned
computers, information systems, and servers. This Standard applies to both departmental and centrally managed
resources. When these password standards are technically infeasible, the application owner must
contact the University’s Information Security Officer to request an exception.

MINIMUM PASSWORD/PASSPHRASE STANDARDS FOR ALL UNIVERSITY ACCOUNTS
Password Composition
a) All passwords must be strong passwords and include the following:
   i) A minimum of twelve (12) characters
   ii) English uppercase characters (A through Z)
   iii) English lowercase characters (a through z)
   iv) Numerals (0 through 9)
   v) Special Characters (!, #, $, &)
b) Passwords must never include the following:
   i) Three (3) consecutive characters from the first name, middle name, last name or username.
   ii) Blank spaces.
   iii) Special character sequences such as //.
   iv) Personal or financial information such as Social Security or credit card numbers.
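
The composition rules above can be expressed as a validation check. The following is an added example, not part of the University's standard or tooling. It assumes that any ASCII punctuation counts as a special character, that "//" is the only forbidden sequence, and that the sample identity is constructed; rule b) iv) is not covered.

```python
import string

MIN_LENGTH = 12
# Assumption: the standard names only "//" as an example; extend per local policy.
FORBIDDEN_SEQUENCES = ("//",)


def name_fragments(identity_parts, width=3):
    """Every run of `width` consecutive characters from each name, lower-cased."""
    frags = set()
    for part in identity_parts:
        p = part.lower()
        for i in range(len(p) - width + 1):
            frags.add(p[i:i + width])
    return frags


def check_password(password, identity_parts):
    """Return the list of violated composition rules (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.digits for c in password):
        problems.append("no numeral")
    # Assumption: any ASCII punctuation satisfies the special-character rule.
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if any(c.isspace() for c in password):
        problems.append("contains blank space")
    if any(seq in password for seq in FORBIDDEN_SEQUENCES):
        problems.append("contains forbidden sequence")
    # Case-insensitive match against 3-character runs of each name or username.
    lowered = password.lower()
    hits = sorted(f for f in name_fragments(identity_parts) if f in lowered)
    if hits:
        problems.append("contains name fragment: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed identity: first, middle, last name and username.
    who = ("Jordan", "Lee", "Rivera", "jrivera")
    for candidate in ("Maple#Tundra42kite", "Rivera2023!!x", "Maple //Tundra42"):
        print(candidate, "->", check_password(candidate, who) or "compliant")
```
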

Password Management
a) An individual may change their password at any time provided the password is:
   i) Different than the previous ten (10) passwords used; and,
   ii) Not used more than one (1) time per 12-month period.
b) Passwords must be changed if an account is compromised.
c) Pursuant to the Acceptable Use Policy, passwords must never be left in a location, along with the
username, that can be readily obtained and utilized by another individual to Authenticate to a
University Information System.
d) To prevent compromise of credentials, never use the same password for login to a Framingham State
University account and a personal account.
e) Never share a password with anyone in any way (e.g., email, phone call, electronically via the Internet)
including managers, co-workers, assistants, family members, friends, or the IT Service Desk.
f) If a password is suspected to have been compromised, it must be changed immediately, and the
incident reported to Information Technology Services IT Service Desk.

Details

Article ID: 155060
Created: Thu 10/19/23 5:24 PM
Modified: Tue 10/24/23 9:50 AM