SASG Password Security Policy

Passwords are an important aspect of information security. A poorly chosen password may result in unauthorized access and/or exploitation of University of Arizona resources. All users with access to University of Arizona systems, networks, and data are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

1. Purpose

The purpose of this procedure is to communicate the standards for strong passwords, the protection of those passwords and the frequency of change.

2. Scope

The scope of this procedure includes all personnel who have or are responsible for an account (or any form of access that requires a password) on any system that SASG supports, has access to the University of Arizona network, or stores any non-public SASG information. All users, including part-time and student staff, must follow all SASG password procedures. 

3. Procedure

Password Creation

  • All user-level and system-level passwords must conform to the Password Construction Guidelines (see below).

  • Users should not use the same password for SASG accounts as for other non-SASG access (for example: individual’s NetID password, personal Internet Service Provider (ISP) account, benefits and so on.)

Password Change

  • All passwords for SASG user accounts must be changed every year. A user may reach out to SASG to have a password changed at any time if they need to.

Password Protection

  • Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential SASG information.

  • Passwords must not be inserted into email messages or other forms of electronic communication.

  • Do not reveal a password on questionnaires or security forms.

  • Do not hint at the format of a password (for example: “my family name”.)

  • Do not share SASG passwords with anyone (supervisor, peer, direct report, or SASG staff) under any circumstance.

  • Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile device (phone, tablet) without encryption.

  • Try not to use the “Remember Password” feature for sites containing confidential information.

  • Any user suspecting that his/her password may have been compromised must report the incident to SASG and change all passwords immediately.

Use of Passwords and Passphrases

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against “dictionary attacks.” A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: “U Mu5t B the Ch@nge U W!5h 2 C !n the W0rld”. All of the rules above that apply to passwords also apply to passphrases.

Password Construction Guidelines

SASG requires a strong password that meets the following criteria:

  • It must be a minimum of twelve (12) characters

  • It must contain three (3) of the following types of characters:

    • Uppercase letter

    • Lowercase letter

    • Numeral

    • Non-alphanumeric characters (% ! & # $ etc.)

  • It cannot contain a user’s logon name

  • It cannot contain any portion of the user’s full name

4. Enforcement

These procedures are for your protection and the protection of University of Arizona owned data. Violation of these procedures could be reported to the appropriate supervisor and the University of Arizona Information Security Office.

If your SASG password has been revealed to other individuals or otherwise posted in a publicly viewable setting, your password will be set to change at the next login.

You will receive communication from us regarding the incident with an explanation of our password security policy. You will also be informed of best practices regarding passwords.

If the issue occurs again, we will lock your SASG account pending a meeting with your supervisor and the SASG Information Technology Manager to once again go over best practices regarding password security.

5. Exceptions

Regardless of labeling, if non-SASG passwords are publicly viewable or otherwise shared, SASG will direct the individual to this policy and campus policies.

6. Sources

SASG policy uses the following Campus Policies as a guide: