User Accounts and Passwords Standard
Responsible Official: Chief Information Security Officer
Responsible Office: Information Technology
Effective Date: December 5, 2025
Last Revision Date: October 30, 2025
Associated Documents
- User Accounts and Passwords Policy
- Acceptable Use Policy
- Data Classification and Handling Guidelines
- Password Safety Guidance
Purpose
The purpose of this document is to establish comprehensive password management standards that ensure the security, integrity, and availability of systems and data within Reed. This standard is designed to be consistent with applicable guidance and legal obligations (e.g., NIST SP 800-53, GLBA, FERPA, Oregon SB619) while tailored to the college’s risk environment.
Scope
This password management standard applies to all systems, networks, and applications within Reed that require user authentication, especially those that process, store, or transmit sensitive information, including Personally Identifiable Information (PII), Protected Health Information (PHI), education records under FERPA, and other regulated data.
Password Requirements
1. General Password Requirements
- Mandatory Strong Authentication: All user accounts must be secured with a strong authenticator. This must be either (a) a password that meets Reed's standards, or (b) a compliant passwordless authenticator (e.g., FIDO2/Passkey).
- Unique Passwords: Users must create unique passwords for each system or application and avoid reusing passwords across different platforms.
- Password Sharing: User credentials (passwords, passkeys, and tokens) are personal and must not be shared with any other individual, regardless of role or relationship.
2. Password Creation and Complexity
- Password Length: Passwords must be at least 14 characters in length. Passphrases of unrelated words are encouraged for passwords that must be remembered. Randomly generated character strings should be used when they can be stored in a password manager.
- Prohibited Passwords: Common passwords, dictionary words, and easily guessable patterns (e.g., "password123") are prohibited. Users must also avoid including personal information such as names or birthdays in their passwords.
- Password Change Frequency: Require password changes only when there is reason to believe a password has been compromised or when it fails to meet this standard.
3. Password Storage and Protection
- Password Encryption and Hashing: Passwords must be protected in transit (e.g., TLS) and must never be stored in plaintext. Systems that verify passwords must store only salted hashes produced by an industry-standard, purpose-built password hashing algorithm; passwords held in a vault for later use must be encrypted at rest.
- Password Vaults: Encourage the use of password vaults for storing and managing passwords securely.
- Access Control for Passwords: Access to password management tools and vaults must be restricted to authorized personnel only, with access rights reviewed regularly.
4. Password Change and Reset Procedures
- Self-Service Password Reset: Implement self-service password reset options that include identity verification mechanisms, such as security questions, MFA, or SMS/email-based verification. Security questions and SMS codes are the weakest of these options (NIST SP 800-63B discourages knowledge-based verification) and should serve as a fallback rather than the primary check.
- Administrator-Initiated Password Resets: Admin-initiated password resets must be logged with relevant details such as the requestor, the administrator performing the reset, and success/fail events.
- Account Lockout after Failed Attempts: Accounts must be locked after no more than 7 failed login attempts for a minimum of 15 minutes, or until an administrator unlocks the account.
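Sections 3 and 4 together describe how a verifier should hold and check passwords: store only a salted slow hash, lock the account after 7 failures for at least 15 minutes, and log administrator unlocks. The following is an added illustration of those rules in one place and is not Reed's own code. It assumes an in-memory dictionary as the account store, hashlib.scrypt as the salted password hash (Argon2id or bcrypt would serve equally), and an injectable clock so the 15-minute lockout can be exercised without waiting; none of these choices are specified by the standard.

```python
"""Credential verification with salted password hashing (section 3) and
account lockout after repeated failures (section 4).

Added illustration, not Reed's own code. Assumptions not stated in the
standard: an in-memory dict stands in for the account database, hashlib.scrypt
is the salted slow hash (Argon2id or bcrypt would serve equally), and the
clock is injectable so the 15-minute lockout can be exercised without waiting.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 7                      # section 4: lock after no more than 7 failures
LOCKOUT_SECONDS = 15 * 60                    # section 4: locked for at least 15 minutes
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)   # cost floor for the example; raise in production
DUMMY_SALT = b"\x00" * 16                    # used only to equalize timing for unknown users


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0                # epoch seconds, 0.0 = not locked
    audit: list[tuple[float, str]] = field(default_factory=list)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash; the plaintext is never stored anywhere."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)


class CredentialStore:
    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.clock = clock

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)                # fresh random salt per account
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'. Unknown usernames pay the same
        hashing cost as wrong passwords so response time does not reveal
        which accounts exist."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, DUMMY_SALT)
            return "denied"
        if now < acct.locked_until:
            acct.audit.append((now, "attempt while locked"))
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            acct.locked_until = 0.0
            acct.audit.append((now, "success"))
            return "ok"
        acct.failed_attempts += 1
        acct.audit.append((now, "failure"))
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Lock for the minimum window and restart the count so the next
            # window again allows at most MAX_FAILED_ATTEMPTS guesses.
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            acct.audit.append((now, "locked"))
        return "denied"

    def admin_unlock(self, username: str, admin: str) -> None:
        """Early unlock by an administrator, recorded with who performed it."""
        acct = self.accounts[username]
        acct.locked_until = 0.0
        acct.failed_attempts = 0
        acct.audit.append((self.clock(), f"unlocked by {admin}"))


class FakeClock:
    """Test double: a clock that only moves when told to."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list[str]:
    """Seven wrong guesses lock the account; the correct password is refused
    while locked and accepted once the window has elapsed."""
    clock = FakeClock()
    store = CredentialStore(clock=clock)
    store.create("student", "glacier-saddle-quartz-lantern")
    results = [store.login("student", "wrong-guess") for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(store.login("student", "glacier-saddle-quartz-lantern"))  # still locked
    clock.advance(LOCKOUT_SECONDS)
    results.append(store.login("student", "glacier-saddle-quartz-lantern"))
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter for the audit requirements elsewhere in this standard: every outcome (success, failure, lock, attempt while locked, administrator unlock) lands in the per-account audit list with a timestamp, and the comparison uses hmac.compare_digest so a wrong guess cannot be distinguished by timing from a nearly right one.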
Password Management
Password Policy Enforcement
- System Enforced Policies: All systems must technically enforce Reed's password standard rather than relying on users to comply voluntarily.
- Automated Policy Checks: Regularly run automated checks to ensure compliance with password policies and report any violations to the security team.
Multi-Factor Authentication (MFA) Integration
- Phishing-resistant MFA: Implement MFA for all systems that handle sensitive data or are critical to Reed’s operations, preferring phishing-resistant methods such as FIDO2/passkeys. MFA should be used in addition to strong passwords to enhance security.
- MFA Logging: Record all MFA attempts, including both successful and unsuccessful ones. Logs should capture the method used, time, and any anomalies detected during the authentication process.
Monitoring and Auditing Password Use
- Regular Audits: Conduct regular audits of password usage, focusing on compliance with the established standards. Identify and address any non-compliance promptly.
- Anomaly Detection: Implement systems that monitor password-related activities for anomalies, such as unusual login times or locations, and flag them for further investigation.
- Incident Response: Ensure that any incidents related to password breaches are logged and handled according to Reed’s incident response plan. Document actions taken and lessons learned.
Compliance Requirements
NIST (National Institute of Standards and Technology)
- Align password practices with NIST SP 800-63B guidelines: This includes ensuring that password policies meet NIST's requirements for digital identity, password strength, and lifecycle management.
- Audit and Accountability: Ensure that all password-related activities are logged and auditable in compliance with NIST standards.
GLBA (Gramm-Leach-Bliley Act)
- Protect Financial Information: Ensure that passwords used to access financial data are compliant with GLBA’s Safeguards Rule. This includes changing passwords promptly when compromise is suspected (see Password Change Frequency) and the use of MFA for sensitive information.
- Documentation and Review: Maintain records of password policies and review them regularly to ensure they meet GLBA requirements.
FERPA (Family Educational Rights and Privacy Act)
- Safeguard Educational Records: Ensure that passwords protect access to student educational records, with strict controls to prevent unauthorized access as required by FERPA.
- Audit Trails: Keep detailed audit trails of password changes and access attempts for systems managing educational records, ensuring compliance with FERPA.
Oregon Consumer Privacy Act (SB-619)
- Support Consumer Privacy Rights: Ensure password practices support compliance with Oregon SB619 by protecting consumer data and allowing consumers to exercise their rights, such as data access and correction.
- Data Protection Assessments: Include password management practices in Data Protection Assessments (DPAs) required under Oregon SB619.
Roles and Responsibilities
System Owners
- Enforce Password Policies: System owners are responsible for implementing and enforcing password policies on their systems, ensuring that passwords meet Reed’s standard.
- Review Access Logs: Regularly review access logs to detect any suspicious activities related to password use.
Security Team
- Monitor Password Practices: The security team must monitor password-related activities and respond to any detected security incidents promptly.
- Conduct Audits: Regularly audit password management practices to ensure compliance with standards and regulatory requirements.
IT Operations
- Maintain Password Management Tools: IT operations must ensure that password management tools and systems are up to date and secure.
- Support MFA and Policy Enforcement: IT operations should assist in the deployment and management of MFA and automated policy enforcement tools.
Compliance and Penalties
Auditing and Assessment
- Regular Audits: Conduct thorough and regular audits of password management practices, document findings, and take appropriate corrective actions.
- Policy Updates: Review and update password management policies regularly to reflect changes in regulations and organizational needs.
Continuous Compliance Monitoring
- Ongoing Monitoring: Implement continuous monitoring of password management practices to ensure ongoing compliance, with alerts for potential issues.
Revision History
| Date | Comment | By |
| --- | --- | --- |
| 08/15/2024 | Original content | Raj Chauhan |
| 10/30/2025 | Password complexity removed + other changes | Pete Halatsis |
| 11/10/25 | Increase failed login attempts and decrease auto unlock duration | Valerie Moreno |
| 12/5/2025 | Add link to password safety guidance | CPPC |