PURPOSE:
The purpose of this policy is to establish minimum standards for the creation, management, and protection of all passwords used to access ICOM's information systems, networks, and data. Strong passwords are a critical security control and serve as the primary line of defense against unauthorized access to institutional resources, thereby protecting the confidentiality, integrity, and availability of ICOM data.
SCOPE:
This policy applies to all individuals who meet any of the following criteria:
- Users responsible for an account (or any form of access that supports or requires a password or passphrase) on any system owned, leased, managed, or used by ICOM, including on-premises systems and cloud-based services (including SaaS applications).
- Users with access to ICOM's wireless network.
- Users who store, access, or process any non-public ICOM information, regardless of the system or location.
- This policy includes all ICOM faculty, staff, students, contractors, vendors, affiliates, and any other individuals granted access to ICOM's IT resources.
DEFINITIONS:
- Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction.
- Password: A secret sequence of characters used to verify the identity of a user and grant access to a system or resource.
- Passphrase: A longer, more memorable sequence of words used as a password. Passphrases can often be more secure than traditional passwords due to their length.
- SaaS Application (Software as a Service): A software delivery model in which software is hosted by a vendor and made available to customers over a network, typically the internet, usually on a subscription basis.
POLICY:
Password Complexity Requirements: All passwords must meet the following minimum complexity requirements:
- Minimum Length: Passwords must be at least 8 characters in length.
- Character Diversity: Passwords must include characters from at least three of the following four categories (if available):
- Uppercase letters (A-Z)
- Lowercase letters (a-z)
- Numbers (0-9)
- Special characters (e.g., !@#$%^&*()_+=-`~{}|;':",./<>?)
- Prohibited Content: Passwords must not contain:
- The user's username or parts of their name.
- ICOM or related terms (e.g., "IdahoCOM," "ICOMMed").
- Commonly used words, dictionary words (in any language), or easily guessable patterns (e.g., "password," "123456").
- Personal information such as birthdates, phone numbers, or addresses.
Password Reuse: Users should avoid reusing passwords across different ICOM accounts or services. Additionally, users should avoid reusing personal passwords for ICOM accounts.
Password History: The system should enforce a password history of at least five previously used passwords, preventing users from immediately reusing old passwords.
Password Age (Expiration): All passwords must be changed at least every 365 days. The system should notify users prior to password expiration.
Multi-Factor Authentication (MFA): Multi-Factor Authentication (MFA) must be enabled and used for all accounts that access confidential or restricted ICOM information, or where available and deemed appropriate by the Information Technology Office. Users are responsible for enrolling in and utilizing MFA as required.
Password Managers: The use of an ICOM approved password manager application is encouraged to help users create and manage strong, unique passwords for their various accounts. Users are responsible for ensuring the security of their password manager master password.
Vendor and Contractor Passwords: Vendors and contractors with access to ICOM systems must adhere to the requirements of this policy. ICOM departments sponsoring vendor access are responsible for ensuring vendors are aware of and comply with this policy.
Account Lockout: After a specified number of unsuccessful login attempts (e.g., 5 attempts), user accounts will be temporarily locked out for a defined period (e.g., 30 minutes).
Password Storage and Transmission: Passwords must never be stored in plain text. ICOM systems will store passwords using strong encryption and hashing algorithms according to the Data Encryption Policy. Passwords must never be transmitted via insecure channels such as email or instant messaging.
ENFORCEMENT:
Failure to comply with this Password Policy may result in disciplinary actions, up to and including warnings, suspension of account access, and termination of employment or access privileges, consistent with other ICOM policies and procedures. The Information Technology Office will monitor compliance with this policy and may require users with non-compliant passwords to reset them.
EXCEPTIONS:
Exceptions to this Password Policy may be granted in limited circumstances by the Chief Information Officer or designated authorization authority, with appropriate justification, documented risk assessment, and approved compensating security controls. All exception requests should be submitted in writing to the Information Technology Office.
POLICY REVIEW AND UPDATES:
This Password Policy will be reviewed and updated at least annually, or as needed to reflect changes in technology, threat landscape, best practices, or regulatory requirements. The Chief Information Officer is responsible for coordinating the review and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 8/23/21
Last Reviewed: 7/8/25
Review Requirement: Annual