Usernames and Passwords

  Document Title

Username and Password Policy

Executive Summary

Clemson University is highly diversified in the information that it collects and maintains on its community members. It is the university’s responsibility to be a good steward and custodian of the information with which it has been entrusted, a responsibility that must be upheld by all members of the university. While Usernames will be considered public information, their corresponding passwords are the first line of defense in providing computer and information security at Clemson University. It is first the individual’s responsibility to maintain the security of their password while maintaining a certain level of complexity within that password so as not to allow for breaches of that Username. Username and password management is a significant part of our overall solution to improve security within Clemson University. The overall protection of the data assets must begin with the individual who has access to them.

This policy outlines how Usernames will be created and how a user will be required to choose a password that is considered to be strong given best practices as they exist currently. Additional requirements outlined in this policy cover the creation of default passwords, changing of passwords, and resetting of passwords. Each user of computing resources at Clemson University is expected to adhere to this policy, both in their access to network resources and locally on their university-owned system, as outlined in the policy.

Purpose

The purpose of this policy is to establish the guidelines and requirements for Usernames and passwords used to grant authorized users access to Clemson University’s network. Guidelines and accepted practices will be established to provide for the creation of strong passwords, protection of passwords, and frequency of change for those passwords.

Policy

It is the policy of Clemson University that all faculty, staff and students will be issued at least one Username that is to be protected by a password to enable them to complete the academic and business needs of the University. (There are occasions when an employee may need additional Usernames.) Where appropriate and upon need, Usernames may be created for non-university employees. It is the responsibility of the user to create a strong password and to safeguard its confidentiality. At no time should the user grant access to his/her account by providing someone else the password.

Passwords for workstations are to follow the same rules as passwords for network accounts. (See Changing of Passwords in the General Guidelines of this policy.) Departmental or system policies may require workstations to have password-protected screensavers with an inactivity limit set by the departmental or system policy.

Passwords for commonly administered systems and servers should be changed in accordance with departmental policy. In some instances, due to contract or research requirements, departments may place more stringent requirements on passwords.

Knowing the correct Username and password combination does not constitute authorization for access; prior authorization to access an account must have been granted.

Disciplinary Sanctions

All activity done from a university Username is the responsibility of the individual to whom the account is assigned.  All activity done from a university computer is the responsibility of the person logged onto that computer. The university will impose disciplinary sanctions on students/employees who violate the above policy. The severity of the imposed sanctions will be appropriate to the violation and/or any prior discipline issued to that student/employee.

All suspected violations of this policy will be investigated by the Office of Information Security and Privacy. In certain situations other university, state, or federal representatives might be included in those investigations.

Communications

  • President
  • Provost
  • Vice Presidents
  • Vice Provosts
  • Deans
  • Directors/Department Heads
  • All Faculty, Staff, and Students

General Guidelines

Usernames

Computer Usernames are not confidential data and are published in both printed and online directories.

Creation of Usernames

Student Usernames – A student Username is generated and maintained for each person who is currently enrolled or has been accepted for admission within the coming year and has arranged an orientation date. These conditions are checked daily. Usernames previously established for students remain active over summer break. The Usernames of students who no longer meet these conditions are marked for deletion. Following graduation, student Usernames remain active for a year.

Employee Usernames – An employee Username is automatically generated when appointment transactions for employees are posted in the CUBS system. Each new employee receives a letter from Computer Resources that explains how to use the Username and various resources. Usernames are disabled when employee terminations are posted in CUBS. A Username can be disabled immediately if the department head contacts Human Resources. Authorized access to secure data cannot be automatically created. Departments may request data access for individual employees who require this type of access.

Departments may request Usernames for future employees if they contact Computer Resources with name, employee Clemson University ID (CUID) number, and department number before appointment. In these cases, Computer Resources will select a Username or assign a requested one if it has not been used. Computer Resources sends each new employee a memo listing the Username and explaining its use. Requests for employee Usernames for student employees must originate with the sponsoring department.

Miscellaneous Usernames – These are issued upon request by Computer Resources. They remain active until a request to disable them is received.

Creation of Passwords

Passwords for new employee Usernames are set by default to the last five digits of the employee’s social security number. Passwords for new student Usernames by default are the last four digits of their social security number. In both cases the passwords are marked “expired” and must be changed during the first login attempt.  The user will be prompted for this on their first successful login attempt.

Resetting of Passwords

Users may reset their own password at any time. If you feel that your password or its security has been compromised, you are strongly encouraged to reset your password. Users who forget their password may request a new password. Employee Username passwords are reset by Computer Resources; student passwords are reset by the Help Desk. Verification of some personal information will need to be provided in order to complete this request.

Changing of Passwords

A strong password is your best defense against cyber criminals. A good password is easy to remember but hard to guess. Here are some tips for creating a strong password:

Consider a passphrase

A passphrase is a sentence or sequence of case-sensitive words that can include spaces and punctuation. Choose a phrase that is easy for you to remember, but difficult to guess. Things like song lyrics or well-known sayings or slogans can be easy for cyber criminals to guess. Passphrases benefit from their length, making them more difficult to crack (we recommend a minimum length of 15 characters). Passphrases can also be a sentence of unlikely words, but make sure it’s one you can remember.

You can also take a phrase and turn it into a password by using the first letter of words and adding numbers with special characters. Also avoid using anything related to your personal information.

Examples:

  • I like to buy chocolates on Wednesdays!
  • Crow hockey battle
  • tCUt1g#rsN$d1E! (this could be created from “The Clemson Tigers never say die”)

Use a mix of letters, numbers and symbols

Mixing numbers, symbols, upper case and lower case letters makes your password more difficult to guess. The more characters you use, the more secure the password will be. Again: make sure it’s something you will remember. A strong password won’t make any difference if you can’t use it.

Unique account, unique password

Re-using passwords for multiple accounts means that if someone were to learn one of your passwords, they could in turn gain access to more of your data and information.

Things to avoid

  • Using your username or any derivative
  • Using personal information easily obtained about you. Your name, your license plate, your pet, your phone number, etc.
  • Any keyboard sequence, like qwerty or zxcvbn
  • Repeated phrases like “blah blah blah blah”
  • Revealing your password to anyone
  • Writing your password down
  • Using any example password you find, including one from this guide

The password change utility can be found at https://login.clemson.edu/changepass.php.

Definitions

Employee Username – Generated and issued automatically to each individual on the Clemson payroll in a classified or unclassified position.

Student Username – Generated and issued automatically to students as part of the enrollment process.

Miscellaneous Username – Issued upon request to Computer Resources. They remain active until a request to disable them is received. The Usernames set up for temporary employees and contract workers are manually controlled by expiration date. There are three types of miscellaneous Usernames: external, shared, and generic. External Usernames are issued to individuals not employed by the university but associated with it in a contract or adjunct role. Shared Usernames, issued in rare circumstances, are used by several people temporarily to perform functions such as training. Generic Usernames are issued for specific purposes for applications requiring a system or network Username.

References and Related Documents

Acceptable Use Policy for Students

Acceptable Use Policy for Employees

Revisions

Updated “Changing of Passwords” September 21, 2017

Administrative Update: Dec 1, 2009

Next Review: February 2009

Approvals

IT Council, February 2008

Information Security & Privacy at Clemson

The Office of Information Security and Privacy is part of CCIT's Customer Services & Information and Privacy department, led by Hal Stone.

In addition to overseeing CCIT information policies and standards, the group serves to inform users and support personnel of possible threats to Clemson University computing resources and to disseminate recovery information quickly so that minimum downtime is experienced.
