Guideline for Account Passwords

Per ISO/IEC 27002, users should only be provided with access to the network and network services that they have been specifically authorized to use.  Where required, access to systems and applications should be controlled by a secure log-on procedure.  Password management systems should be interactive and should ensure quality passwords.

I.  Purpose

Passwords are the front line of protection for user accounts and information. The following guidelines will enable every member of the UNC Charlotte community to better protect their accounts and University information resources and reduce the risk of compromise. For more information on password requirements, please see the Standard for Account Passwords.

II.  Background

Information & Technology Services (ITS) helps protect UNC Charlotte data from unauthorized access or inappropriate use by enforcing technical and procedural security controls, including password controls for the University’s NinerNET credentials used to access most services on campus. It is important to understand why a strong password matters when setting up access to any University system. One of the most common methods attackers use to guess passwords is to systematically try potential passwords until they manage to break into an account. Attackers frequently use dictionary files to generate lists of possible passwords. By choosing passwords that are easy to remember but hard for an attacker to guess, you will significantly improve the security of your computer and data.

III.  Scope

The guideline applies to all UNC Charlotte staff, faculty, students, associates, affiliates, contractors, volunteers, or visitors who have or are responsible for an account (or any form of access that supports or requires a password) on any system housing university information or that has access to the UNC Charlotte network.

IV.  Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance at ISCompliance-group@uncc.edu.

V.  Guidelines

  • Passwords should never contain your last name, first name, email address, or the words “pass” or “word”.
  • Always avoid using dictionary words in your passwords.  This includes foreign language words and proper nouns.
  • Consider using a “passphrase” that will be easy to remember and substitute some letters with numbers or symbols.
  • All passwords must be treated as confidential information.  If someone asks you for your password, refer him or her to this guideline.
  • Passwords used to gain access to University systems should not be used to access non-University accounts or information.
  • Do not use the “Remember Password” feature of applications.  These features typically do not adequately protect passwords, and it may be possible for a computer virus or unauthorized user to gain access to this information.
  • Do not store passwords in a file on any computer system (including mobile devices) without using strong encryption.
  • If you feel you must write down your password in order to remember it, do not label it as your password, and keep it in a safe place.
  • If you know or suspect your account or password has been compromised, report the incident to ITS and change the password immediately.
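The first three guidelines above describe checks that a password-change form or account-provisioning tool can enforce automatically. The following is an added example of such a composition check, written for this page and not code from UNC Charlotte ITS or from any University system: it rejects passwords that contain the user’s first name, last name, or email address (including the part before the “@”), the words “pass” or “word”, or a dictionary word, and it undoes common letter-for-symbol substitutions first so that a lightly disguised dictionary word is still caught. The `UserContext` class, the `check_password` function, and the small word list are all assumptions constructed for the example; a real deployment would load a full dictionary file, including foreign-language words and proper nouns, as the guideline recommends.

```python
"""Password-composition checker modelled on the account password guideline.

Added example, not UNC Charlotte / ITS code. SAMPLE_DICTIONARY is a tiny
constructed word list standing in for a real dictionary file.
"""
from dataclasses import dataclass

# Constructed sample dictionary; a real check would load a full wordlist.
# Foreign-language words and proper nouns are included deliberately.
SAMPLE_DICTIONARY = {
    "summer", "password", "charlotte", "welcome", "dragon", "monkey",
    "niner", "bonjour", "london",
}

# Common number/symbol substitutions, reversed before the dictionary check
# so that "Summ3r!" is still recognised as the dictionary word "summer".
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


@dataclass
class UserContext:
    """Account details the password must not contain (hypothetical type)."""
    first_name: str
    last_name: str
    email: str


def _normalise(text: str) -> str:
    """Lower-case and undo letter-for-symbol substitutions."""
    return text.lower().translate(LEET_MAP)


def check_password(password: str, user: UserContext,
                   dictionary=SAMPLE_DICTIONARY) -> list[str]:
    """Return a sorted list of guideline violations; an empty list means the
    password passes the composition rules."""
    problems = set()
    pw = password.lower()

    # Rule: never contain last name, first name, email address, or "pass"/"word".
    local_part = user.email.split("@")[0].lower()
    forbidden = {
        user.first_name.lower(): "first name",
        user.last_name.lower(): "last name",
        user.email.lower(): "email address",
        local_part: "email username",
        "pass": 'the word "pass"',
        "word": 'the word "word"',
    }
    for needle, label in forbidden.items():
        if needle and needle in pw:
            problems.add(f"contains {label}")

    # Rule: avoid dictionary words, even after number/symbol substitutions.
    normalised = _normalise(password)
    for word in dictionary:
        if len(word) >= 4 and word in normalised:
            problems.add(f"contains dictionary word {word!r}")

    return sorted(problems)


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    demo_user = UserContext("Norm", "Niner", "nniner@uncc.edu")
    for candidate in ["Norm2024!", "Summ3r!", "password1", "Xq7!vRz2#mLp"]:
        result = check_password(candidate, demo_user)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Running the module prints one line per candidate: the first three are rejected (first name, a substituted dictionary word, and a password built from “pass”/“word”), while the last passes. The substring match is deliberately strict, because the guideline says “contain”, not “equal”; the substitution map is what turns a plain word list into a check that also catches the disguised forms attackers already include in their guessing lists.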

Related Resources

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 9/04/14
Reviewed 11/05/15