Password Policy

Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of York College’s entire network. As such, all York College employees (including contractors and vendors with access to York College systems) and students are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. All use of York College accounts is assumed to be performed by the person assigned to that account. Account owners are held responsible and liable for all activities with their accounts.

Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, frequency of change, and resetting of passwords on York College systems.

Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any York College facility, has access to the York College network, or stores any non-public York College information.

Policies

  • Passwords are only one layer of security. At least two additional Multi-Factor Authentication (MFA) methods must be set up (currently available by going to My Password in the My Apps portal).

  • Users will be required to respond to MFA prompts off campus when accessing YCP systems and may be occasionally required to respond to them on campus. 

  • Users must not insert passwords into email messages or other forms of electronic communication.

  • Initial passwords are to be set to a unique value per user. An initial password shall only be valid until the first successful user authentication and must be changed by the user after first use.

  • All passwords are to be at least eight (8) characters in length.

  • Group and shared passwords are explicitly prohibited at York College.

  • Password complexity will be set to require at least three out of the four types of characters:

    • Uppercase letters

    • Lowercase letters

    • Numbers

    • Special characters (e.g., !, @, #, $, %, ^, &, *)

  • All system-level passwords (e.g., root, enable, admin, application administration accounts, etc.) must be a minimum of 10 characters and conform to the complexity requirements above.

  • Password parameters will be set to require that new passwords cannot be the same as the four previously used passwords.

  • Passwords must NOT contain your username in any form.

  • Accounts will be locked out after multiple failed login attempts and will remain locked for a specific period of time. The LTS helpdesk should be contacted whenever assistance with account lockout is needed.

Password Reset

A system and session idle timeout feature will be set on all systems to time out after being idle for 15 minutes. If you have forgotten your password, you can use the "My Password" link available on the front page of the My Apps portal. You will be required to enter your YCP username and ID number, and you must already have registered a cell phone number and/or personal email address to receive your temporary password. If you are unable to receive the temporary password or you are an administrator or staff member, you will need to contact us and we will further assist you in resetting your password.

General Password Construction Guidelines

York College uses Single Sign-On (SSO) technology to enable students and employees to use one username and password combination to access multiple systems and applications, such as My Apps, YCPWeb, G Suite, and Canvas. Although SSO makes accessing York College systems more convenient, it also places greater importance on selecting a strong password that is difficult to guess. Students and employees are strictly prohibited from sharing their YCP password and additional verification codes with anyone for any reason. The use of a password manager that can generate strong passwords and store them is strongly encouraged.

Strong passwords have the following characteristics:

  • Contain both upper and lower case characters (e.g., a-z, A-Z) as well as numbers

  • Are at least eight alphanumeric characters long and are a passphrase (e.g., Ohmy1stubbedmyt0e)

  • Do not contain words found in a dictionary or other commonly used slang words in any form including backwards

  • Do not contain trivial letter or number patterns such as aaabbb, qwerty, 12345678, 123321, etc.

  • Are not based on personal information such as birth dates, addresses, phone numbers, or names of family members, pets, friends, or co-workers

Passwords should be hard to guess but easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. NOTE: Do not use any of these examples as passwords!

Password Protection Standards

Do not use the same password for York College accounts as for other non-York College access (e.g., personal bank account, option trading, benefits, etc.). Do not share York College passwords with ANYONE, including family members, co-workers, administrative assistants or supervisors. Passwords must never be sent in an email or instant message. Passwords must never be written down or stored in a file on any computing device (including laptops, smart phones, tablets or similar devices) without using encryption. All passwords are to be treated as sensitive, confidential York College information.

The York College LTS Department will NEVER ask you to reveal your password at any time. If you are asked to reveal your password via telephone, email, or in person by anyone claiming to be a York College official or LTS Department staff member, do not respond. Report the incident immediately to us.

If an account or password is suspected to have been compromised, report the incident to the LTS Help Desk and change all passwords.

Enforcement

Users who violate this policy may be denied access to College computing resources and may be subject to other penalties and disciplinary action, including possible expulsion or dismissal. Alleged violations will be handled through the college disciplinary procedures applicable to the user. The College may suspend, block or restrict access to an account, independent of such procedures, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of the College or other computing resources or to protect the College from liability. The College may also refer suspected violations of applicable law to appropriate law enforcement agencies.

 

Revised 1/8/2026

 

Details

Article ID: 18720
Created: Mon 3/11/24 2:17 PM
Modified: Mon 1/19/26 10:02 AM