Statement of Policy
Lehigh University has expanded the use of both intranet- and Internet-based electronic resources to the extent that having the highest level of electronic security is critical to protect on-line data related to University student information, instruction, research, and administrative systems. As an accepted industry standard, and upon recommendation of both the University's internal and external auditors, the University is implementing the periodic and systematic changing of passwords during each calendar year. While this policy applies directly to computer systems operated by Library and Technology Services, conformity with this policy is strongly recommended for all departments operating their own internal computing resources.
While experts in the electronic security field agree that one of the most effective security measures is the periodic changing of system passwords, the recommended frequency of change is less certain. In keeping with the realities of an academic environment, all students, faculty, and staff are required to change their primary network passwords (e.g., LAN, e-mail) every 6 months, typically once in the Fall semester and again in the Spring semester; those accounts scheduled to expire in the Summer months will remain open until September. Additional passwords to administrative systems will be required to change every 6 months on an ongoing basis.
Passwords must be at least 8 characters in length and contain at least one alphabetic character and at least one numeric or punctuation character; proper names and dictionary words should be avoided as passwords. As an additional security measure, no unencrypted passwords will be accepted by any system operated by Library and Technology Services; encrypting the password in transit is handled by the web browser, e-mail client, or other software through which the connection is established.
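As an added illustration (not part of the University's policy or software), the following Python check applies the composition rules above to a candidate password and reports every rule it fails; the dictionary and proper-name lists are small constructed stand-ins for the full word lists a real deployment would use.

```python
import string

# Constructed sample word lists standing in for a real dictionary and a
# real name list (assumption: a deployment would load full lists instead).
DICTIONARY_WORDS = {"password", "welcome", "lehigh", "mountain", "library"}
PROPER_NAMES = {"john", "mary", "smith", "asa", "packer"}

MIN_LENGTH = 8
PUNCTUATION = set(string.punctuation)


def check_password(candidate: str) -> list[str]:
    """Return the list of policy rules the candidate violates.

    An empty list means the candidate satisfies every composition rule:
    minimum length, at least one letter, at least one digit or punctuation
    character, and not based on a dictionary word or proper name.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    if not any(c.isdigit() or c in PUNCTUATION for c in candidate):
        problems.append("no numeric or punctuation character")
    # "Avoid dictionary words and proper names": compare only the letters
    # of the candidate (digits and punctuation stripped, case folded), so
    # trivial decorations such as "password1!" are still rejected.
    core = "".join(c for c in candidate if c.isalpha()).lower()
    if core in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")
    if core in PROPER_NAMES:
        problems.append("based on a proper name")
    return problems


def is_compliant(candidate: str) -> bool:
    """True when the candidate passes every rule in check_password."""
    return not check_password(candidate)
```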
In specific areas of compliance where longer or more complex passwords, greater change frequency, or multi-factor authentication is required (e.g., PCI DSS compliant passwords), users will be required to follow the more restrictive policy for those areas rather than this general access policy.
Implementation of Policy
Passwords on all new computing accounts are set to expire 6 months from the date the account is opened. For primary network passwords, daily e-mail warnings will be sent to the account starting two weeks prior to the password expiration and continuing until the password is changed or until the password expires; the e-mail messages will direct individuals to the password change web page at http://www.lehigh.edu/change where the password can be changed. Passwords on administrative systems are handled directly by those systems. Upon expiration of those passwords, the user will be prompted to change the password upon the next login, or, depending on the system, may have a small number of grace logins prior to requiring a password change.
Any user who is locked out of his or her account or who has forgotten a password can go to the account maintenance web page at http://www.lehigh.edu/open and reset the password through the challenge questions set when the account was created or last modified. Those who are unsuccessful with this process, as well as any user locked out of an administrative account, will need to bring a valid University picture identification card to the Computing Center, room FM 394 or FM 294 (primary network passwords only), to have the password reset. Those unable to appear in person with an ID card will be required to contact either the Registrar's Office (for students) or Human Resources (for faculty and staff) for identity verification.
Account Naming Conventions
Account names are assigned by an automated process when the person is added to the Banner system. The naming syntax is the individual's three initials, a unique (sequential within the process) one-digit number or character starting at 2, and a two-digit year. For first-year students, the two-digit year is the expected year of graduation; for everyone else, it is the year the account was opened. Accounts opened prior to the fall of 2004 consist of the first four characters of this naming convention (i.e., without the year).