Última modificação: março 19, 2025

Policy No. 4204 Password Procedure

Download Password Procedure Document

Visão geral

Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or the entire network. This guideline provides best practices for creating secure passwords.

Finalidade

The purpose of this procedure is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

Scope/Responsibility

This procedure applies to all personnel and entities working on behalf of the district who have or are responsible for any account (or any form of access that supports or requires a password) on any system that resides at or is connected to any PCSD facility.

Procedimento

To minimize the possibility of unauthorized access, all passwords should meet or exceed the guidelines for creating strong passwords.

Password Characteristics

Strong passwords:
- Contain at least 12 alphanumeric characters
- Contain both upper and lowercase letters
- Contain at least one number (e.g., 0-9)
- Contain at least one special character (e.g., !$%^&*()_+|~-=\`{}[]:”;'<>?,/)
Poor or weak passwords:
- Contain less than eight characters
- Can be found in a dictionary, including foreign languages, or exist in slang, dialects, or jargon
- Contain personal information such as birth dates, addresses, phone numbers, names of family members, pets, friends, or fictional characters
- Contain work-related information such as building names, mascots, hardware, or software
- Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321
- Contain common words spelled backward or preceded/followed by a number (e.g., terces, secret1, or 1secret)
- Are some version of “Welcome123,” “Password123,” or “Changeme123”

Password Best Practices

Users must not use the same password for PCSD accounts as for other non-PCSD access (e.g., personal email, shopping sites, social media).
Where possible, users must not use the same password for various PCSD access needs.
User accounts with system-level privileges (e.g., PowerSchool) must have a unique password for system-level privileges unless using 2-factor authentication.
Users should never write down or store passwords without acceptable encryption.
Create passwords that can be remembered easily. One method is using a phrase, e.g., “This May Be One Way To Remember” could become TmB1w2R!

Password Change Requirements

All system-level passwords (e.g., root, admin, application admin accounts) must be changed at least quarterly.
All user-level passwords (e.g., email, web, desktop computer) must be changed at least annually. The recommended interval is every four months.
Password cracking or guessing may be performed periodically by the InfoSec team. If a password is compromised, the user must change it immediately.
Systems that can enforce password changes must do so regularly.
Default passwords must be changed during initial setup and configuration.

Password Security and Management

The Technology Help Desk manages forgotten passwords and resets. Users must verify their identity before a reset is granted.
Passwords must not be shared with anyone, including administrative assistants, secretaries, managers, co-workers, or family members.
Passwords must not be included in emails or other electronic communications.
Users should never reveal passwords in questionnaires or security forms.
Users must not hint at the format of a password (e.g., “my family name”).
Do not write passwords down and store them in an office or unencrypted file.
Do not store passwords in a file on a computer or mobile device without encryption.
Never use the “Remember Password” feature in applications (e.g., web browsers).
If a user suspects their password has been compromised, they must report it to their supervisor and change all passwords immediately.
Use auto-logout on systems that allow it.

Last Update Status:

Updated January 2015