Password Policy

Executive Summary

The security of Barnard College user accounts has become critically important with the increasing growth of on-line information, services, and resources that rely on centrally issued accounts for authentication and authorization.  It is the responsibility of both the institution and the individual user to safeguard the security and integrity of each person's identity and guard against unauthorized access and use of their account.  
The password for an individual's account is the sole key for protecting that account and the Barnard resources that the account can access.  It proves their identity, authorizes them to access and control important personal and institutional information, grants rights to licensed resources, and allows others to trust the identity of the person linked to their assigned user account.  Therefore, the strength and privacy of that password is of paramount importance.

Reason for This Policy

This policy specifies certain minimum components for a strong password, and requirements for maintaining the privacy of a user account password.  As part of this policy, BCIT will create and maintain information for users on recommendations and resources for password strength and management best practices.

Who Is Responsible for This Policy

Barnard's Vice President for Information Technology or her designee is responsible for the maintenance of this policy and for responding to questions regarding this policy. The College reserves the right to amend this policy and to limit or restrict the use of its electronic information resources at its sole discretion.

Who Is Governed by This Policy 

This policy applies to all individuals who access, use, or control College electronic resources. Those individuals include, but are not limited to faculty, staff, students, those working on behalf of the College, and individuals authorized by affiliated institutions and organizations.  

Policy Statement

All user accounts require a password that meets the following requirements:

  • Length:  The password must be at least 8 characters long
  • Complexity:  Must contain at least 3 of the following four categories:
    • An English uppercase characters (A - Z)
    • An English lowercase characters (a – z)
    • A Number
    • A Non-alphanumeric (e.g., !@#$^*)(_=<>&%+)
  • Name:  Passwords cannot contain 3 or more consecutive characters from the user’s first name, last name or username.
  • Expiration:  Passwords should be changed by Faculty at least every 12 months and by Administrators every 6 months due to their access to sensitive information.
  • Lockout:  10 or more unsuccessful logins must lockout the account for at least 30 minutes
  • History:  Passwords cannot be the same as the last 5 passwords used
  • Inactivity Timeout:  Sessions should be disabled after 15 minutes of inactivity

Please see the following document for tips on creating and maintaining a strong password:

Password Sharing

The sharing of passwords is prohibited.  If there is a need to share a password, i.e., an administrator or superuser account, compensating controls approved by BCIT must be used to ensure that every authentication can be associated with a uniquely responsible user.

Cross References to Related Policies 


Applicable Acts, Regulations, And Laws

  • Payment Card Industry Data Security Standard (PCI DSS):  A set of requirements designed to ensure the protection of payment card data.
  • Family Education Rights and Privacy Act (FERPA):  a federal law that protects the privacy of student education records.
  • Gramm Leach Bliliey Act (GLBA):  also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals.
  • Multijurisdictional data privacy requirements like the Massachusetts CMR 17 Standards for the Protection of Personal Information



Violations of these policies are adjudicated according to the procedures defined in the student or employee handbook and may result in the removal of electronic resources access and/or more serious sanctions.


Data is a stored collection of information that may include symbols, words, sounds or images.  
Personally Identifiable Information is nonpublic information relating to an individual that reasonably identifies the individual and, if compromised, could cause significant harm to that individual or to the college.  Examples may include, but are not limited to, Social Security numbers, credit card numbers, bank account information, student grades or disciplinary information, salary or employee performance information, donations, patient health information, information that the college has agreed to keep confidential and account passwords or encryption keys used to protect access to confidential college data.
Proprietary Information is data, information, or intellectual property in which the college has an exclusive legal interest or ownership right, which, if compromised, could cause significant harm to the college.  Examples may include, but are not limited to, business planning information, financial information, trade secrets, copyrighted material, research or comparable materials from a third party that the college has agreed to keep confidential.
Resources include data, networks, computers, and other devices that store or display data, communication devices, and software used on such devices, paper files, and other resources provided by the college.
Sensitive Information is any information whose disclosure could cause harm to the college or its constituents including Personally Identifiable Information and Proprietary Information.
Users refer to faculty, staff, students and any other individuals that may have access to the college’s resources.


For questions or comments: 
Barnard College Information Technology
Telephone: 212-854-7172 

Revision History

Policy Issued:  December 19, 2014