Password Practices and Standards Policy

  • Communications
  • Computing and Technology
Responsible Unit Brockport Information & Technology Services
Responsible Cabinet Member VP for Administration & Finance
Adoption Date Unavailable
Last Revision Date
Last Review Date

Policy Statement

The University has established a common mechanism - the NetID and corresponding password - through which individuals can uniquely identify themselves to the University, and through which the University can offer them the electronic services to which they are entitled.


In order to protect University information, computers and networks from unauthorized access, the University must take reasonable steps to ensure that passwords are protected.

The password requirements listed in this policy apply to all NetID accounts, and are considered a best-practice recommendation for other accounts. The password protection requirements listed in this policy apply to NetID and other passwords, PINs, or other credentials that exist to identify and authorize an individual for access to accounts, computers or systems meant for that person alone. Group accounts (e.g. an e-mail address for a student group), or resources assigned to more than one individual in an office or department (e.g. a voicemail password on the departmental extension) are excluded from the password protection requirements to the extent necessary to facilitate sharing of these resources among people who need to access them.

Where possible, these requirements are automated into University systems and processes.


There is no applicability provided for this policy at this time


There are no definitions for this policy at this time.

Policy Procedures

Password Protection Requirements

The following action is prohibited:

  • Reusing one of 4 previous passwords for the same account.

The following actions place passwords at risk, and are strongly discouraged:

  • Writing passwords down.
  • Sending passwords through email.
  • Storing passwords in a document that is not encrypted.
  • Telling your password to someone else, in person or over the phone.
  • Hinting at the format of your password.
  • Revealing your password on a form on the Web, other than to log into a University system to which you have access.
  • Using your University password for non-University accounts.

The following action is required:

In addition, students, faculty and staff are strongly encouraged to take certain actions to protect University passwords:

  • Be careful about letting someone see you type your password.
  • Report any suspicion of your password being compromised to the IT Service Desk.
  • If anyone asks for your password, report that person to the IT Service Desk.

NetID Password Requirements

Passwords should not contain:

  • Common acronyms
  • Common words or reverse spelling of words
  • Names of people or places
  • Part of your login name (NetID)
  • Parts of numbers easily remembered (e.g. phone numbers, social security numbers, street addresses)
  • Spaces

Passwords must contain:

  • At least 8 total characters
  • Capital and lowercase letters
  • At least 2 numbers or special characters

Links to Related Procedures and Information

There are no links for this policy at this time.

Contact Information

Policy Questions

Questions about the University Policy on Password Protections and Standards can be addressed to the IT Service Desk: (585) 395.5151 option 1, through our self-service portal, Service Now (login required).

History (in descending order)

Item Date Explanation
Next Review Date 2019-12 Five-year review
Adoption Date Unavailable Policy Adopted


There are no approvals for this policy at this time.