Password Policy
Overview
Passwords are a crucial element of computer security. They serve as the first line of defense for user accounts and protect sensitive information, including emails and files, from unauthorized access. A weak or poorly chosen password could lead to unauthorized access to The Seattle School’s network and compromise confidential data. All employees, volunteers, directors, contractors, and vendors with access to The Seattle School’s systems are responsible for selecting and securing their passwords according to the guidelines below.
Purpose
The purpose of this policy is to establish a standard for creating strong passwords, protecting those passwords, and determining how frequently they should be changed.
Scope
This policy applies to all individuals who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that resides at any Seattle School facility, has access to The Seattle School network, or stores any non-public Seattle School information.
Policy Detail
User Network Passwords
Passwords for Seattle School network access must follow these guidelines:
- Passwords must be at least 15 characters long.
- Passwords should include a combination of upper and lower case letters, numbers, and special characters.
- Use phrases, or the first letters of a line from a song or a saying, to make passwords hard to guess but easy to remember.
- Avoid using easily guessable information, such as your name, UserID, children’s names, pet names, or any other personal information that can be easily found.
- Do not use the same password for multiple accounts.
- Passwords must not be reused for at least one year.
System-Level Passwords
All system-level passwords must adhere to the following guidelines:
- Passwords must be changed every 180 days.
- Administrator account passwords must be at least 12 characters long and include a mix of three of the four following items: upper case letters, lower case letters, numbers, and special characters.
- Non-expiring passwords must be documented, and their requirements must be consistent with the standards for administrator accounts.
- Administrators must not bypass the Password Policy for convenience.
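As an added illustration that is not part of this policy and not The Seattle School's own tooling, the Python checker below turns the User Network and System-Level rules above into code: minimum length (15 for users, 12 for administrators), the character-class mix (a "should" for users, three of four classes for administrators), easily guessable personal terms, and reuse within one year. The formats of the `personal_terms` and `history` inputs are assumptions made for the example.

```python
import re
from datetime import date, timedelta

# Character classes named in the policy; a regex match means the class is present.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def class_count(pw):
    """Number of distinct character classes present in pw."""
    return sum(1 for rx in CLASSES.values() if rx.search(pw))

def check_user_password(pw, personal_terms=(), history=(), today=None):
    """Check a user network password against the User Network Passwords rules.
    personal_terms: strings such as a name or UserID that must not appear (assumed input).
    history: (old_password, iso_date_set) pairs; a real system would keep salted
    password hashes here, never plaintext (assumed representation for the example).
    Returns (errors, warnings): 'must' rules go to errors, 'should' rules to warnings."""
    today = date.fromisoformat(today) if today else date.today()
    errors, warnings = [], []
    if len(pw) < 15:
        errors.append("must be at least 15 characters")
    if class_count(pw) < 4:
        warnings.append("should combine upper, lower, numbers and special characters")
    lowered = pw.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            errors.append(f"contains easily guessable information: {term!r}")
    for old, set_on in history:
        if old == pw and today - date.fromisoformat(set_on) < timedelta(days=365):
            errors.append("reused within one year")
            break
    return errors, warnings

def check_admin_password(pw):
    """Check an administrator password: at least 12 characters and three of four classes."""
    errors = []
    if len(pw) < 12:
        errors.append("must be at least 12 characters")
    if class_count(pw) < 3:
        errors.append("must include three of the four character classes")
    return errors

if __name__ == "__main__":
    print(check_user_password("correcthorsebatterystaple"))   # constructed sample
    print(check_admin_password("administrator1"))             # constructed sample
```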
Password Protection
General Protection Guidelines
- Passwords must be treated as sensitive, confidential information.
- Do not share passwords with anyone, including coworkers, managers, or family members. The Seattle School’s IT Department will never ask for your password.
- Do not write down passwords or store them in an unencrypted form. Use a password manager such as LastPass, KeePass, Dashlane, or TrueKey to store and manage passwords securely.
- Do not send passwords via email or reveal them over the phone. Never disclose passwords on questionnaires or security forms.
- Avoid hinting at the format of your password (e.g., “my family name”).
Electronic Protection
- Stored passwords must be encrypted.
- Do not use auto logon, application remembering, embedded scripts, or hard-coded passwords in client software to circumvent password entry. Exceptions require IT approval and must include a procedure to change the passwords.
- Ensure that your PC is not left unattended without enabling a password-protected screensaver or logging off.
Security and Incident Response
- If you suspect that the security of your password has been compromised, change it immediately and report the incident to IT.
- If you discover an exposed password, secure it so that it cannot be read by others and report the incident to IT.
Protecting Against Phishing
- Be cautious of phishing attempts, which may try to deceive you into revealing your password. These attempts often involve fraudulent emails or websites designed to look like trusted sources.
- Always verify that a website starts with ‘https’ and check for browser indicators that the site is secure.
- Instead of clicking on links in emails, type the URL directly into the browser.
- Look for signs of phishing, such as poor grammar or misspellings in emails, and report any suspicious activity to IT.
Password Resets
- When IT receives a password reset request from a student, the identity of the student must first be confirmed via the personal account listed in Populi.