{"id":9604,"date":"2025-06-26T10:39:44","date_gmt":"2025-06-26T14:39:44","guid":{"rendered":"https:\/\/www.bates.edu\/ils\/?page_id=9604"},"modified":"2026-02-09T12:48:34","modified_gmt":"2026-02-09T17:48:34","slug":"bates-college-password-policy","status":"publish","type":"page","link":"https:\/\/www.bates.edu\/ils\/bates-college-password-policy\/","title":{"rendered":"Bates College Passphrase Policy"},"content":{"rendered":"\n<h5 class=\"wp-block-heading\">1. Purpose<\/h5>\n\n\n\n<p>To establish secure passphrase requirements aligned with best practices and current National Institute of Standards and Technology (NIST) guidelines, ensuring the protection of Bates College&#8217;s information systems and data.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">2. Scope<\/h5>\n\n\n\n<p>This policy applies to all students, faculty, staff, contractors, vendors, and other authorized users who have access to Bates College information systems, including systems hosted or maintained by third-party service providers that store, process, or access Bates College data.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">3. 
Passphrase Requirements:<\/h5>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Minimum length: 18 characters\n<ul class=\"wp-block-list\">\n<li>Bates College requires passphrases to be at least 18 characters long for accounts used to access Bates College systems, services, or data.<\/li>\n\n\n\n<li>For legacy or third-party systems that do not support 18-character passwords, the longest allowable password must be used.<\/li>\n\n\n\n<li>System owners are expected to work with ILS to identify and phase out systems that cannot support minimum password standards.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Encouraged (Do this)<\/strong><\/th><th><strong>Avoid (Don&#8217;t do this)<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>Unrelated words:<\/strong> Use 4+ random non-sentence words that don&#8217;t relate to each other (e.g., pencil truck garden window).<\/td><td><strong>Natural Sentences:<\/strong> Avoid phrases that follow grammar or express a single idea (e.g., I love my green pumpkin).<\/td><\/tr><tr><td><strong>Personally meaningful:<\/strong> Use words that are easy for <em>you<\/em> to visualize but hard for others to guess.<\/td><td><strong>Common Quotes:<\/strong> Do not use song lyrics, passages from books or famous movie quotes.<\/td><\/tr><tr><td><strong>Random sequence:<\/strong> Ensure the words don&#8217;t form a sentence, follow normal grammar, or express a single idea or theme.<\/td><td><strong>Predictable Patterns:<\/strong> Avoid keyboard paths (e.g., qawsed12345) or sequential numbers.<\/td><\/tr><tr><td><strong>Unique to you:<\/strong> Create something that cannot be found in a dictionary or a list of common phrases online.<\/td><td><strong>Public References:<\/strong> Avoid using &#8220;Bates College,&#8221; your username, or easily discoverable personal info.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Examples:\n<ul 
class=\"wp-block-list\">\n<li>candle velvet train tab \u2013 23 characters<\/li>\n\n\n\n<li>cable boppie collar lamp \u2013 24 characters<\/li>\n\n\n\n<li>Measurepurple carbide so \u2013 24 characters<\/li>\n\n\n\n<li>teapot glacier orbit violin \u2013 27 characters<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Note: While you can use capital letters, numbers, or symbols, they are not required. Focus on randomness and length.<\/strong><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">4. Password Expiration and Reset<\/h5>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Routine password resets (e.g., annual resets) are no longer required unless there is evidence of compromise or suspected compromise.<\/li>\n\n\n\n<li>System or shared account credentials must be changed when an employee with access to those credentials leaves the College.<\/li>\n\n\n\n<li>Passwords must be changed immediately if a security incident or unauthorized use is suspected.<\/li>\n\n\n\n<li>Bates College may periodically perform checks against known compromised credentials to proactively identify vulnerable passwords.<\/li>\n\n\n\n<li>Some third-party systems or services may enforce fixed password reset intervals due to their own compliance or technical requirements. In these cases, users are expected to follow the system-specific password change prompts while still complying with the overall principles of this policy.<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">5. Protection and Handling of Passwords<\/h5>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Passwords must be treated as restricted data.<\/li>\n\n\n\n<li>Sharing of user credentials for individual user accounts is strictly prohibited.<\/li>\n\n\n\n<li>Storing of passwords in a web browser is strictly prohibited.<\/li>\n\n\n\n<li>Users should avoid writing down passwords. If necessary, passwords may be securely stored in a password manager. The only ILS-approved password manager is 1Password. 
1Password accounts are provisioned by ILS, and the cost of the license(s) is charged to the requesting department.<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">6. Account Lockout<\/h5>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User accounts may lock in some cases after 5 failed login attempts to prevent unauthorized access. Accounts must be unlocked by contacting the IT Help Desk or through an approved automated process.<\/li>\n\n\n\n<li>Systems may implement progressive delays or throttling after failed login attempts to minimize the risk of denial-of-service scenarios.<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">7. Multi-Factor Authentication (MFA)<\/h5>\n\n\n\n<p>MFA is required for all users, as well as for users accessing critical or sensitive Bates College systems or third-party systems that hold Bates data.<\/p>\n\n\n\n<p><em><a href=\"https:\/\/www.bates.edu\/ils\/files\/2026\/02\/Bates-Passphrase-Policy.pdf\">PDF Version<\/a><\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><em>Bates College Passphrase Policy, Effective 7\/1\/2025, Updated: February 5, 2026, Version 1.1<\/em><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. 
Purpose To establish secure passphrase requirements aligned with best practices and&hellip;<\/p>\n","protected":false},"author":126}