San Lorenzo Unified School District Password Protocol
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A weak password or the misuse of a password may result in the compromise of San Lorenzo Unified School District’s (SLzUSD) entire district network or confidential information contained within the network. As such, all SLzUSD employees are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
The purpose of this protocol is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. Reasonable precaution is required for the safe‐guarding of passwords.
The scope of this protocol includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any SLzUSD facility, has access to the SLzUSD network, or stores any SLzUSD information on premise or within any district cloud server(s).
- All passwords must be changed every 6 months
- No password re‐use for one year
- No password re‐use for 4 passwords
- 10 minute screen saver with password required to unlock for all administrative staff;
- 20 minute screen saver with password required to unlock for all teachers
- Password Requirements: minimum of 10 characters; requires 1 uppercase letter and 1 number or special character
4.2 Guidelines General Password Construction Guidelines
Weak passwords have the following characteristics:
- Is one word found in a dictionary (English or foreign)
- Is a common usage word, such as:
- Names of family, pets, friends, co‐workers, fantasy characters, etc.
- Birthdays and other personal information such as addresses and phone numbers
- Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Any of the above spelled backwards
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Strong passwords have the following characteristics:
- Contain both upper and lower case characters and have digits and punctuation characters
- Are at least ten alphanumeric characters long
- Are non‐words or a combination of non‐related words (for example, buefgtwp OR horseplantcup)
- Are not based on personal information, names of family, etc.
- Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
- Don't reveal a password over the phone to anyone other than the Superintendent/designee
- Don't reveal a password in an email message unless requested by the Superintendent/designee
- Don't talk about a password in front of others
- Don't hint at the format of a password (e.g., "my family name")
- Don't share a password with family members
- Don't reveal a password to co‐workers while on vacation
- Passwords should never be written down or stored on‐line.
If an account or password is suspected to have been compromised, report the incident to TIS and change all passwords.
4.2 Two Factor Authentication Requirements
District requires that some accounts use a 2 Factor Authentication protocol for improved account security. The guidelines for a 2 Factor Authentication is established by the National Institute of Standards and Technology (NIST)’s Cybersecurity guidelines. TIS will identify accounts that will require a 2 factor authentication protocol.