Password procedure

Procedure

Intent and objectives

To define the rules concerning the use and security of passwords that must be observed while conducting RMIT business, teaching, learning and research activities. This policy provides a foundation for additional practices and standards that will more specifically communicate RMIT requirements related to RMIT passwords.

To ensure that authorised users of RMIT computer systems are aware of their responsibility to protect their passwords to these systems.

To ensure that RMIT staff and contractors who develop, acquire and administer RMIT computer systems are aware of the technical password controls that these systems must comply with.

Scope

All computer systems and network devices that support an RMIT provided service and which use the combination of a username and a password for authentication, and all their users.

Provisions

1. Staff, students and any other authorised user must take reasonable steps to protect the secrecy of their password. For example:

  • A person’s username and password must not be shared with another person
  • A password must not be written down and left in a place where it could be easily found
  • Precautions must be taken to prevent a password being copied or overheard
  • A person must change their password if they suspect that someone else knows it.

2. System Administrators with responsibility for establishing and/or maintaining password controls must ensure that the controls comply with the RMIT Password Standard. Default vendor and manufacturer passwords must be changed during product installation.

3. Project Managers with responsibility for developing or acquiring a new application must ensure that the password controls comply with the RMIT Password Standard.

4. Administrator passwords must be stored in a secure location to ensure that they are readily accessible when needed. The owner of the application or system is responsible for ensuring that appropriate arrangements are in place for the secure safekeeping of the administrator password.

5. System Administrators and Project Managers may believe that there are valid business and/or technical reasons for the system or application not complying with the RMIT Password Standard. If this is the case, they may seek a dispensation by following the formal dispensation process established by ITS. Please refer to the RMIT Password Guidelines.

6. Students and staff should refer to the RMIT Password Guidelines for tips on choosing a new password that is hard to guess but easy to remember.
