Password Policy
Policy Purpose
This policy defines password rules and expirations on the University campus. Having strong passwords is a security standard. NIST recommends that businesses enforce password expiration and password resets only when a known compromise has occurred.
Policy Statement
It shall be the policy of the University of Arkansas-Fort Smith that all users are required to have passwords on the devices and software that they use on campus.
Applicability
This policy applies to all University devices and software used by campus users.
Definitions
NIST – National Institute of Standards and Technology
Password rules – the minimum number and types of characters that are used to create a password on campus.
Policy Procedure
1. Password rules consist of the following:
• Minimum 14 characters
• Maximum 20 characters (for Banner system only)
• All passwords must contain a combination of at least three of the four following categories:
  • Uppercase letters (A-Z)
  • Lowercase letters (a-z)
  • Numbers (0-9)
  • Special characters (@, #, $, etc.)
• Cannot use your last 24 passwords
2. Password expirations:
Passwords do not expire
Enforcement
Active Directory and various software applications are configured by IT to require that the rules be followed; otherwise, users are not allowed on campus systems.
Policy Management
This policy is managed by the IT department. The IT Director and appointed IT personnel are the primary administrators of this policy. The responsible executive is the VCFA.
Exclusions
Some vendors and their equipment or associated software may have password rules that override the University policy in order to function. An example would be certain characters being required or not allowed in order for the software to function properly.
Effective and Approved Date
This internal policy was approved by Terry Meadows, Director of IT/CIO, on 9/22/2025.
Last Updated
10/31/2025 – Reformatted for accessibility by Terry Meadows, Director of IT/CIO
10/3/2025