Password Policy


  • This policy is intended to establish a minimum expectation with respect to password creation and maintenance to protect data stored on computer systems.

Password Construction:

All users must construct strong passwords for access to all networks and systems, using the following criteria where technically possible:

  • Must be a minimum of 12 characters in length.
  • Must be composed of a combination of at least three of the following four types of characters:
    • Upper case alphabetic character
    • Lower case alphabetic character
    • Numeric character
    • Non-alphanumeric character

Password Management:

  • Passwords must not be stored in a manner that allows unauthorized access.
  • Passwords will not be sent via unencrypted email.
  • Password changes will be mandated in the following ways:
    • PCI/Administrative/Privileged passwords will expire every 90 days.
    • Users who process or access restricted data (such as protected health information, FERPA data, SSNs, and PII) should change their passwords at least every 120 days. This includes both domain credentials and other systems (such as the SIS)
    • All other passwords will expire every 180 days.
  • Passwords must be changed immediately in the event an account is compromised.
  • Passwords used at Milligan should be unique; they should never be used for any other system.
  • Password management tools can be utilized to help meet these requirements. Please contact IT for assistance with configuring a password management tool.