Password Policy

Description

This policy specifies requirements for password use and creation in order to better protect information technology systems and data.


Posted on: 3/4/2026
Closes on: 3/18/2026 4:30:00 PM
Archived on: 3/25/2026 11:59:00 PM

Primary Documents


The Request for Comments has been closed

Comments


Does this policy replace the existing Strong Password Requirement Policy? (link)

Sharing ETSU passwords or login credentials with others is prohibited.

This may not be the appropriate place to direct this question, but is it worth spelling out here that individuals must not misrepresent themselves as the student so as to create and/or edit a password? (Ex: family member setting up student's account rather than the student setting it up for themself)



Commentor: Marc Tucker
Submitted on: 3/18/2026 4:20:56 PM
On behalf of: Individual Staff

Thank you for the opportunity to comment on the proposed password policy.

Policy Name
In keeping with NIST SP 800-63B Revision 4 Authentication and Authenticator Management, perhaps the policy should be renamed to reflect a broader role in authenticating users and management of the authentication systems.

Inclusion of Multifactor Authentication Requirements
Additionally, perhaps the policy should include requirements for multifactor authentication (MFA), which third-party apps are acceptable for ETSU, security requirements for personal devices used for MFA, and reporting requirements (if any) for ETSU persons whose personal devices used for MFA are compromised, lost or stolen.

Section 1
The statement that "Users must create unique passwords or passphrases for each system or account" is contradicted by the widespread use of single sign-on (SSO) across a number of university systems, so that a single password is used for GoldLink, ETSU email, signing on to ETSU-issued computers, etc. I greatly appreciate the benefit of SSO, and wish it was available for all university systems, but the result is a single password used across these systems. It would also improve the user experience if all university systems had the same username requirements (some require your username, some your username@etsu.edu email and some accept your username@mail.etsu.edu email (ETSU Dropbox)).

Using "should not" in this section is perhaps not sufficiently rigorous to prevent using any or all of the items included in the list. "Should" is just a suggestion, while "may not" or "shall not" are requirements.
NIST SP 800-63B Revision 4 also specifies a minimum password length of 15 characters (for single-factor authentication), a maximum of at least 64 characters, and no composition rules.

For 1.1.2, the use of long passphrases is useful to prevent brute force attacks, but exclusion of any dictionary words from passphrases, rather than the password being a single dictionary word, may discourage the use of longer passphrases. For example, "The yellow bird crawls to the grocery flag." has every word a dictionary word, but the nonsense combination makes it resistant to attack, while its use of real words makes it easier for a human to use correctly.

Section 2.2
While the intent seems clear, taken literally, it would prevent the use of password managers that are encouraged in Section 2.8. All password managers that I am familiar with have a mechanism that allows the display of the stored password in plain text so that the user can visually confirm the password. This would prevent manager use since users "must not store password hints or descriptions on websites, devices or files that could reveal the password..."

Section 2.8
I agree that password managers should be strongly encouraged and used, but this section is in conflict with the proposed Acceptable Use of Information Technology Resources policy, in that ETSU does not currently have a list of acceptable password managers, or one that is part of the standard software installation. This would then require every user to obtain permission from ITS to install a manager on their university device at the person's own expense, with all the required effort and paperwork to install a non-standard application. It seems likely that this would discourage or even prevent a lot of people from using password managers.



Commentor: Scott Kirkby
Submitted on: 3/18/2026 2:14:49 PM
On behalf of: Individual Faculty

Thank you to Information Technology Services for preparing this proposed policy update. Establishing a clear authentication policy is an important component of protecting university systems, research data, student records, and financial systems.

Because authentication policies are frequently reviewed by cybersecurity auditors and regulators in the event of a security incident, it is important that the policy align closely with current industry frameworks such as the National Institute of Standards and Technology (NIST) Digital Identity Guidelines (SP 800-63B) and contemporary authentication architecture.

After reviewing the proposed policy, I offer the following comments to strengthen alignment with current cybersecurity standards and the National Institute of Standards and Technology (NIST) Digital Identity Guidelines, particularly NIST SP 800-63B, which has significantly reshaped password policy best practices over the past several years.

Policy Name

Given that contemporary security frameworks focus on authentication architecture rather than password rules alone, the University may wish to consider whether the title ‘Authentication Policy’ more accurately reflects the layered controls now used to protect institutional systems.

Explicit recognition of multi-factor authentication (MFA)

The proposed policy focuses primarily on password construction and handling but does not reference multi-factor authentication. Current cybersecurity frameworks widely recognize MFA as the single most effective control for preventing unauthorized access resulting from phishing, credential stuffing, password spraying, and other credential-based attacks.

Modern authentication policy generally treats passwords as only the first factor in a layered authentication model. NIST guidance, the CIS Critical Security Controls, and higher-education cybersecurity frameworks increasingly assume MFA protection for employee accounts, privileged accounts, remote access, and systems containing sensitive data.

For this reason, the policy should explicitly acknowledge the role of MFA within ETSU’s authentication architecture. A short section stating that the University may require multi-factor authentication for faculty, staff, privileged accounts, remote access, and systems containing sensitive institutional data would align the policy with current security practice and reduce institutional exposure to credential-based attacks.

The policy may also wish to clarify that ETSU’s authentication architecture incorporates layered controls consistent with recognized cybersecurity frameworks (such as NIST SP 800-63B), including multi-factor authentication, compromised-credential screening, and risk-based authentication controls.

Password length and passphrase guidance

The draft policy does not currently specify minimum password length requirements. NIST SP 800-63B places primary emphasis on password length and entropy rather than character complexity rules.

Modern best practice is to allow and encourage longer passphrases (e.g., 12–16+ characters) rather than focusing on composition requirements such as special characters or forced substitutions.

The policy would be strengthened by specifying a minimum password or passphrase length and by explicitly supporting longer passphrases.

Example language that would align with current NIST guidance:

“Passwords or passphrases must contain a minimum of twelve (12) characters. Systems should allow passwords of at least sixty-four (64) characters to support longer passphrases.”

Alignment with NIST guidance regarding dictionary words and passphrases

The draft policy discourages the use of dictionary words in passwords. This guidance reflects earlier password composition practices but does not fully align with current NIST recommendations. NIST guidance now recognizes that long passphrases composed of multiple ordinary words can be both highly secure and easier for users to remember.

Rather than discouraging dictionary words entirely, the policy may wish to encourage longer passphrases composed of multiple unrelated words. For example:

“Users are encouraged to create longer passwords or passphrases composed of multiple unrelated words rather than relying on short passwords with predictable character substitutions.”

Password compromise screening and breach-based protections

Modern authentication frameworks recommend screening new passwords against databases of known compromised credentials. This control directly addresses credential-stuffing attacks, which are now among the most common intrusion vectors against universities.

The policy may wish to reference the use of password screening or blocklists designed to prevent users from selecting passwords that have previously appeared in known data breaches.

Example language:

“ETSU systems should prevent the use of passwords that appear in known compromised credential databases or widely used password lists.”

Shared responsibility model for authentication security and institutional risk exposure

The current policy appropriately outlines user responsibilities for safeguarding credentials. However, the policy language places primary emphasis on individual user behavior rather than on the institutional security architecture that protects university systems.

Modern cybersecurity governance frameworks increasingly recognize that credential compromise is inevitable in environments exposed to large-scale phishing campaigns, credential stuffing, and automated password attacks. As a result, current best practice is to design authentication systems that reduce reliance on perfect user behavior by incorporating layered controls such as multi-factor authentication, compromised password screening, and anomaly detection.

From a legal and governance perspective, this distinction can become significant during the investigation of a security incident or data breach. In regulatory reviews and breach litigation, institutions are often evaluated based on whether they implemented reasonable, institutional-level technical safeguards consistent with recognized industry standards, rather than relying primarily on user compliance with password rules.

Policies that appear to place the burden of credential security primarily on individual users—without also acknowledging institutional responsibility for implementing appropriate authentication safeguards—can create ambiguity regarding where accountability for security architecture resides. Many institutions now explicitly incorporate a shared responsibility model in their authentication policies for this reason.

Accordingly, the policy may benefit from including a brief statement acknowledging that ETSU will implement technical authentication safeguards consistent with recognized cybersecurity frameworks in order to reduce reliance on individual user behavior alone.

Password manager usage

The policy appropriately encourages the use of password managers. Because password managers significantly improve password uniqueness and entropy, the policy may wish to clarify that reputable password management tools represent a preferred method for generating and storing credentials securely.

Governance perspective

From a governance perspective, authentication policies are increasingly evaluated not only on password rules but on the overall authentication architecture they support. As phishing, credential harvesting, and automated credential attacks continue to increase across higher education, policies that recognize layered authentication controls (such as MFA, compromised password screening, and risk-based authentication) tend to be more durable and better aligned with current cybersecurity expectations.

Incorporating brief references to these controls would help ensure that the policy reflects current threat models and remains aligned with evolving NIST guidance and industry practice.

Conclusion

The proposed policy provides a useful baseline for credential management and user awareness. The observations above are offered to help ensure that the policy remains aligned with current authentication standards, evolving threat models, and the cybersecurity frameworks that external auditors, regulators, and cyber-insurance underwriters commonly use to evaluate institutional security practices.

Incorporating these clarifications would strengthen the policy’s alignment with contemporary NIST guidance and help ensure that ETSU’s authentication governance framework accurately reflects both modern security architecture and institutional risk management expectations.

Respectfully submitted,

David A. Golden



Commentor: David Golden
Submitted on: 3/11/2026 3:54:13 AM
On behalf of: Individual Faculty
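Two of the comments above describe concrete checks a password-acceptance step would perform: Scott Kirkby's Section 1 remarks (a 15-character minimum for single-factor use, a maximum of at least 64, no composition rules, and dictionary-word passphrases being acceptable) and David Golden's suggestion that new passwords be screened against known compromised credential databases and widely used password lists. The following is an added illustration of how such a NIST SP 800-63B style acceptance check fits together; it is not code from ETSU, from the policy, or from either commenter. The "breached" set and the common-word list are constructed here for the example (a real deployment would consult a compromised-credential service or a large local blocklist), the SHA-1 hashing only mirrors how such lists are commonly distributed, and the function and parameter names are the example's own.

```python
"""NIST SP 800-63B style password acceptance check (added example)."""
import hashlib
import unicodedata
from dataclasses import dataclass, field

# Constructed stand-in for a compromised-credential database. Stored as
# SHA-1 digests only because blocklists are often distributed that way;
# these values are made up for the example, not taken from any breach.
_CONSTRUCTED_BREACHED = {
    "password123456789",
    "Summer2026!Summer2026!",
    "qwertyuiopasdfghjkl",
}
BREACH_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _CONSTRUCTED_BREACHED
}

# Constructed stand-in for a "widely used password list".
COMMON_WORDLIST = {"password", "letmein", "welcome", "changeme"}


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list = field(default_factory=list)


def normalize(secret: str) -> str:
    # Normalize to NFKC before measuring or comparing so that visually
    # identical Unicode inputs are treated as the same secret.
    return unicodedata.normalize("NFKC", secret)


def check_password(
    secret: str,
    username: str = "",
    min_length: int = 15,          # single-factor minimum cited in the comments
    max_accepted_length: int = 64,  # systems must accept at least this many
) -> PolicyResult:
    """Decide whether a candidate password may be set.

    Deliberately absent: composition rules (uppercase/digit/symbol
    requirements), so an all-lowercase passphrase of ordinary dictionary
    words passes as long as it is long enough and not blocklisted.
    """
    reasons = []
    s = normalize(secret)
    n = len(s)  # each Unicode code point counts as one character

    if n < min_length:
        reasons.append(f"too short: {n} < {min_length}")
    if n > max_accepted_length:
        reasons.append(f"too long: {n} > {max_accepted_length}")

    # Compromised-credential screening: compare the digest of the candidate
    # against the (constructed) breach list rather than storing plaintext.
    if hashlib.sha1(s.encode("utf-8")).hexdigest() in BREACH_HASHES:
        reasons.append("appears in compromised-credential list")

    lowered = s.lower()
    if lowered in COMMON_WORDLIST:
        reasons.append("appears in widely used password list")

    # Context-specific check: the account's own username is not a secret.
    if username and len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the account username")

    # Trivially guessable structure that length alone does not cure.
    if n and len(set(s)) == 1:
        reasons.append("single repeated character")

    return PolicyResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in (
        "The yellow bird crawls to the grocery flag.",  # passphrase from the comments
        "Tr0ub4dor&3",                                   # symbols, but too short
        "password123456789",                             # in constructed breach list
    ):
        result = check_password(candidate, username="jdoe")
        print(f"{candidate!r}: accepted={result.accepted} {result.reasons}")
```

The point the comments make shows up directly in the results: the dictionary-word passphrase is accepted because it is long and not blocklisted, while a short password with symbols and substitutions is rejected on length alone, and a long password is still rejected when it appears in the compromised-credential list.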