These guidelines specify NIU-N account and password usage requirements. Please see the Acceptable Use Guidelines for the definition of NIU-N.
An NIU-N account is both a part of, and a key to, resources encompassed by NIU-N, and is covered by the Acceptable Use Guidelines. The granting of an NIU-N account is a privilege that carries with it numerous responsibilities, not the least of which is maintaining the security of NIU-N.
These guidelines apply to all NIU-N accounts. This includes but is not limited to
It is prohibited to use a default login and password combination with any application, system, or service. All default credentials delivered with an application, software, system, or service must be changed from the default, and must meet the elevated credential password requirements as described below.
It is prohibited to re-use any password that provides access to any NIU-N account or resource with any other account, system, service, or resource that requires authentication separate from an individual’s official NIU-N account. This includes systems, applications, or services used for work duties, as well as any personally consumed online services, applications, or games.
It is prohibited for third-party vendors, third-party support, or contractors to have direct unsupervised access to NIU-N. All third-party access to NIU-N resources must be supervised by the employee responsible for the resource unless the entire resource resides outside of the NIU-N campus network and contains only public NIU data, or no NIU data.
In all cases where access or permissions are assigned to accounts for access to applications, data, or services, the minimum permissions necessary to achieve the required outcomes should be assigned.
All accounts must follow the minimum password complexity requirements defined by NIU DoIT and found at password.niu.edu.
Passwordless authentication, such as certificate-based, authenticator-app-based, or biometric-based authentication, is permitted where supported, and in certain cases preferred.
All accounts assigned to individuals must have multifactor authentication enabled, configured, and enforced for use on NIU-N systems that contain non-public data. Use of the Microsoft Authenticator app for MFA is strongly recommended and may be required in certain instances.
A student who is also an employee, or an employee who is also a student, will receive a Z-ID and an A-ID. That individual must use a different password for each account. The employee account is intended to be used exclusively for employment duties.
An employee may have certain job duties that require elevated permissions in an application or system for administrative or system management purposes. Authentication to those systems should be integrated with NIU DoIT’s central authentication, and those employees must be assigned a separate administrative account that is only to be used for system administration or management functions. That elevated account must have a different password from their normal user account and requires stricter password and account controls than NIU’s minimum requirements as defined by NIU DoIT.
An employee may have certain job duties that fall under regulatory controls requiring the use of a separate account strictly for those regulatory duties. Those employees must be assigned a separate account that is only to be used for those regulatory duties, and that account must have a different password from their normal user account and may require stricter password and account controls than NIU’s minimum requirements as defined by NIU DoIT.
All categories of “built-in” local administration accounts and application, service, or automation accounts must have a password that is unique from any other NIU account and require stricter password and account controls than NIU’s minimum requirements as defined by NIU DoIT. Those accounts should be integrated with NIU DoIT’s central authentication and account management where possible and are not intended for direct employee use. Tools such as Local Administrator Password Solution (LAPS), managed service accounts, or group managed service accounts shall be used for these types of accounts when possible.