Tulane University Password Policy

This policy establishes conditions for use of, and requirements for appropriate security for Tulane University accounts. These requirements are necessary to help ensure personal security and protect The University’s information systems resources.

1  Purpose

This policy establishes conditions for use of, and requirements for appropriate security for Tulane University accounts. These requirements are necessary to help ensure personal security and protect The University’s information systems resources.

Your password functions as a "key" that enables you to access the University's many electronic resources. This is the private part of your digital identity. You should protect and guard your password as you would your personal bank card and PIN. The Tulane Account provides access to a wide range of Tulane Internet services such as e-mail, myTulane, Library resources, E-Academy, secured Web sites, VPN, and Tulane-access computing labs. You may need additional University accounts for other services, including access to systems such as TAMS, SIS, and Datastore.

Also, these password security principles constitute best practices for the use and access of third-party accounts and systems integral to work and/or education at Tulane.

2  Scope

This policy applies to every person using a Tulane Account at any time or location. This includes all students, faculty, staff, alumni, retirees, and other University affiliates (including contractors and vendors with access to Tulane University systems).

3  Policy Statements

 3.1  General

  • Passwords for newly activated Tulane Accounts must be changed at first use. This ensures that only the person who has been assigned the account knows the password.
  • Tulane Account passwords will expire once every 180 days.
  • Old passwords cannot be reused for 365 days. You are encouraged to avoid reusing old passwords, at all, if possible. See Guidelines on Passwords for tips on creating a strong password that is easy to remember but hard to “crack.”

 3.2  Individual Responsibility

  • Create a strong password; see Guidelines on Passwords.
  • Change your password at least once every 180 days, or more frequently as needed. You are responsible for changing your password before it expires, to avoid disruption of access to Tulane services. See Password Expiration below for additional details.
  • Safeguard the password. You should not write down or store the password on paper or on a computer system where others might acquire it. See Password Protection Standards in the Guidelines on Passwords document for additional guidelines.
  • Never share the password, even with a best friend, roommate, or relative.
  • Reserve the Tulane Account User ID and password for Tulane University systems and services only. You should create a different username and password for external services such as stores, banks, music services, Websites, personally owned computers, or other systems.
  • Any use of the Tulane Account is assumed to be performed by the person assigned to that account. You are responsible for all activities associated with your account.

 3.3  Password Expiration

  • You are encouraged to change your password before it expires, in order to avoid disruption of access to University services. Passwords can be changed at password.tulane.edu. At the first access, you must provide two security questions.
  • Two weeks before the password expires, an e-mail notification of the expiration date will be sent to you. This e-mail notification will be sent daily until the password is changed or expires. If the password has not been changed by the expiration date, the account will be locked.
  • If you allow your password to expire you will need the correct answers to the two security questions to unlock the account. If the answers to the security questions are incorrect, you must contact the Help Desk to reinstate your Tulane Account access.
  • Your password should be changed immediately if you believe that it has been compromised (for example, if there is a possibility that another person may have viewed or acquired the password).

 3.4  Access to Accounts

Tulane accounts for faculty and staff who disengage from the University should be deactivated with the following exceptions:

  • Email accounts and LDAP access for the Gibson portal for staff should be maintained for one month
  • Email accounts and LDAP access for the Gibson portal for faculty should be maintained for one year

4  Further Information

If you believe that your account or password has been compromised, change the password for the affected account. If your account has been compromised or you require more information, contact the Information Security Office at security@tulane.edu or (504) 988-8500.