Password Policy
General Terms
Passwords must be created in accordance with the following rules:
· All passwords must comply with this policy.
· Username or password fields must not be left blank.
· Passwords must be sufficiently strong.
· Password management systems must be interactive and verify password quality.
· Passwords must include all of the following:
- Lowercase English letters.
- Uppercase English letters.
- Numbers.
- Special characters (such as @ # $ % ^ & * ( ) ! + | ~ - = ` { } [ ] : " ; ' < > /, etc.).
· Weak passwords contain the following characteristics and must be avoided:
- Less than ten (10) characters in length.
- A word that can be found in a dictionary (Arabic or English).
- Commonly used words such as:
§ Names of family, friends, colleagues, pets, etc.
§ Terms, names, commands, sites, companies, devices, and software related to computers.
§ Birthdays and other personal information such as addresses and phone numbers.
§ Number or word patterns such as aaabbb, qwerty, zyxwvuts, 123321, etc.
§ Reverse of the patterns above.
§ Any password mentioned above preceded or followed by a number (e.g., secret1, 1secret).
· Passwords must be created in a way that makes them easy for the owner to remember and avoids writing them down. (For example, creating a password based on a statement or phrase. The phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~", etc.).
· Note: None of these examples may be used as an actual password.
· Temporary passwords (set by administrators of many information processing systems) must comply with this policy.
· Where possible, biometric techniques should be used to spare end users from remembering long passwords.
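The complexity and weak-password rules above can be enforced mechanically at password-creation time. The following checker is an added illustration, not code from King Saud University's systems; the word list, the keyboard and alphabet runs, and the violation messages are constructed here, and a real deployment would load full English and Arabic wordlists plus local names and the organisation's own terms.

```python
import re
import string

MIN_LENGTH = 10
SPECIAL_CHARS = set("@#$%^&*()!+|~-=`{}[]:\";'<>/")

# Constructed stand-in for the policy's dictionary and "commonly used words" lists.
COMMON_WORDS = {"secret", "password", "welcome", "riyadh", "university", "admin"}

# Character runs used to catch keyboard walks and counting patterns (qwerty, 123, zyx).
ORDERED_RUNS = (
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "0123456789", string.ascii_lowercase,
)
RUN_LENGTH = 3   # any 3-character slice of a run, forwards or reversed, counts as a pattern


def has_sequence(pw: str) -> bool:
    """True if pw contains a slice of a keyboard/alphabet/number run in either direction."""
    low = pw.lower()
    for run in ORDERED_RUNS:
        for i in range(len(run) - RUN_LENGTH + 1):
            chunk = run[i:i + RUN_LENGTH]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def has_repeats(pw: str) -> bool:
    """True for runs of the same character such as 'aaa' (catches aaabbb-style passwords)."""
    return re.search(r"(.)\1\1", pw) is not None


def contains_common_word(pw: str) -> bool:
    """True if a listed word, or its reverse, appears in pw.

    Leading/trailing digits are stripped first so 'secret1' and '1secret' are caught too.
    """
    core = pw.lower().strip(string.digits)
    return any(w in core or w[::-1] in core for w in COMMON_WORDS)


def check_password(pw: str) -> list[str]:
    """Return every policy violation found; an empty list means the password is acceptable."""
    if not pw:
        return ["password must not be blank"]
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # The policy asks for English letters, so ASCII classes are checked rather than str.islower().
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in pw):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in pw):
        problems.append("no special character")
    if has_sequence(pw):
        problems.append("contains a keyboard or sequential pattern")
    if has_repeats(pw):
        problems.append("contains repeated characters")
    if contains_common_word(pw):
        problems.append("contains a dictionary or common word")
    return problems


if __name__ == "__main__":
    for candidate in ["", "TmB1w2R!", "MySecret1!", "Qwerty123!!", "Kz7#vQ2!pLm9"]:
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

Note that the policy's own illustrative passwords ("TmB1w2R!", "Tmb1W>r~") are eight characters long, so a checker applying the ten-character minimum rejects them on length alone; the phrase-based construction they demonstrate still works when the phrase is long enough.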
Policy for Affiliates (Faculty Members and Staff) at King Saud University:
· Passwords must not be less than 10 complex characters.
· All inactive government employee accounts in the system will be disabled (set to "Suspended") if no login has occurred within the last 6 months.
· Accounts of contracted university employees will be disabled if no login occurs within the last 6 months, excluding resigned or terminated employees.
· Contractor accounts will be deleted after one year if not reactivated within 6 months of being disabled.
Student Password Policy:
· Passwords must not be less than 10 complex characters.
· Passwords must remain valid for 4 months.
· Password complexity must meet the requirements stated in this policy.
Passwords must be protected by observing the following rules:
· All passwords are considered "confidential" and must not be shared or disclosed.
· Accounts with system-level passwords must not be used for daily activities, and those passwords should be stored in a Privileged Access Management (PAM) tool.
· Passwords must not be written in emails or other electronic communication methods such as social media.
· Passwords at the university must not be shared with anyone, including IT support staff, administrative assistants, secretaries, managers, team members, faculty members, family members, or others.
· Users must not hint at the structure of their password (e.g., "My password is my family name").
· Users must not disclose their passwords in surveys or security forms.
· If anyone requests a user’s password, the user must refer them to this document and direct them to the General Directorate of Cybersecurity.
· If there is suspicion of any account or password being compromised, it must be reported to the university’s General Directorate of Cybersecurity.
· All system passwords (e.g., root accounts, network administration, application management, etc.) must be changed at least every three months.
· All user passwords (e.g., email, web, etc.) must be changed every three months.
· All passwords must be unique. Users are not allowed to reuse the last six (6) passwords.
· Users must be locked out after ten (10) unsuccessful login attempts. Locked accounts can only be unlocked by the system administrator.
· A progressive delay must be enforced after each failed authentication attempt (e.g., 5 seconds after the first failure, 10 seconds after the second, 20 seconds after the third, etc.).
· Users must exercise extreme caution when entering passwords and ensure they are typed in the designated password field.
· Users must be aware of common password theft methods such as phishing, social engineering, shoulder surfing, etc.
· Users must not include passwords in any automated login processes, such as storing them in macros or function keys.
· If a password is changed or reset and the user did not request it, they must notify the IT support team immediately.
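The lockout rule (ten failed attempts, unlock only by an administrator) and the progressive delay rule (5 s, 10 s, 20 s, ...) together define a small state machine per account. The following throttle is an added example, not code from the university's authentication systems; the class name, the return strings and the injectable clock are assumptions made here so the timing can be exercised without sleeping.

```python
import time

MAX_FAILURES = 10          # policy: lock out after ten unsuccessful attempts
BASE_DELAY_SECONDS = 5.0   # policy: 5 s after the first failure, doubling thereafter


def delay_after(failures: int) -> float:
    """Seconds the account must wait after `failures` consecutive failed attempts: 5, 10, 20, ..."""
    if failures <= 0:
        return 0.0
    return BASE_DELAY_SECONDS * (2 ** (failures - 1))


class LoginThrottle:
    """Per-account progressive delay plus a hard lockout that only an administrator clears.

    `clock` is injectable (defaults to time.monotonic) so the logic can be checked
    without real waiting.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}    # account -> consecutive failed attempts
        self._not_before = {}  # account -> earliest time the next attempt is accepted
        self._locked = set()

    def is_locked(self, account: str) -> bool:
        return account in self._locked

    def attempt(self, account: str, password_ok: bool) -> str:
        """Record one login attempt. Returns 'ok', 'denied', 'too_early' or 'locked'."""
        now = self._clock()
        if account in self._locked:
            return "locked"
        # The delay applies even when the password would be correct, so an attacker
        # cannot probe faster than the back-off allows.
        if now < self._not_before.get(account, 0.0):
            return "too_early"
        if password_ok:
            self._failures.pop(account, None)
            self._not_before.pop(account, None)
            return "ok"
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= MAX_FAILURES:
            self._locked.add(account)
            return "locked"
        self._not_before[account] = now + delay_after(n)
        return "denied"

    def admin_unlock(self, account: str) -> None:
        """Only the system administrator clears a lockout; the counters start afresh."""
        self._locked.discard(account)
        self._failures.pop(account, None)
        self._not_before.pop(account, None)


if __name__ == "__main__":
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    for i in range(1, 4):
        result = throttle.attempt("demo", False)
        print(f"failure {i}: {result}, next attempt allowed after {delay_after(i):.0f}s")
        fake_now[0] += delay_after(i)
```

In a real deployment the failure counters would live in shared storage rather than in memory, so that a guesser cannot reset them by hitting a different server; the lockout event is also worth logging, since a burst of lockouts across many accounts is a common sign of a password-spraying attempt.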
Password storage rules:
· Passwords are classified as confidential and must be protected accordingly.
· Access to password files must be restricted, and stored passwords must be hashed and encrypted rather than stored in plain text. All data processing systems must enforce a predefined validity period for passwords.
· All information systems must, where technically feasible, maintain a history of previously used passwords for each user account.
· Passwords must not be stored in a manner that allows unauthorized viewing, such as written on desks or displayed on screens.
· Plaintext passwords must not be included in application files, user files, file transfer settings, etc.
· Password files must be stored separately from core application system data.
· The "Remember Password" option in applications (e.g., Outlook) must always be disabled.
· Privileged Access Management tools must securely store, retrieve, and manage administrative account passwords. Access to this system is restricted to authorized system administrators.
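The storage rules above (hashed, never plaintext or reversible) and the earlier reuse rule (the last six passwords may not be repeated) can both be met by keeping only salted one-way hashes, including for the history. The following store is an added example, not code from the university's systems; the PBKDF2 work factor, the salt length, the class and method names, and the history layout are assumptions made here.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256; tune per deployment
SALT_BYTES = 16
HISTORY_DEPTH = 6             # policy: the last six passwords may not be reused


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """One-way, salted derivation; the plaintext cannot be recovered from the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt, iterations), digest)


class PasswordStore:
    """Holds only (salt, digest) pairs per account: older entries first, the current one last.

    Keeping the history as hashes is enough to enforce the reuse rule without ever
    retaining a plaintext or reversible copy of any password.
    """

    def __init__(self, iterations: int = PBKDF2_ITERATIONS):
        self._iterations = iterations
        self._history: dict[str, list[tuple[bytes, bytes]]] = {}

    def set_password(self, account: str, new_password: str) -> bool:
        """Store a new password; returns False if it matches any of the last HISTORY_DEPTH."""
        history = self._history.setdefault(account, [])
        for salt, digest in history[-HISTORY_DEPTH:]:
            if verify_password(new_password, salt, digest, self._iterations):
                return False
        salt = os.urandom(SALT_BYTES)            # fresh random salt for every password
        history.append((salt, hash_password(new_password, salt, self._iterations)))
        del history[:-HISTORY_DEPTH]             # keep only the most recent entries
        return True

    def authenticate(self, account: str, password: str) -> bool:
        """Check a login against the current password (the newest history entry)."""
        history = self._history.get(account)
        if not history:
            return False
        salt, digest = history[-1]
        return verify_password(password, salt, digest, self._iterations)


if __name__ == "__main__":
    store = PasswordStore()
    print("set:", store.set_password("demo", "Kz7#vQ2!pLm9"))
    print("login:", store.authenticate("demo", "Kz7#vQ2!pLm9"))
    print("reuse:", store.set_password("demo", "Kz7#vQ2!pLm9"))
```

The per-password salt means two accounts with the same password produce different digests, so a leaked password file gives no shortcut across accounts; the history check costs one key derivation per stored entry, which is acceptable because it runs only at password-change time.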
Password change rules:
· All data processing systems must require users to change their passwords after their first login.
· System administrators must require users to change their passwords after a reset.
· All data processing systems must require users to change their passwords periodically after a predefined period.
· Default passwords on devices, operating systems, and applications must be changed before deployment.
· Passwords must be changed immediately in case of a compromised user account or if data leakage is discovered or suspected, and such cases must be reported as incidents.
· When university employees/contractors leave the university, their accounts must be deleted, or their passwords must be changed immediately.
· If the end user wishes to change their password, they must enter their current password to verify their identity before setting a new one.
Password rules for applications:
· Application developers must ensure their programs contain the following security precautions:
- Applications must support individual user authentication and not group authentication.
- Passwords must not be stored in plain text or any reversible form.
- Applications must support the university’s password policy enforcement.
- Task management features must be provided so that one user can take over another user’s tasks without needing to know their password.
Mobile password rules:
· The following minimum password standards must be applied to all King Saud University employees who use mobile services provided by the university through the Mobile Device Management (MDM) tool.