Home > About > Policies and guidelines > Password policy

Password policy

Effective date of the policy:

9 December 2015

Last updated:

19 November 2015

Policy owner:

Executive Director: Information and Communication Technology Services

Policy approved by:

Senior Executive Council (SEC)

Reviewed by: University Information and Communication Technology Committee
Enquires: Director Technical Support Services


Table of contents



The accepted academic principle that information should be shared is founded upon the fact that information is a unique resource that increases rather than dissipates when it is used. However, this principle must be tempered by the fact that access to University of Cape Town's information carries with it the responsibility to protect privacy, confidentiality, and integrity. Passwords are the first line of protection against unauthorised access and use of information systems.

Unauthorised access to the University's information or systems has been identified as a major information security risk that must be proactively managed. 

Access to our IT resources by unauthorised persons or computer processes can result in:

  • the University's sensitive information (personal, both staff and students; research; financial) being compromised;
  • non-compliance to legal and regulatory requirements;
  • prosecution through non-adherence to legislation; and
  • adverse impact on the University’s image and reputation.


The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.



"a phrase used as a password, esp. for a computer." (OED)


"Simple Network Management Protocol (SNMP) is a protocol for network management used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network".(Microsoft TechNet)

Data steward Stewards of institutional data have the primary administrative and management responsibilities for segments of institutional data within their functional area.


Applicable to

This policy applies to all persons who have, or are responsible for, an account (or any form of access that supports or requires a password) on any system that resides at any University of Cape Town (UCT) facility, and/or has access to the UCT network, and/or stores any non-public UCT information.


The following exceptions apply: None

Policy summary
  1. Two security levels apply to the University of Cape Town Electronic Communication Systems (ECS).
  2. Password-based authentication credentials by default do not expire.
  3. All system authentication credentials assigned to users are for their own personal use and must not be shared or disclosed to any third party, staff member, or student.
  4. A user is responsible for changing their password and notifying ICTS if they suspect the authentication credentials have been compromised.
  5. Data stewards and system owners are to determine the appropriate level of security for the systems for which they are responsible.
  6. All users of University information systems must abide by the minimum password protection standards outlined for password creation.

Policy details


Policy violations

Violations of this policy will be handled in accordance with UCT procedures established for staff or student discipline.