The sharing of usernames/passwords is prohibited by other sections of policy.  However, there may be special circumstances where shared usernames/passwords are desirable. Each situation where there may be a need for a generic account will be evaluated on a case-by-case basis. Such exceptions may be approved by the Associate Director of Technical Services when deemed appropriate, security is manageable, and the following considerations have been included in the evaluation for creating a generic account. The evaluation process will begin with the submission of a request to Information Systems.  Generic accounts be used only for special situations (e.g., testing of potential students, access to labs by continuing education students) when the users do not otherwise qualify for a Northwestern account.

• Generic accounts shall only be enabled during those periods when specifically required (e.g., Freshman Connection or a lab session).
• Generic accounts will be restricted to certain physical locations as indicated by the requester.
• The user has requested a generic account with a shared username/password to include a justification for such an account and the location where the account is to be used.
• The Associate Director of Technical Services has, after consultation with appropriate Information Systems staff, determined the use of an account with a sharedusername /password will not introduce a security risk given its intended use when proper technical controls and procedures are implemented and followed.
• The following applies to passwords for generic accounts:
  • Passwords may only be created and changed by the Information Systems System Administrator.
  • Passwords must be a minimum of eight characters.
  • Password must be changed at least annually.
  • Passwords shall be changed as a result of the user requesting the System Administrator to make such a change.

• Information Systems has advised the user in writing of the necessary procedures to follow regarding the use of the shared account.
• Specific procedures (activation/deactivation, password changes, any physical security safeguards, software controls, etc.) have been developed for the requested generic account.
•  The requesting user has agreed in writing to follow the specified procedures.
• Where appropriate, Information Systems will make a special program available to the managers of certain generic accounts to allow them to enable/disable such accounts. As a precautionary measure, this program shall automatically disable all generic accounts each night.
• Pre-existing generic accounts must comply with the provisions of this policy to include the user submitting a request for the generic account.