July 22, 2009 (rewrite)
A. General. University of Idaho (UI) electronic communications systems or services must identify users and authorize access by means of a password, passphrase, or other secure authentication process. One of the most common methods attackers use to guess passwords is known as a "brute force" attack. In such an attack, the attacker systematically tries possible passwords until he/she manages to break into an account. Attackers frequently use dictionary files to generate lists of possible passwords and letter/number combinations. Having a strong password or long passphrase greatly increases the security of a system. This policy sets out the password requirements and standards for the UI.
B. Account Types. ITS acknowledges three types of accounts:
B-1. Personal: password is known by a single individual for traditional access to computing resources including computer logon, e-mail, VPN, Banner, and other UI services
B-2. Shared: password is known by one or more users and utilized interactively for system logon. Shared accounts shall not be created when another method of access is available
B-3. Functional: password may be accessible by multiple users, but are typically used only "behind the scenes" by applications and processes and are not recommended for most uses
C. Password/Passphrase Requirements. Where possible, the UI recommends using a passphrase (C-2 below) instead of the traditional password described in C-1. For systems incapable of storing passphrases use a strong password (see D-1 below).
C-1. Passwords: Traditional Personal and Shared Passwords are 8-14 characters in length. Functional passwords are at least 30 characters in length and are recommended to be significantly longer. Choosing passwords that are easy to remember but hard for an attacker to guess will significantly improve the security of your computer and data. When passwords are used they must meet the following requirements:
(a) Personal and Group passwords must be at least 8 characters long
b) Functional passwords must be at least 30 characters and are recommended to be significantly longer, up to the maximum length allowed by the system/application being interfaced with
(c) A password must contain characters from three of the following categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Numeric digits (0 through 9)
- Non-alphanumeric characters (e.g., !, $, #, %)
(d) Passwords must not contain recognizable portions of your name
(e) Passwords 8 to 14 characters in length must not contain words found in common dictionaries unless the spelling is significantly altered
(f) Passwords 8 to 14 characters in length must be changed every 90 days. Passwords/Passphrases containing 15 or more characters must be changed every 400 days
(g) Passwords for all ITS-supported services can easily be synchronized and changed by the user through the account management program at ITS Support
(h) All passwords should be securely stored and protected (e.g., no sticky notes on the monitor or stored near the computer, etc.). The use of encrypted electronic password "wallets" (eWallet, Password Safe, etc.) are encouraged.
Note: Requirements a – g above do not apply when changing a Banner password. For assistance with these, contact the Registrar’s Office or the ITS Help Desk.
C-2. Passphrase: Passphrases are at least 15 characters in length and must use three of the four characteristics listed in section C-1(c) above. A passphrase is like a password but may contain spaces between words so a meaningful sentence can be formed. Do not use common phrases like advertising slogans, song lyrics or titles, or other easily guessed word combinations. Passphrases must be changed every 400 days.
Examples of passphrases:
- I will graduate in 2050, Go Vandals!
- My dog is also a "Vandal"
Benefits of passphrases:
- easier to remember
- they are longer than traditional passwords making them less vulnerable to attack
- longer time interval between changes
- Passphrases will not be subject to the dictionary password check.
C-3. Shared-access systems: Administrators of shared-access systems must enforce the requirements in C-1 above (whenever possible) in addition to the following:
(a) They must require that users change any pre-assigned passwords immediately upon initial access to the account
(b) They must modify all default passwords for access to devices, and where possible and appropriate:
- configure devices with separate accounts for privileged access (e.g., administrator and root) and unprivileged access (standard user);
- authenticate users with an unprivileged account rather than a privileged account;
- insecure password storage and communication methods, such as the Microsoft "LAN manager hash" must be disabled on all devices;
Note: privileged access should occur through a privilege escalation mechanism which allows the log to show which user was granted additional privileges; and, should only be granted for as long as necessary to complete the task which requires additional privileges.
D-1. Strong Password. If a system will not accept passphrases (as defined above), a strong traditional password should be used. The following are tips on selecting strong passwords which are easy to remember:
Think up a phrase, part of a book, poem, or song and use part of it to form a memorable password. Then use hard-to-guess combinations of letters, numbers, upper/lower case, and symbols (Note: The more diverse characters in a password, the more difficult it is to guess).
- "Only 75 more days until I graduate from UI!" would be (O75mduIgfUI!)
- "All of Idaho is divided into 2 main regions" would be "AoIidi2mr"
- Think up pronounceable, non-dictionary combinations of letters, and then separate them with punctuation characters and numbers. For example: Har%vee8! (Harvey ate!!") or Shee=nosYoo2? (She knows you too?)
D-2. Password/Passphrase Management.
(a) All passwords/passphrases (passwords) are confidential university information
(b) Each user is responsible for the security of his or her passwords, and accountable for any misuse resulting from the user’s irresponsibility
(c) Users will not share their passwords with anyone, including supervisors, administrative assistants, secretaries, or technology service providers. It is against university policy for an ITS employee or technology service provider to request a user’s passwords. If someone demands a password, refer him or her to this document or have them call the UI Information Technology Security Officer – ITS
(d) Users shall not use the same passwords for UI accounts as for other non-UI access (e.g., personal Internet service provider (ISP) accounts, free online e-mail accounts, instant messaging accounts, other online services, etc.). This will limit exposure if any of the user’s passwords are compromised
(e) Users shall not store passwords within applications or use the "Remember Password" feature (e.g., Firefox, Internet Explorer, etc.) for passwords for UI accounts. These features typically do not adequately protect passwords, and it may be possible for a computer virus or unauthorized user to gain access to this information
(f) Users should not write passwords down or store them anywhere in your office. Nor should users store passwords in a file on any computer system (including PDAs, phones or similar devices) without using strong encryption
(g) Failed login attempts are tracked and a user’s account is temporarily locked out after an excessive number of unsuccessful attempts. If a user suspects their account has been compromised, he or she must report the incident to the ITS Information Technology Security Officer and change their password immediately
(h) In the case of functional or shared accounts, if the owner or sponsor leaves the University ownership must be transferred to the supervisor or the supervisor-designated replacement. Continued access to a group or functional account is subject to annual review by stakeholders and/or managers of the systems accessible by said accounts
(i) Passwords for any account must be changed when ownership is transferred.
E. Compliance. ITS will advise the appropriate unit manager of any non-compliance with this policy. Unit management shall be responsible for following up with any non-compliance and shall initiate disciplinary action for such non-compliance, where appropriate.