Account Password Policies and Procedures

PPD-0375

Introduction

This policy establishes password requirements for VIMS ITNS and Sectional accounts and information systems. These requirements are necessary to help ensure personal security, to protect VIMS business, research, and academic interactions, and to meet security-related legal requirements and standards.

Passwords are often the weakest links in data and system security due to the use of weak passwords, automatic password cracking programs, and the activities of malicious hackers, spammers, and phishing schemes.  This policy provides guidance and minimum standards for creating and using passwords to maximize security.

Scope

This policy applies to anyone accessing systems that hold or transmit VIMS data and includes sectional and central IT accounts and resources.

ITNS maintains a central password and user id for all users associated with VIMS (See PPD-0374 for related information).  Where possible, all system owners shall use this central domain password resource for authentication.

All user accounts will have initial passwords assigned by ITNS.  Individuals are responsible for changing passwords following published instructions and guidelines.  In general, password strength is proportional to both length and complexity.  The following policies are adopted by ITNS and required for all passwords:

Password Standards

Individual Responsibilities

Passwords for newly activated VIMS user accounts must be created in such a manner to ensure that only the person who has been assigned the account knows the password.

Passwords should be a minimum of 10 characters.  The use of longer passwords or passphrases is recommended if the system in use supports them.  A passphrase is a longer version of a password and typically is composed of parts of multiple words.  A good passphrase also contains a combination of uppercase and lowercase letters and numeric and certain punctuation characters.

The following password complexity rules are enforced for all VIMS domain user accounts:

  1. Passwords must be a minimum of 10 characters in length.
  2. Passwords must contain at least one uppercase character, at least one lowercase character, and at least one number or symbol.
  3. Passwords must not contain the user's account name or full name, or be something simple like "Password123".

Passwords should be protected and should not be written down and left in the user’s desk or on the user’s computer system.  Passwords should be protected as if they were personal information such as a bank account or PIN number.   

Passwords shall not be shared with anyone. Any attempt to encourage sharing your password should be reported to VIMS ITNS.  Do not use a VIMS password and username for any non-VIMS system or application.

Changing passwords each semester is a recommended best practice and is required whenever there is a reason to believe that a password has been revealed or compromised in any way.  In such cases, it is the responsibility of the user to take action to change the password or notify the system administrator to have the password changed. 

In summary, passwords should be strong and carefully protected as described by CERT (www.cert.org).  The above password standards should be applied to screen savers and telephone systems as well.

System Requirements

All information systems at VIMS are subject to the following policy requirements.

Initial Password Reset

All systems should require reset of the password at the time of first login.  System upgrades should consider including this feature when possible. 

Password Aging and Complexity

Systems will require resetting passwords at an appropriate frequency, but not longer than 12 months.  Where possible, systems should check for password complexity and also prevent re-use.  Passphrases are encouraged, but should meet the following minimum complexity requirement:

System Administrator and Service Passwords

The password or passphrase is at least ten characters long.

The password or passphrase contains characters from at least three of the following five categories:

  1. English uppercase characters (A - Z)
  2. English lowercase characters (a - z)
  3. Base 10 digits (0 - 9)
  4. Non-alphanumeric (For example: !, $, #, or %)
  5. Unicode characters

System upgrades should consider including this feature when possible.

Automatic Lockout

The current domain password group policy temporarily locks an AD account for 30 minutes after 6 failed authentication attempts within a 30-minute timeframe.

Display/Clear Text Passwords

Systems should not transmit, display, or store passwords in clear text and should use encryption techniques, such as SSL and SSH.  Stored password files should be encrypted.  System upgrades should consider including this feature when possible.

Logging of Authentication and Failure Events

System Administrators will maintain a log of system logins and failures.  Logs will be retained for a minimum period of six months.

Multi-Factor Authentication

ITNS will employ multi-factor authentication for login access to critical or sensitive information technology resources where appropriate.  These systems include, but are not limited to, email, VPN, and server resources.

Auditing and Checking

System Administrators and the Information Security Officer (ISO) should periodically request that password files be processed using password cracking tools for servers supporting information systems.  Weak passwords should be reported to the Information Security Officer (ISO).