Capital College --- Password guideline – CL-PWD

1.0 Purpose
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Capital College's computer network, a network with over 1000 connected machines. As such, all Capital College employees (including contractors, temporary personnel, and vendors with access to Capital College systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. The purpose of this guideline is to establish standards for the creation of strong passwords, the protection of those passwords, and the frequency of change.

The policy here is developed for Penn State Harrisburg but the overall University Policy AD20 (Computer and Network Security) applies.

2.0  Scope
The scope of this guideline includes all personnel who have or are responsible for an account (or any form of data communications access) on any system that resides at any Capital College facility, has access to the Capital College network through local or remote connectivity, or stores any non-public Capital College information.

Guideline 

3.0  General

·     All system-level passwords for IIT-maintained systems (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed at least once a semester. This change will be announced by the Manager, Network and Information Systems in IIT or their designate. The change will be announced at a random time.

·     All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every ninety days. The recommended change interval is every ninety days.

·     User accounts that have system-level privileges granted through group memberships or programs such as "sudo" under UNIX, or "Run As" under Windows, must have a password different from the passwords used with any other accounts held by that user.

·     Passwords must not be inserted into email messages or other forms of electronic communication and are not given out over the telephone.

·     Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).

·     All user-level and system-level passwords must conform to the guidelines described below. 

4.0  General Password Construction Guidelines

a)    Passwords are used for various purposes at the Capital College. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.

b)    Poor, weak passwords have the following characteristics:

i)     The password contains fewer than six characters.

ii)    The password is a word found in a dictionary (English or foreign).

iii)   The password is a common usage word such as:

·     Names of family, pets, friends, co-workers, fantasy characters, etc.

·     The user's ID, or a subset thereof.

·     Computer terms and names, commands, sites, companies, hardware, software.

·     The words "Capital College", "COE", "<Department Name>" or any derivation.

·     Birthdays and other personal information such as addresses and phone numbers.

·     Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.

·     Any of the above spelled backwards.

·     Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

c)    Strong passwords have the following characteristics. They:

i)     Contain at least three of the following four character groups:

·     upper case English characters (e.g., A-Z)

·     lower case English characters (e.g., a-z)

·     non-alphanumeric characters (e.g., !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

·     numerical characters (e.g., 0-9)

ii)    Have the following additional characteristics:

·     at least six alphanumeric characters long

·     do not contain your full name, your network account name, etc.

·     have not been used in the previous 5 passwords

·     must not have been changed in the previous 0 days

iii)   Currently non-alphanumeric characters are not supported at www.work.psu.edu. Non-alphanumeric characters are supported on the Capital College Local Area Network.

d)    Passwords should never be written down or stored online. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R!" or "Tmb1W>r~" or some other variation.

i)     NOTE: Do not use either of these examples as passwords!

e)    Users of local area network accounts will be unable to log in after the sixth failed attempt.  The account will automatically lock out.  Call IIT E-302 Olmsted to have the account unlocked.
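The construction rules in 4.0 b) and c) can be enforced mechanically at password-change time. The following checker is an added example, not part of the College guideline or any IIT system; the deny-list words, the user ID "jdoe" and the name "Jane Doe" are constructed for the illustration, and a real deployment would load a full dictionary word list.

```python
import re

# Constructed deny-list standing in for a dictionary and the guideline's
# "common usage" words; a real deployment would load a full word list.
COMMON_WORDS = {"capital college", "capitalcollege", "coe", "secret", "password"}
PATTERNS = {"aaabbb", "qwerty", "zyxwvuts", "123321"}
SPECIALS = set("!@#$%^&*()_+|~-=\\`{}[]:\";'<>?,./")


def character_groups(pw):
    """Count how many of the four groups (upper, lower, digit, special) pw uses."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ])


def check_password(pw, user_id, full_name, previous=()):
    """Return the guideline violations found in pw; an empty list means it passes."""
    problems = []
    if len(pw) < 6:
        problems.append("fewer than six characters")
    if character_groups(pw) < 3:
        problems.append("fewer than three of the four character groups")
    low = pw.lower()
    # Re-test with one leading/trailing digit stripped and with the string reversed,
    # so 'secret1', '1secret' and 'terces' are rejected just like 'secret'.
    core = re.sub(r"^\d|\d$", "", low)
    for cand in (low, core, low[::-1], core[::-1]):
        if cand in COMMON_WORDS or cand in PATTERNS:
            problems.append("common word or pattern (also reversed / with a digit added)")
            break
    uid = user_id.lower()
    if uid and (uid in low or (len(low) >= 3 and low in uid)):
        problems.append("contains the user ID or is a subset of it")
    if any(tok in low for tok in full_name.lower().split() if len(tok) >= 3):
        problems.append("contains part of the user's full name")
    if pw in previous[-5:]:
        problems.append("reused one of the previous 5 passwords")
    return problems


if __name__ == "__main__":
    for candidate in ("TmB1w2R!", "secret1", "Doe!2024", "qwerty"):
        print(candidate, "->", check_password(candidate, "jdoe", "Jane Doe") or "OK")
```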

5.0  Forgotten Passwords

The Pennsylvania State University takes password protection very seriously.  It is imperative that IIT can verify that you, the student, faculty or staff member are who you say you are.  With that in mind:

a)        For all computer accounts at the Capital College, the following services are offered:

·         For Local Area Network Passwords -- Call IIT and have the password reset.  The password will be reset to the original.

·         For Access ID passwords (www.work.psu.edu) -- visit the helpdesk or call IIT. The operator on duty will reset the password to the original. The reset takes effect immediately. The original password can be obtained at a signature station if you have forgotten it, or, if you come to E-302, Terry Majzlik or Toni Moore can see the original password.

·         If the Digital Identity Management System shows that you have not been to a signature station (this could be the case where a faculty or staff member applied for their access account on paper), you will be asked to visit a signature station.

·         Passwords are not given out over the phone.

6.0  Password Protection Standards

a)  Do not use the same password for Capital College accounts as for other non-Capital College access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various Capital College access needs. For example, select one password for your Penn State account and another for a non-Penn State account such as TIAA-CREF.

b)  Do not share Capital College passwords with anyone.  All passwords are to be treated as sensitive, confidential Capital College information.  You are responsible for safeguarding your password.

7.0  Here is a list of "don'ts" and "do's".

·         Don't reveal a password over the phone to ANYONE

·         Don't reveal a password in an email message

·         Don't reveal a password to the boss

·         Don't talk about a password in front of others

·         Don't hint at the format of a password (e.g., "my family name")

·         Don't reveal a password on questionnaires or security forms

·         Don't share a password with family members

·         Don't reveal a password to co-workers while on vacation

·         Don't share a password with any other employees.

·         Don't use the "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger).

·         Don't store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.

·         Do change passwords at least once every ninety days (except system-level passwords which must be changed quarterly).   The recommended change interval is every four months.  [review with Terry]

·         Do report a compromised or suspected compromised account or password to IIT and change all passwords.

a)   Password cracking or guessing may be performed on a periodic or random basis by the University Security Operations and Services (SOS) office during a scan requested by IIT or SOS. If a password is guessed or cracked during one of these scans, the user will be required to change their password.

b)   If someone demands a password, refer them to this document or have them call IIT or University Security Operations and Services, a division of Information Technology Services.

8.0  Application Development Standards

a)      Internal application developers must ensure their programs contain the following security precautions. Applications:

·         should support authentication of individual users, not groups.

·         should not store passwords in clear text or in any easily reversible form

·         should provide for role management, such that one user can take over the functions of another without having to know the other's password

·         should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
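One way to meet the second requirement above (no clear-text or easily reversible storage) is to store only a salted, iterated one-way hash of each password. This is an added illustration, not code from the College or IIT; the algorithm label, salt length and iteration count are constructed for the example and should be tuned to the server.

```python
import hashlib
import hmac
import os

# Constructed parameters for the example; raise ITERATIONS as server capacity allows.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$key_hex'.

    Only the random salt, the parameters and the derived key are stored; the
    derivation is one-way, so the record cannot be turned back into the password.
    """
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Re-derive the key from the stored salt and compare it in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def needs_rehash(record):
    """True when a stored record uses weaker parameters than the current policy."""
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS


if __name__ == "__main__":
    stored = hash_password("Tmb1W>r~")  # what the application keeps on disk
    print(stored)
    print(verify_password("Tmb1W>r~", stored), verify_password("tmb1w>r~", stored))
```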

 

9.0  Use of Passwords and Passphrases for Remote Access Users
Access to the Capital College networks via remote access must use encrypted traffic, established using either one-time password authentication or a public/private key system with a strong passphrase. A VPN is an example of a public/private key system.

10.0  Passphrases

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access. Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks."

a)      A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: "The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"

b)      All of the rules above that apply to passwords apply to passphrases.

11.0  Enforcement

Any employee found to have violated this guideline may be subject to disciplinary action by their administrative unit, the College, or the University. Individuals may be subject to all the sanctions spelled out in AD20, up to and including expulsion for students or termination for employees, and civil or criminal action may be pursued.

12.0  Definitions

Minimum Password age – a feature of Windows 2000 that is used to prevent users from cycling through to their favorite password.

System Level Password – a password that resides on a file server

User Level Password – a password that resides on a PC or handheld device

Revision History 6 March 2004, 28 July 2005, ryb2

OFFICIAL APPROVAL:  1-17-08 MSK5