Password Policy
Approved by: President
Effective Date: June 26, 2023
Revision Date: June 25, 2024
POLICY STATEMENT
The purpose of this policy is to provide password standards intended to maintain control over access to Western Illinois University (WIU) systems and data, and to enumerate the authentication requirements necessary for compliance with regulatory standards and laws. This policy applies to all accounts provisioned on a WIU system.
SCOPE (WHO SHOULD READ THIS POLICY)
The WIU Password Policy applies to any individual who has access to WIU data. The policy covers all systems and data owned by WIU, whether hosted on premises or by a third party.
DEFINITIONS
- Active Directory: Microsoft's Active Directory provides a convenient way for University Technology to authenticate users to workstations, manage workstation functionality and control access to WIU computing resources.
- Hashed: Hashing is the process of transforming a given key or string of characters into another value, usually a shorter, fixed-length value that stands in for the original string and makes it easier to look up or use. The result is known as a hash.
- Passphrase: A sequence of words used as a password. Throughout this document, password and passphrase may be used interchangeably.
- Password: A word or string of characters used to authenticate (prove the identity of) a user to a system. Throughout this document, password and passphrase may be used interchangeably.
- Salted: Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters to each password and then hashing the result.
- Stretching: Key stretching strengthens a weak key or password by running it through multiple rounds of processing. For example, you may first hash a password, then hash that hash, then hash the result again, and so on. This multi-round strengthening is called key stretching or key strengthening.
POLICY
Section 1: Password Requirements
The following set of password requirements will be implemented on WIU systems that can support the criteria below. All other systems must adhere to the requirements in Section 2.
- Passwords must be at least 12 characters long.
- Passwords must be allowed to be at least 64 characters long.
- All passwords must be checked against a dictionary of commonly used, expected, or compromised values before being accepted. Examples include but are not limited to:
  - Passwords compromised in previous password breaches.
  - Dictionary words.
  - Repetitive or sequential strings, e.g. aaaaa or 1234abcd.
  - Context-specific words such as the name of the service, the username or derivatives thereof.
- No password expiration is required unless the password has been forgotten, compromised or potentially compromised.
- No password hints shall be stored that are accessible to an unauthenticated account.
- Passwords will have no composition rules.
- All passwords must be hashed, salted and stretched when stored.
- Notify users of abnormal behavior, for example:
  - If a user's account has more than three concurrent logins.
  - If a user's account has more than 5 bad password attempts within a 24-hour period.
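The following is an added example, not code from WIU or University Technology, showing how the Section 1 acceptance checks and the "hashed, salted and stretched" storage rule from the Definitions can be implemented together. The function names, the 128-character upper bound, and the blocklist contents are assumptions; the blocklist is a constructed stand-in for a real breach-corpus or dictionary feed. The policy names no algorithm, so PBKDF2-HMAC-SHA256 from the standard library is used here as one way to satisfy all three storage properties: the 16 random salt bytes render as 32 hex characters, and the iteration count is the stretching step.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample blocklist standing in for a real breach-corpus / dictionary feed.
# Lookups are done on the lower-cased password, so entries are stored lower-case.
BLOCKLIST = {"password1234", "winter2023!!", "letmein12345", "qwerty123456"}

MIN_LENGTH = 12      # Section 1: at least 12 characters
MAX_LENGTH = 128     # Section 1 requires accepting at least 64; this example accepts more

# Hypothetical storage parameters: 16 random bytes render as 32 hex characters,
# matching the "32 or more characters" salt in the Definitions section.
SALT_BYTES = 16
ITERATIONS = 600_000  # PBKDF2 round count: the "stretching" step


def is_repetitive_or_sequential(pw: str, run: int = 4) -> bool:
    """True if any window of `run` characters is all the same (aaaa) or
    strictly ascending/descending by one code point (1234, dcba)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if len(set(window)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, username: str, service_name: str = "WIU") -> list[str]:
    """Return the Section 1 rules the candidate password violates (empty list = accepted)."""
    problems: list[str] = []
    lowered = pw.lower()

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BLOCKLIST:
        problems.append("found in the compromised/dictionary blocklist")
    if is_repetitive_or_sequential(pw):
        problems.append("contains a repetitive or sequential run")

    # Context-specific words: the service name, the username, and simple derivatives
    # (reversed, or with digits and punctuation stripped).
    for word in (service_name, username):
        base = word.lower()
        variants = {base, base[::-1], "".join(ch for ch in base if ch.isalpha())}
        for v in variants:
            if len(v) >= 3 and v in lowered:
                problems.append(f"contains context-specific word {word!r}")
                break
    return problems


def hash_password(pw: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Salt, stretch and hash. The record is self-describing so the round count
    can be raised later without invalidating existing records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and round count, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("Winter2023!!", "jdoe-private-pw", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, username="jdoe") or "accepted")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Because composition rules are deliberately absent (Section 1), `check_password` never rejects a password for lacking a character class; length, blocklist membership, repetition and context words are the only gates. The stored record carries its own salt and round count, which is what makes a later increase of `ITERATIONS` a rolling upgrade rather than a forced reset.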
Section 2: Alternative Password Requirements
The following password requirements must be implemented on WIU-controlled systems that cannot implement Section 1: Password Requirements.
- Maximum password age is one hundred twenty (120) days.
- Minimum password age is one (1) day.
- Minimum password length is eight (8) characters. Passphrases are always recommended/preferred.
- All passwords must contain each of the following character types:
  - Upper case letter(s): A - Z
  - Lower case letter(s): a - z
  - Number(s): 0-9
  - Special characters
- Users will not be able to reuse the ten (10) previous passwords they have used in the past.
Section 3: Password Use
All WIU workstations that are permanently or intermittently connected to the network will use an access control system that follows the password policy.
- All users will be uniquely identified. Users are prohibited from logging into any system or network anonymously (e.g. Macintosh and Windows guest accounts).
- User accounts will be locked after twenty (20) invalid logon attempts (fewer attempts may be permitted on some systems). Accounts will remain locked for thirty (30) minutes or until re-enabled by a system administrator.
- All WIU workstations should require re-authentication after 15 minutes of user inactivity. All systems or applications must require re-authentication after a maximum of thirty (30) minutes of user inactivity. This should be set to the shortest amount of time that still allows business functionality. All WIU workstations should be locked (requiring re-authentication) or shut down when not in use.
- Passwords are classified as sensitive, confidential information.
- Passwords used on WIU workstations, systems or applications must not be:
  - The same password the account owner uses for other non-WIU access (e.g. personal email, online banking, e-commerce shopping accounts, etc.).
  - Shared with anyone, including co-workers, family members, friends, acquaintances or even university technical support staff, in any format (e.g. online, verbally, in writing via text message, email, IM, chats, etc.).
  - Composed of personal information (e.g. name, birthday, phone, address, etc.) or your username as part of the password.
Section 4: WIU System Accounts with Elevated Privileges
The following is only applicable to accounts with elevated privileges (such as those used by system administrators who manage one or more servers).
- System-level account (e.g., root, enable, etc.) requirements:
  - Initial login must be made via an account assigned to the staff member before using the system-level administrative accounts.
  - Minimum password length is twelve (12) characters.
  - Remote access to system-level accounts must be disabled (i.e. PermitRootLogin set to "no" in sshd_config).
  - All other password requirements in Section 1 apply.
- Administrative accounts with elevated privileges (e.g., Windows domain, vSphere admin, network admin, etc.) require:
  - An account that clearly and uniquely identifies the user and is not their primary user account.
  - All other password requirements in Section 1 apply.
- System, service, and application accounts that are used to authenticate automatically must not be used by an individual for any reason, but are allowed to have passwords that never expire. These accounts require:
  - Minimum password length of sixteen (16) characters.
  - All other password requirements in Section 1 apply.
- Vendor-supplied and/or default passwords must be changed before any computer or communication system is used in production or hosts any WIU data.
- Where SNMP is used, the community strings will be defined as something other than the standard defaults of "public," "private," and "system" and must be different from the password used to log in interactively.
- Passwords must be changed immediately when individuals with knowledge of elevated account passwords leave the university.
Section 5: Additional Password Requirements for Areas Accepting Credit Cards as Payments
WIU adheres to the Payment Card Industry Data Security Standard (PCI DSS). When PCI DSS requirements and university policy conflict, the most restrictive policy shall apply.
Requirements of WIU's policy are as follows:
- Account additions, deletions, and modifications must be managed centrally.
- The user's identity must be verified before performing password resets.
- First-time passwords must be set to a unique value for each user and must be changed immediately after the first use. The creation of first-time passwords will not follow a pattern that is guessable by someone who has previously obtained a first-time password.
- All users' access shall immediately be revoked upon their termination of employment.
- Accounts shall be disabled after ninety (90) days of inactivity.
- Accounts shall not be shared, generic, or group accounts.
- Accounts shall have their corresponding passwords changed every ninety (90) days or less.
- All other general password requirements (section 1) and password use (section 2) apply.
RESPONSIBILITIES (Implementation and Enforcement)
University Technology is responsible for implementing, enforcing, updating and maintaining this policy.