Password Policy

Version: 1.00    Issue Date: 9/8/2014

1.0 Overview

All employees and personnel that have access to organizational computer systems must adhere to the password policies defined below in order to protect the security of the network, protect data integrity, and protect computer systems.

2.0 Purpose

This password policy is designed to protect organizational resources on the network by requiring strong passwords, requiring that those passwords be protected, and establishing a minimum time between password changes. It further protects accounts and passwords by establishing account lockout, password expiration, and password retention policies.

3.0 Scope

This password policy applies to any person who has access to organizational resources, whether they are permanent, temporary, or part-time staff members, and includes all external persons who access organizational resources, including consultants, contractors, vendors, and any volunteers. This password policy applies to all types of accounts, including administrator accounts, email accounts, network accounts, and local accounts. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Terms

  • Multi-factor authentication - Authentication can use three types of items which are:
    • Something the user knows.
    • Something the user has.
    • Something the user is.
    Multifactor authentication would use two or three of the above types of items.
  • Public key cryptography - A form of cryptography which uses both a publicly available key and a key that is kept private. If data is encrypted with the public key, only the private key can be used to decrypt it. If data is encrypted with the private key, the public key can be used to decrypt it.
  • Password - Passwords are a method of identifying a user using something they know. Passwords are normally 8 or more characters in length and, to be secure, may have minimum complexity rules requiring several types of characters to be used in the password, such as lower case letters, upper case letters, numbers, and special characters.
  • Pass phrase - A pass phrase is used in much the same way as a password to identify users, but it is generally much longer and is normally considered a stronger authentication mechanism than a password, since the greater number of characters makes it harder to crack.
  • Biometrics - Biometrics is a possible method of user authentication that uses something the user is to determine the user's identity. This may include a retinal scan, a fingerprint, or facial features.

5.0 Password Use Rules

  • Never send passwords through email or in other forms of electronic communication without encryption.
  • Never send your password through email or any electronic media since even an encrypted password may be decrypted and compromised.
  • Never write passwords down.
  • Never include a password in a non-encrypted stored document.
  • Never tell anyone your password.
  • Never reveal your password over the telephone.
  • Never hint at the format of your password.
  • Never reveal or hint at your password on a form on the internet.

6.0 Password Protection

  1. Never use the "Remember Password" feature of application programs such as Internet Explorer, your email program, or any other program.
  2. Never use your corporate or network password on an account over the internet which does not have a secure login, where the web browser address starts with https:// rather than http://.
  3. Report any suspicion of your password being broken to your IT computer security office and/or help desk.
  4. If anyone asks for your password, refer them to your IT computer security office.
  5. Don't use common acronyms as part of your password.
  6. Don't use common words or reverse spelling of words in part of your password.
  7. Don't use names of people or places as part of your password.
  8. Don't use part of your login name in your password.
  9. Don't use parts of numbers easily remembered such as phone numbers, social security numbers, or street addresses.
  10. Don't use word or number patterns for parts of passwords like abcdefg, 123456, zxcvbnm, 654321, or zzxxyyww.
  11. Be careful about letting someone see you type your password.
  12. User accounts and passwords must be unique to one person and more than one person shall not be allowed to share a single account. No one with an organizational password may share their password or account information with another person.
  13. Do not use the same password for organizational accounts that you use for external accounts such as external email accounts, passwords for ISP accounts, and other internet web site accounts.
  14. Be aware that passwords stored on handheld devices and computers unencrypted are very vulnerable and are easily compromised. Even passwords stored in a reversible encrypted format can be cracked.

The organization may periodically check user passwords to determine how strong they are either using in house staff or external parties at its discretion. The user will be required to change their password if the password is determined to be too weak.

7.0 Password Requirements (subject to change)

Those setting password requirements must remember that making the password rules too difficult may actually decrease security if users decide the rules are impossible or too difficult to meet. If passwords are changed too often, users may tend to write them down or make their password a variant of an old password which an attacker with the old password could guess. The following password requirements will be set by the IT security department:

  1. Minimum Length - 8 characters recommended
  2. Maximum Length - 14 characters
  3. Minimum complexity - No dictionary words included. Passwords should use at least three of the following four types of characters:
    1. Lowercase
    2. Uppercase
    3. Numbers
    4. Special characters such as !@#$%^&*(){}[]
  4. Passwords are case sensitive and the user name or login ID is not case sensitive.
  5. Password history - Require a number of unique passwords before an old password may be reused. This number should be no less than 24.
  6. Maximum password age - 60 days
  7. Minimum password age - 2 days
  8. Store passwords using reversible encryption - This should not be done without special authorization by the IT department since it would reduce the security of the user's password.
  9. Account lockout threshold - 4 failed login attempts
  10. Reset account lockout after - The time that must pass after a bad login attempt before the count of bad login attempts is cleared. The recommended value as of the date of writing this article is 20 minutes. This means that if there are three bad attempts within 20 minutes, the account would be locked.
  11. Account lockout duration - Some experts recommend that the administrator reset the account lockout manually so they are aware of possible break-in attempts on the network. However, this will cause a great deal of additional help desk calls. Therefore, depending on your security needs, the account lockout duration should be between 30 minutes and 2 hours. If your security needs are high, you may want to require a manual reset of the account.
  12. Password protected screen savers should be enabled and should protect the computer within 5 minutes of user inactivity. Computers should not be left unattended with the user logged on and no password protected screen saver active. Users should be in the habit of not leaving their computers unlocked. They can press the CTRL-ALT-DEL keys and select "Lock Computer".
  13. Rules that apply to passwords apply to passphrases which are used for public/private key authentication.
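The following Python is an added example, not part of this policy document and not tooling the organization uses. It turns the requirements in items 1 to 11 above into a reference validator and lockout counter: length limits, the three-of-four character class rule, dictionary words and the patterns named in section 6.0, reuse of the login name, a 24-entry password history kept as salted one-way hashes (so nothing reversible is stored), and a lockout counter that locks after 4 failures, clears its count 20 minutes after the last failure, and locks for 30 minutes. The thresholds come from the list above; the word list, the PBKDF2 round count, the choice of 30 minutes from the policy's 30-minute-to-2-hour range, and timestamps as plain seconds are assumptions made for illustration.

```python
"""Reference checker for the section 7.0 password requirements (added example).

Thresholds are taken from the policy; DICTIONARY_WORDS, PBKDF2_ROUNDS and the
30-minute lockout are constructed assumptions for the illustration.
"""
import hashlib
import os

MIN_LENGTH = 8                      # item 1
MAX_LENGTH = 14                     # item 2
MIN_CHARACTER_CLASSES = 3           # item 3: three of four classes
PASSWORD_HISTORY = 24               # item 5
LOCKOUT_THRESHOLD = 4               # item 9: failed attempts
LOCKOUT_COUNTER_RESET = 20 * 60     # item 10: seconds after last failure
LOCKOUT_DURATION = 30 * 60          # item 11: assumed 30 min (policy allows 30 min to 2 h)

SPECIAL_CHARACTERS = set("!@#$%^&*(){}[]")          # item 3, type 4
# Constructed stand-in for a real word list; a deployment would load a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey"}
COMMON_PATTERNS = ("abcdefg", "123456", "zxcvbnm", "654321", "zzxxyyww")  # section 6.0, item 10
PBKDF2_ROUNDS = 20_000   # assumption: kept modest so the example runs quickly


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in SPECIAL_CHARACTERS)
    return sum(any(check(c) for c in password) for check in checks)


def check_password(password: str, login: str) -> list:
    """Return the rules a candidate password breaks; an empty list means compliant."""
    lowered = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than the 8-character minimum")
    if len(password) > MAX_LENGTH:
        problems.append("longer than the 14-character maximum")
    if character_classes(password) < MIN_CHARACTER_CLASSES:
        problems.append("uses fewer than three of the four character classes")
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(pattern in lowered for pattern in COMMON_PATTERNS):
        problems.append("contains a keyboard or number pattern")
    # Login IDs are not case sensitive (item 4), so the comparison is case-folded.
    if login and login.lower() in lowered:
        problems.append("contains the login name")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; history never holds reversible encryption (item 8)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Keeps the newest 24 salted hashes so an old password cannot be reused (item 5)."""

    def __init__(self):
        self.entries = []  # (salt, digest) pairs, newest last

    def was_used(self, password: str) -> bool:
        return any(hash_password(password, salt) == digest for salt, digest in self.entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt)))
        del self.entries[:-PASSWORD_HISTORY]  # drop everything older than the newest 24


class LockoutCounter:
    """Failed-login counter: the count clears 20 minutes after the last failure
    (item 10); reaching 4 failures locks the account for the duration (items 9, 11)."""

    def __init__(self):
        self.failures = 0
        self.last_failure = None   # seconds, e.g. from time.time()
        self.locked_until = None

    def is_locked(self, now: float) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: float) -> bool:
        """Register a failed login at time `now`; return True if the account is locked."""
        if self.is_locked(now):
            return True
        if self.last_failure is not None and now - self.last_failure >= LOCKOUT_COUNTER_RESET:
            self.failures = 0          # quiet period elapsed: counter starts over
        self.failures += 1
        self.last_failure = now
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
            self.failures = 0
            return True
        return False

    def record_success(self) -> None:
        self.failures = 0
        self.last_failure = None


if __name__ == "__main__":
    for candidate in ("Tr0ub@dor", "summerdays", "JSmith2014!"):
        print(candidate, "->", check_password(candidate, "jsmith") or "compliant")
```

The history check hashes the candidate against every stored salt rather than storing passwords in any recoverable form, which is what item 8 is guarding against. The lockout counter follows the semantics item 10 describes: the count is cleared only once the reset interval has passed since the last bad attempt, and a success clears it immediately.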

8.0 Choosing Passwords

Use password choosing tips as shown at http://www.comptechdoc.org/docs/ctdp/howtopass/ and be sure your passwords meet the minimum guidelines.

9.0 Passwords and Applications

Applications should provide user role and account security with the following features:

  • Authenticate individual users rather than groups.
  • Not store passwords in any reversible format.
  • Provide for management of application access and functions using user role management, so users can be put into roles that allow them to perform required functions without knowing other users' passwords.
  • Use network authentication where possible. For example, using Active Directory as a single authentication source is a more efficient use of resources when security requirements permit.

10.0 Enforcement

Since password security is critical to the security of the organization and everyone, employees that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

11.0 Other Considerations

Administrator passwords must be protected very carefully. Administrator accounts should have the minimum access to perform their function. Administrator accounts must not be shared.

The organization should work toward stronger authentication techniques as technology and cost permit, including solutions such as pass phrases, multi-factor authentication, stronger and more secure hashing and encryption techniques, biometrics, and public key cryptography.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________