Sunday, June 22, 2014

RYSS–Password Policy 2009


Password Policy

Revised: 06/30/2009

1. Overview.

Passwords are essential to computer Security. They are the front line of protection for Authorized User accounts. A poorly chosen password can result in the compromise of the entire TCCC-RYSS Information Technology Network. All Authorized Users are responsible for taking the actions outlined below to select and secure their passwords.

2. Purpose.

The purpose of this policy is to establish a standard for creation and protection of strong passwords for Authorized Users of information technology resources on the TCCC-RYSS Information Technology Network. This policy will also establish the frequency of change for those passwords.

3. Scope.

The scope of this policy includes all Authorized Users who are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any TCCC-RYSS facility, accesses the TCCC-RYSS Information Technology Network, or stores any non-public TCCC-RYSS information.

4. Policy.

General

• All system-level passwords (e.g. the "root" account on UNIX-based Operating Systems, the "enable" functionality of Routers, the Windows "administrator" account, application administration accounts, etc.) must be changed on at least a quarterly basis.

• All system-level passwords on all equipment must be part of the TCCC-RYSS Password Management System.

• All user-level passwords (e.g. Email, web, desktop computer, etc.) must be changed at least every sixty days.

• Authorized User accounts that have system-level privileges granted through group memberships or Programs such as "sudo" or "su" must have a unique password that is different from all other accounts held by that Authorized User.

• Passwords must not be included in Email messages, phone conversations, or other forms of electronic communication.

• Where Simple Network Management Protocol (SNMP) is used, the community strings must be defined as something other than the standard defaults ("public," "private," or "system") and must be different from the passwords used to log in interactively. Authenticated SNMP, which protects each message with a keyed hash (as provided by SNMP version 3), must be used where available.

• All user-level and system-level passwords must conform to the guidelines described below.

Standards

a. General Password Construction Guidelines

Passwords are used for various purposes at TCCC-RYSS. Some of the more common uses include: user-level accounts, web accounts, Email accounts, screen saver protection, voice mail passwords, and local Router logins. Very few systems have support for one-time Tokens (i.e. dynamic passwords which are only used once), so everyone must be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:

• The password contains fewer than eight characters

• The password is a word found in a dictionary (English or foreign)

• The password is a common usage word, such as:

• Names of family members, pets, friends, co-workers, fictional characters, etc.

• Computer terms and names, commands, sites, companies, Hardware and Software terms

• The words "TCCC-RYSS", "Panther", "Tejano Center" or any derivation

• Birthdays and other personal information, such as addresses and phone numbers

• Word or number patterns like aaabbb, qwerty, xyzzy, 123321, etc.

• Any of the above spelled backwards

• Any of the above preceded or followed by a digit (e.g. secret1, 1secret)

Strong passwords have the following characteristics:

• The password contains both upper and lower case characters (e.g. a-z, A-Z)

• The password has digits and punctuation characters as well as letters, if possible

(e.g. 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

• The password is at least eight alpha-numeric characters long

• The password is not a word in any language, slang, dialect, jargon, etc.

• The password is not based on personal information, names of family, etc.

Passwords must never be written down or stored on-line. Passwords should be created so that they can be easily remembered while still having strong password characteristics. One way to do this is to create a password derived from a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the corresponding password might be "TmB1w2R!", or "Tmb1W>r~", or some other variation.

NOTE: These particular examples are now public, and must not be used as real passwords!
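The construction guidelines above, implemented as a checker that reports which of them a candidate password breaks. This is an added example, not part of the original policy or any TCCC-RYSS system: the word list, organisation names and keyboard patterns are small constructed stand-ins (a real deployment would load a full multi-language word list in place of DICTIONARY), and the function and parameter names are this example's own.

```python
"""Checker for the password construction guidelines above.

Added example, not part of the original policy. DICTIONARY, ORG_WORDS and
PATTERNS are small constructed stand-ins; a real deployment would load a
full word list (the policy says "any language") in place of DICTIONARY.
"""

DICTIONARY = {"secret", "password", "welcome", "summer", "dragon", "monkey"}
ORG_WORDS = {"tccc-ryss", "tcccryss", "tccc", "ryss", "panther",
             "tejano center", "tejanocenter"}
PATTERNS = {"qwerty", "xyzzy", "asdfgh", "abcdef"}
PUNCT = set("!@#$%^&*()_+|~-=\\`{}[]:\";'<>?,./")


def _candidates(pw):
    """Forms the policy still counts as weak: the password lowercased, spelled
    backwards, and with a single leading or trailing digit removed."""
    base = pw.lower()
    forms = {base, base[::-1]}
    if len(base) > 1 and base[0].isdigit():
        forms.update({base[1:], base[1:][::-1]})
    if len(base) > 1 and base[-1].isdigit():
        forms.update({base[:-1], base[:-1][::-1]})
    return forms


def _is_repetition_pattern(pw):
    """aaabbb / 123321 / abcabc style: at most two distinct characters, a
    palindromic digit string, or a short unit repeated to fill the password."""
    low = pw.lower()
    if len(low) >= 4 and len(set(low)) <= 2:
        return True
    if low.isdigit() and low == low[::-1]:
        return True
    for n in range(1, len(low) // 2 + 1):
        if len(low) % n == 0 and low[:n] * (len(low) // n) == low:
            return True
    return False


def check_password(pw, personal_info=()):
    """Return the list of guideline violations (an empty list means strong).

    personal_info is an optional iterable of the user's own data (names,
    birth year, phone number) that must not appear in the password."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("does not mix upper- and lower-case letters")
    if not any(c.isdigit() or c in PUNCT for c in pw):
        problems.append("contains no digits or punctuation")
    cands = _candidates(pw)
    if cands & DICTIONARY:
        problems.append("dictionary word, possibly reversed or with a digit added")
    if cands & PATTERNS or _is_repetition_pattern(pw):
        problems.append("keyboard or repetition pattern")
    if any(w in low or w[::-1] in low for w in ORG_WORDS):
        problems.append("contains an organisation name or a derivation of one")
    for item in personal_info:
        item = item.lower()
        if item and (item in low or item[::-1] in low):
            problems.append("contains personal information (%s)" % item)
    return problems


if __name__ == "__main__":
    for candidate in ["secret1", "Panther2009!", "123321", "Qwerty1", "TmB1w2R!"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The dictionary test is an exact match on the normalised forms, which is what catches "secret1" and "1terces" as the policy intends; substring matching is reserved for the organisation names, which the policy bans "or any derivation" of.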

b. Password Protection Standards

Authorized Users must not use the same password for TCCC-RYSS accounts as for other non-TCCC-RYSS access (e.g. personal ISP account, option trading, benefits, etc.). Wherever possible, the same password must not be used for various TCCC-RYSS access needs. For example, the password for the CARS systems must be separate from the password for other Information Technology systems. Also, a separate password must be selected for a Windows account and a UNIX account.

TCCC-RYSS passwords must not be shared with anyone, including administrative assistants or secretaries. All passwords are to be treated as confidential TCCC-RYSS information. Group accounts (an account shared among two or more users) are prohibited.

Users must not do any of the following:

• Reveal or hint at a password over the phone to anyone without proper verification, in an Email message (especially one that also includes the user name), to any supervisors or co-workers, on questionnaires or Security forms, or to family members.

• Use the "Remember Password" feature of applications (e.g. Eudora, Outlook, or Netscape Messenger).

If someone demands a password, refer them to this document or have them call Information Security personnel.

Again, passwords must not be written down and stored anywhere by the Authorized User. Passwords must not be stored in a file on ANY computer system (including Palm Pilots or similar devices) without Encryption.

If an account or password is suspected to be compromised, the incident must be reported to Information Security personnel and the password must be changed immediately.

Password Cracking or guessing may be performed on a periodic or random basis by Information Security personnel. If a password is guessed or cracked during one of these scans, the user will be required to change it.

c. Application Development Standards

Application developers must ensure their Programs contain the following Security precautions:

• Applications must support User Authentication of individual Authorized Users, not groups.

• Applications must not store passwords in clear text or in any easily reversible form.

• Applications must provide for some sort of role management, so that one Authorized User can take over the functions of another without having to know the other's password.

• Applications should support advanced User Authentication systems (e.g. RADIUS), wherever possible.
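The storage rule above ("not in clear text or in any easily reversible form") in working code, as an added example that is not from the policy or any TCCC-RYSS application. It uses only the Python standard library; the record format "pbkdf2_sha256$iterations$salt$hash", the iteration count and the function names are this example's own choices, shown next to the reversible form the policy forbids.

```python
"""Storing passwords in a non-reversible form: a per-record random salt and
PBKDF2-HMAC-SHA256, verified with a constant-time comparison.

Added example using only the Python standard library; not code from the
policy or any TCCC-RYSS application. The record format
'pbkdf2_sha256$<iterations>$<salt>$<hash>' and the iteration count are this
example's own choices.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
# OWASP's current guidance for PBKDF2-HMAC-SHA256; raise it as hardware gets
# faster and use needs_rehash() to upgrade old records on successful login.
ITERATIONS = 600_000


def reversible_store(password):
    """What the policy forbids: an "easily reversible form". Base64 only
    obscures the password; anyone who reads the record recovers it."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_reversible(record):
    """Demonstrates the problem: the stored value decodes straight back."""
    return base64.b64decode(record).decode("utf-8")


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record from which the password cannot be
    recovered. A fresh 16-byte salt makes identical passwords hash
    differently, so one precomputed table cannot attack every record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password, record):
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record predates the current work factor; call it after a
    successful verify_password() and re-store the result of hash_password()."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("TmB1w2R!")
    print(record)
    print(verify_password("TmB1w2R!", record), verify_password("TmB1w2R?", record))
    print(recover_reversible(reversible_store("TmB1w2R!")))
```

Keeping the algorithm name and iteration count inside each record is what lets the work factor be raised later without invalidating existing accounts: old records still verify, and needs_rehash() flags them for re-hashing the next time the user logs in.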

d. Use of Passwords and Pass-phrases for Remote Access Users

Remote Access to the TCCC-RYSS Information Technology Network must be controlled using either one-time password authentication or a public / private key system with a strong Pass-phrase.

e. Pass-phrases

Pass-phrases are generally used for public / private key authentication. A public / private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the Authorized User. Without the Pass-phrase to "unlock" the private key, the Authorized User cannot gain access.

Pass-phrases are not the same as passwords. A Pass-phrase is a longer version of a password and is, therefore, considered more secure. A Pass-phrase is typically composed of multiple words; because an attacker must then guess the whole combination of words rather than a single one, a Pass-phrase is far more resistant to "dictionary attacks."

A good Pass-phrase is relatively long and contains a combination of upper- and lower-case letters, numerals, and punctuation characters. The following is an example of a good Pass-phrase:

"R34d car3fu!!y. B3 h0n3$t."

All of the rules above that apply to passwords also apply to Pass-phrases.

5. Enforcement.

Any Authorized User found to be in violation of this policy will be considered an Unauthorized User and, as such, is subject to disciplinary action pursuant to the Enforcement section of the Unauthorized Use Policy.