Your Location: Park.edu Home > Information Security > Policies and Procedures > Password Policy
Information Technology Policies and Procedures
Passwords are essential to computer Security. They are the front line of protection for Authorized User accounts. A poorly chosen password can result in the compromise of the entire University Information Technology Network. All Authorized Users are responsible for taking the actions outlined below, to select and secure their passwords.
The purpose of this policy is to establish a standard for creation and protection of strong passwords for Authorized Users of information technology resources on the University Information Technology Network. This policy will also establish the frequency of change for those passwords.
The scope of this policy includes all Authorized Users who are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any University facility, accesses the University Information Technology Network, or stores any non-public University information.
General Password Construction Guidelines
Passwords are used for various purposes at the University. Some of the more common uses include: user-level accounts, web accounts, Email accounts, screen saver protection, voice mail passwords, and local Router logins. Very few systems have support for one-time Tokens (i.e. dynamic passwords which are only used once), thus everyone must be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
Strong passwords have the following characteristics:
Passwords must never be written down or stored on-line. Passwords should be created so that they can be easily remembered while still having strong password characteristics. One way to do this is to create a password derived from a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the corresponding password might be "TmB1w2R!", or "Tmb1W>r~", or some other variation.
NOTE: These particular examples are now public, and must not be used as real passwords!
Password Protection Standards
Authorized Users must not use the same password for University accounts as for other non-University access (e.g. personal ISP account, option trading, benefits, etc.). Wherever possible, the same password must not be used for various University access needs. For example, the password for the CARS systems must be separate from the password for other Information Technology systems. Also, a separate password must be selected for a Windows account and a UNIX account.
University passwords must not be shared with anyone, including administrative assistants or secretaries. All passwords are to be treated as confidential University information. Groups accounts (an account shared among two or more users) are prohibited.
Users must not do the following:
If someone demands a password, they should be referred to this document or they should call Information Security personnel.
Again, passwords must not be written down and stored anywhere by the Authorized User. Passwords must not be stored in a file on ANY computer system (including Palm Pilots or similar devices) without Encryption.
If an account or password is suspected to be compromised, the incident must be reported to Information Security personnel and the password must be changed immediately.
Password Cracking or guessing may be performed on a periodic or random basis by Information Security personnel. If a password is guessed or cracked during one of these scans, the user will be required to change it.
Application Development Standards
Application developers must ensure their Programs contain the following Security precautions:
Use of Passwords and Pass-phrases for Remote Access Users
Remote Access to the University Information Technology Network must be controlled using either one-time password authentication or a public / private key system with a strong Pass-phrase.
Pass-phrases are generally used for public / private key authentication. A public / private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the Authorized User. Without the Pass-phrase to "unlock" the private key, the Authorized User cannot gain access.
Pass-phrases are not the same as passwords. A Pass-phrase is a longer version of a password and is, therefore, considered more secure. A Pass-phrase is typically composed of multiple words. Because of this, a Pass-phrase is more secure against "dictionary attacks."
A good Pass-phrase is relatively long and contains a combination of upper- and lower-case letters, numerals, and punctuation characters. The following is an example of a good Pass-phrase:
"R34d car3fu!!y. B3 h0n3$t."
All of the rules above that apply to passwords, also apply to Pass-phrases.
Any Authorized User found to be in violation of this policy will be considered an Unauthorized User, and as such are subject to disciplinary action pursuant with the Enforcement section of the Unauthorized Use Policy.Back to Contents