General Password Construction Guidelines

Passwords are used for various purposes at the University. Some of the more common uses include: user-level accounts, web accounts, Email accounts, screen saver protection, voice mail passwords, and local Router logins. Very few systems have support for one-time Tokens (i.e. dynamic passwords which are only used once), thus everyone must be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:

1. The password contains less than eight characters
2. The password is a word found in a dictionary (English or foreign)
3. The password is a common usage word, such as:
1. Names of family members, pets, friends, co-workers, fictional characters, etc.
2. Computer terms and names, commands, sites, companies, Hardware and Software terms
3. The words "Park University", "sanjose", "sanfran" or any derivation
4. Birthdays and other personal information, such as addresses and phone numbers
5. Word or number patterns like aaabbb, qwerty, xyzzy, 123321, etc.
6. Any of the above spelled backwards
7. Any of the above preceded or followed by a digit (e.g. secret1, 1secret)

Strong passwords have the following characteristics:

1. The password contains both upper and lower case characters (e.g. a-z, A-Z)
2. The password has digits and punctuation characters as well as letters, if possible (e.g. 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
3. The password is at least eight alpha-numeric characters long
4. The password is not a word in any language, slang, dialect, jargon, etc.
5. The password is not based on personal information, names of family, etc.

Passwords must never be written down or stored on-line. Passwords should be created so that they can be easily remembered while still having strong password characteristics. One way to do this is to create a password derived from a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the corresponding password might be "TmB1w2R!", or "Tmb1W>r~", or some other variation.

NOTE: These particular examples are now public, and must not be used as real passwords!

Password Protection Standards

Authorized Users must not use the same password for University accounts as for other non-University access (e.g. personal ISP account, option trading, benefits, etc.). Wherever possible, the same password must not be used for various University access needs. For example, the password for the CARS systems must be separate from the password for other Information Technology systems. Also, a separate password must be selected for a Windows account and a UNIX account.

University passwords must not be shared with anyone, including administrative assistants or secretaries. All passwords are to be treated as confidential University information. Groups accounts (an account shared among two or more users) are prohibited.

Users must not do the following:

1. Passwords must not be revealed or hinted at over the phone to anyone without proper verification, in an Email message which includes the user name, to any supervisors or co-workers, on questionnaires or Security forms, or to family members.
2. The "Remember Password" feature of applications (e.g. Eudora, Outlook, or Netscape Messenger) must not be used.

If someone demands a password, they should be referred to this document or they should call Information Security personnel.

Again, passwords must not be written down and stored anywhere by the Authorized User. Passwords must not be stored in a file on ANY computer system (including Palm Pilots or similar devices) without Encryption.

If an account or password is suspected to be compromised, the incident must be reported to Information Security personnel and the password must be changed immediately.

Password Cracking or guessing may be performed on a periodic or random basis by Information Security personnel. If a password is guessed or cracked during one of these scans, the user will be required to change it.

Application Development Standards

Application developers must ensure their Programs contain the following Security precautions:

1. Applications must support User Authentication of individual Authorized Users, not groups.
2. Applications must not store passwords in clear text or in any easily reversible form.
3. Applications must provide for some sort of role management, so that one Authorized User can take over the functions of another without having to know the other's password.
4. Applications should support advanced User Authentication systems (e.g. RADIUS), wherever possible.

Use of Passwords and Pass-phrases for Remote Access Users

Remote Access to the University Information Technology Network must be controlled using either one-time password authentication or a public / private key system with a strong Pass-phrase.

Pass-phrases

Pass-phrases are generally used for public / private key authentication. A public / private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the Authorized User. Without the Pass-phrase to "unlock" the private key, the Authorized User cannot gain access.

Pass-phrases are not the same as passwords. A Pass-phrase is a longer version of a password and is, therefore, considered more secure. A Pass-phrase is typically composed of multiple words. Because of this, a Pass-phrase is more secure against "dictionary attacks."

A good Pass-phrase is relatively long and contains a combination of upper- and lower-case letters, numerals, and punctuation characters. The following is an example of a good Pass-phrase:

"R34d car3fu!!y. B3 h0n3$t."

All of the rules above that apply to passwords, also apply to Pass-phrases.