PASSWORD SECURITY GUIDELINE

Transcription

1 Section: Information Security Revised: December 2004 Guideline: Description: Password Security Guidelines: are recommended processes, models, or actions to assist with implementing procedures with respect to the subject. Author: Information Security Office PASSWORD SECURITY GUIDELINE Strong passwords are required by multiple State and Federal requirements to protect University assets and data. Handbook of Operating Procedures policy and its associated standard fulfill those requirements for the University. The following pages represent industry best practices for implementing strong password security, whether at the individual workstation level or across the enterprise. This document reiterates University password requirements, and then presents guidelines, suggestions, and recommendations for implementing that policy at appropriate levels within the University. Finally, a template is presented as a removable, standalone document which can be edited to represent a department s tailored approach to local password security. Password Security Guideline Internal Use Only

2 Table of Contents 1. POLICY REQUIREMENTS CREATING EFFECTIVE PASSWORDS AVOIDING PROBLEM PASSWORDS CHANGING YOUR PASSWORD DID YOU FORGET YOUR PASSWORD? SOCIAL ENGINEERING... 4 Password Security Guideline i Internal Use Only

3 1. Policy It is the policy of The University of Texas Health Science Center at San Antonio (UTHSCSA) to protect its information resource assets and data with passwords, where appropriate. Since passwords act as the front-line of protection to University data, poorly chosen passwords or password behaviors may result in the compromise of the network and/or exposure of sensitive information. Information Security is everyone s responsibility, but management of information resources, systems, and their data within each department generally resides with departmental management. As such, each department must decide to conform to University policies and standards or to develop their own; local departmental policies may be more restrictive but not less. 2. Requirements All authorized users who have or are responsible for any account on any UTHSCSA computer system are required to create, maintain, and protect strong passwords for those system, where passwords are required. Thos users include, but are not limited to, faculty, staff, students, contractors, or guests. Within the limits of the operating system or application, those passwords must: Contain a minimum of eight (8) characters Contain at least three (3) of the following four (4) characters: o Upper case characters (A-Z). o Lower case characters (a-z). o Numerical characters (0-9) o Special characters (!@#$%^&*()_+ ~-=\`{}[]:";'<>?,./) Maintain sufficient complexity by avoiding dictionary words (English, foreign language, or technical), personally identifiable or publicly available information, jargon, or word or number patterns Have a maximum age of 60 days and a minimum age of 3 days Maintain a history of at least six (6) passwords Lock an account for at least 15 minutes after five (5) sequential invalid login attempts NOT be stored in clear text or in any easily reversible form 3. Creating Effective Passwords Here are three common sense, but very effective, rules to follow regarding your passwords: Password Security Guideline 1 Internal Use Only

4 Do not write your password down! If you do, someone else can find it and use it. Remember, anything done on a computer using your user name and password looks like it is coming from YOU. Never give your password to anyone. Follow these guidelines for constructing strong passwords: First and foremost, it must be easy for you to remember, but difficult for anyone else to guess Create a password at least eight (8) characters long and as complex as you can remember within the confines of the operating system, and that conforms to the published UTHSCSA Password Standard as described above. Take words that are easy for you to remember and embed numbers and punctuation throughout them Ca5dil4lac? ( 54 Cadillac) Use portions of names/words with numbers and punctuation separating them (Tom5Dic9Har! for Tom, Dick, and Harry) Pick a word that you can remember and move your fingers over on the keyboard (Security becomes Drvitoyu by moving one key to the right; add numbers and punctuation to improve the password) Remove the vowels from a word, but be sure to put some numbers and punctuation (information becomes 4Nf6rm=t[]n) Use a pass-phrase instead of a password. Pass-phrases are words or portions of words that make up a phrase or sentence. These may be longer than passwords but are safer and may be easier to remember. Examples of pass-phrases are: Now is the time for all good men NoIsThTiFoAlGoMe!@ takes the first two letters of each word and then ends the phrase with punctuation. Nit5tf9agm$ takes the first letter of the original phrase and adds numbers, punctuation, and mixes the case. Avoid using common pass-phrases that could be easily guessable, such as TeoTauy ( The eyes of Texas are upon you ). 4. Avoiding Problem Passwords Poorly constructed passwords are vulnerable to both social engineering attacks (people successfully guessing your password because they know something about you) or automated attacks (password cracking programs that use built-in rules and dictionaries to try to guess the password). To decrease the vulnerability of your password, use the password creation suggestions above and keep the following in mind: Don t use any word or phrase that people would associate with you from what they know about you (names, hobbies, interests, car license plates, hometown, etc.) Don t use any part of your name or your user name, or the name of anyone in your family (including pets) or close friends Password Security Guideline 2 Internal Use Only

5 Don t use any word found in any dictionary (including foreign language, medical, technical dictionaries). Password cracking programs use these for their attacks. Don t use any word or name found in current or recent popular culture (Star Trek, Harry Potter, music, NASCAR, sports, TV Shows, etc.). Password cracking programs have special dictionaries for these, including a Klingon language dictionary! Don t use any proper name Don t use names of famous people (Lincoln, Johnson, Carey) Don t use places (San Antonio, Beaumont, Virginia) Don t use things or objects (alligator, rodent, kangaroo) Don t take a dictionary word and add characters/numbers/punctuation to the beginning or end (armadillo32, oceans11, 54cadillac). Cracking programs know this trick too. Don t take a dictionary word and reverse it (rodeo oedor). This is also checked by cracking programs. Don t use strictly all letters or all numbers (FFGGHHJJ, ) Don t use any keyboard combinations (qwerty, asdfgh, cvbnm) Don t join common words together without something to break them up or change them (Moo$nS!tar instead of moonstar) Don t rely only on character substitutions that would be recognizable as hacker speak or l33t speak (pronounced leet speak ). The latest password crackers now recognize most of these substitutions. Some of the more common substitutions include numbers that look like letters (3 for e, 5 for s, 0 for o, 4 for A, etc.) 5. Changing Your Password Change your password when: Prompted to by the system. When your UTHSCSA password is about to expire, the system begins notifying you 14 days before. Change it promptly. If you have any reason to believe anyone else has obtained your password. 6. Did you forget your password? Faculty and Staff contact your Technical Support Representative or go to the Triage Help Desk Students Go to the Triage Help Desk or to the computer lab in the Briscoe Library The Triage Help Desk is in Computing Resources, Room 416.L in the Medical Building. You MUST bring your UTHSCSA identification card. NO passwords will be issued or reset over the phone. Password Security Guideline 3 Internal Use Only

6 7. Social Engineering Social engineering is the term given for convincing people to give confidential or compromising information about themselves or their organization by posing as someone in authority or as a technical representative. A common trick is for a cracker (posing as technical support) to contact the administrative staff of a busy department leader. Claiming to be working on the leader s account (always very important), the cracker will claim to need the leader s password to repair the account. No legitimate UTHSCSA employee will ever ask you to reveal your password. If anyone does ask for it, immediately contact your supervisor and the Triage Help Desk at Password Security Guideline 4 Internal Use Only

7 The following pages represent a template for creating departmental password security requirements; edit the pages following this one (where indicated in bold italic) to put in local information. For those sections regarding variation from University policy, minimum University requirements are shown; local policies may be more restrictive than University requirements, but can never be less restrictive. When editing, be sure to change any header and footer entries as well; once edited, the header and footer should appear properly. Password Security Guideline 5 Internal Use Only

8 Section: Information Security Revised: December 2004 Guideline: Description: Password Security Guidelines: are recommended processes, models, or actions to assist with implementing procedures with respect to the subject. Template Provider: Information Security Office PASSWORD SECURITY PROCEDURES for {insert departmental or organizational name here} Updated: {insert effective date here} Maintained by: Name: {insert local information} Department: {insert local information} Phone: {insert local information} {insert local information} {insert department name here} Password Procedures Confidentia

9 1. Policy It is the policy of The University of Texas Health Science Center at San Antonio (UTHSCSA) to protect its information resource assets and data with passwords, where appropriate. Since passwords act as the front-line of protection to University data, poorly chosen passwords or password behaviors may result in the compromise of the network and/or exposure of sensitive information. Information Security is everyone s responsibility, but management of information resources, systems, and their data within each department generally resides with departmental management. The following represents the password security requirements for {insert departmental information here}. 2. Password Use Rules Any password, whether it belongs to the user s UTHSCSA account or to a locally managed departmental server or system account, must be kept private and used only to the individual to whom it belongs. Administrators and system administrators in departments must put into place a routine for ensuring user accounts are not being misused and passwords are not being shared. This could involve security log checks compared to employee time records, or it could be implemented via an automated access auditing package in the server or application. 3. Password Strength Requirements Within the limits of the operating system or application, the password must meet the following requirements: Password length: {insert password length here; must be at least 8} characters Password complexity: at least {insert number of types of characters here; must be at least 3} of the following four (4) types of characters Upper case characters (A-Z). Lower case characters (a-z). Numerical characters (0-9) Special characters (!@#$%^&*()_+ ~-=\`{}[]:";'<>?,./) Passwords must maintain sufficient complexity by avoiding dictionary words (English, foreign language, or technical), personally identifiable or publicly available information, jargon, or word or number patterns Passwords must have a maximum age of {insert number of days here; must be 60 or less} days and a minimum age of {insert number of days here; must be 3 or more} days {insert department name here} Password Procedures 1 Confidentia

10 Each system must maintain a history of at least {insert number passwords remembered; must be at least 6} passwords Each system must lock an account for at least {insert lockout duration here; must be at least 15} minutes after {insert number of failed login attempts here; must be no more than 5} sequential invalid login attempts Passwords must NOT be stored in clear text or in any easily reversible form 4. Password Security Enforcement Password strength testing should be done periodically for all systems to assure that users are choosing secure passwords and following password guidelines. State and Federal requirements mandate that this function be limited to the Information Security Office for this University since knowledge of other users passwords constitutes an extremely HIGH security risk. 5. Password Generation Password generation utilities can be used if the resulting passwords are compliant with the Password Standard as described in paragraph 3 above. Steps must be taken that will prevent generated passwords from being stored in a readable or easily reversible form. Passwords created by web-based applications must be protected during generation and transmission using secure channels (i.e., SSL). {insert department name here} Password Procedures 2 Confidentia