Password Standard Version 2.0 October 2006

Transcription

1 Password Standard Version 2.0 October 2006

2 TABLE OF CONTENTS 1.1 SCOPE PRINCIPLES REVISIONS OBJECTIVE POLICY PROTECTION LENGTH SELECTIONS EXPIRATION UNIQUENESS WORK AND PERSONAL SEPARATION RECOMMENDATION ACCOUNT LOCKOUT COMPROMISED DEFAULT PASSWORDS DISPLAY AND PRINTING CRACKING ENCRYPTION RETRIEVAL INFORMATION SYSTEM INSTALLATION EXCEPTIONS APPROVED PASSWORD MANAGERS MANDATORY CONTROLS 7 5.1DISCRETIONARY CONTROLS REFERENCES DEFINITIONS 8 Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 1

3 1.1 SCOPE This policy applies to all users of and information technology (IT) resources owned, operated, or provided by the University of Tennessee at Martin (UTM) including its remote centers. Users includes but is not limited to students, faculty, staff, contractors, agents, representatives, and visitors accessing, using, or handling the University s information technology resources. Information transmitted or stored on University IT resources is the property of the University unless it is specifically identified as the property of other parties. 1.2 PRINCIPLES The University has chosen to adopt the policy principles established in the National Institute of Standards and Technology (NIST) 800 series of publications, and this policy is based on those guidelines. Specifically, this standard is based on guidelines in NIST SP Rev4, Recommended Security Controls for Federal Information Systems and Organizations. The Chancellor or equivalent at each Campus must designate an individual or functional position responsible for information security at their Campus (Position of Authority and/or Campus Authority). The Position of Authority should be at a high enough organizational level to allow him/her to speak with authority on and for the Campus. UTM must develop or adopt and adhere to a program that demonstrates compliance with policies and related standards. This standard is the responsibility of the Position of Authority. Each User of University resources is required to be familiar and comply with University policies. Acceptance of this policy is assumed if a User accesses, uses, or handles University resources. Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 2

4 1.3 REVISIONS Date Action Name 07/14/2006 Revised Will Turner 10/02/2006 Implemented (1.0) 05/2015 Revised (1.1) 08/29/2016 Update formatting, content (1.2) Brian Stubblefield 12/15/2016 Content (1.3) 01/06/2017 Corrections/suggestions from sysadmins (1.4) 01/10/2017 Password managers section (1.5) 02/21/2017 Suggestions from Security Team (1.6) 07/27/2017 Content and controls (1.7) 08/09/2017 Updates to password length and complexity (1.8) 09/05/2017 Renamed to standard, changes to wording and page numbering (1.9) 10/25/2017 Suggested changes from Amy, section numbering (1.10) 10/27/2017 Suggested changes, updates to retrieval and password managers sections (1.11) 11/27/2017 Approved (2.0) Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 3

5 2.1 OBJECTIVE This policy contains requirements and recommendations for all system passwords, including servers, workstations, and network devices, for UTM. Each user and/or administrator is required to implement the system password definitions listed in this document. 3.1 STANDARD 3.2 PROTECTION Passwords must never be written down or recorded. No user should ever share or divulge their password to anyone. Each user is accountable and responsible for any action taken with that user's username and password. No university employee or administrator should ever ask a user for their password, and if such an action takes place, the user should not reveal it to anyone, no matter how plausible the reason. Any password that is known to be compromised or suspected to be compromised must be changed immediately. 3.3 LENGTH Password length is one of the main factors that determines password strength. All passwords must be a minimum of twelve (12) characters (IA-5). 3.4 SELECTIONS Easy to guess words, such as single dictionary words, university name, product or service names, the user's proper name or username, must not be used at any time. Strong passwords should include at least three of the following characteristics (IA- 5): At least one numeric character At least one special character #, $, <space>, etc.), At least one lower case character At least one upper case character. Passwords issued for temporary accounts, password resets, and locked out IDs, must also conform to this standard. Passwords issued for automated, service, system, and other accounts not requiring a regular login must conform to a stricter standard. At minimum, they should contain at least 3 unrelated random words, 3 numbers, and one special character. Single dictionary words and short words with substituted characters do not make good passwords even though they meet the complexity requirements. Examples of bad passwords include: Abbreviation! Fa$t4Ward P@ssW0rd Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 4

6 Examples of strong passwords (longer passwords are more secure): Random, unrelated words with numbers and special characters can be hard to recall: Lighter:vowel~Immigrant85* SpendGovernEveningWhose4764= Randomly generated character strings are hardest to recall: A83dXD8*X5$3tSd 3A^6yS6sT3P8QAta*r The strongest and easy to recall, is a passphrase: This is my 8th random sentence? The balanced crusader angelfish recoiled. Don t implement promises, but keep them! DO NOT use any of the previous examples as your password. 3.5 EXPIRATION All passwords generated within UTM for access to Internal Use Only or Proprietary information must be set to expire at a maximum of every 180 days. Passwords used for privileged accounts on information systems must be set to expire at a maximum of 90 days. Passwords generated within UTM for access to Confidential information must be set to expire at a maximum of every 60 days. Passwords issued for temporary accounts, password resets, and locked out IDs must all be reset to expire immediately so the user will be forced to change their passwords at their first login opportunity (IA-5). 3.6 UNIQUENESS Where technically feasible, a history of at least ten (10) passwords must be kept within the system for each password generated (IA-5). This uniqueness forces users to create a new password that is unique over a longer time period WORK AND PERSONAL SEPARATION Users should never use the same passwords between university/work and personal accounts. This creates the risk of unauthorized parties gaining access to university systems. Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 5

7 3.6.2 RECOMMENDATION It is highly recommended that users implement unique passwords for each account (IA-5). It is common practice for threat actors to try compromised credentials in multiple services to gain access to additional accounts. Never reuse credentials that have been compromised. 3.7 ACCOUNT LOCKOUT An account will be locked out after thirty (30) bad password or login attempts in fifteen (15) minutes (AC-7). The account will remain locked for fifteen (15) minutes once it is locked. 3.8 COMPROMISED DEFAULT PASSWORDS If a users default credentials are compromised, the flag must be set on their account to block it being reset to the default in the portal. 3.9 DISPLAY AND PRINTING The display and printing of passwords must be masked, suppressed, or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them (IA-6) CRACKING Users must not attempt to "break", "hack", "crack", or otherwise determine another users' password. This applies to passwords for students, faculty, staff, friends and accounts on systems reached through the Internet ENCRYPTION For security purposes, passwords used for access to proprietary or confidential information will not be sent across the network in 'clear text' format. Passwords used for access to proprietary or confidential information must not be listed in clear text for the purpose of automating a login sequence. All passwords must be stored in an encrypted format by the OS, DBMS, or application. NOTE: All encryption methods and technology must comply with any international regulations governing this technology RETRIEVAL Computer and communication systems must be designed, tested, and controlled to prevent the retrieval of stored passwords, whether they appear in encrypted or plain text form. Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 6

8 3.13 INFORMATION SYSTEM INSTALLATION Default authenticators must be changed upon information system installation, by requiring developers and/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and/or installation (IA-5) EXCEPTIONS Some systems may not be able to comply with this policy due to restrictions of password length or unsupported characters. For these systems, an exception must be noted and approved by the Security Team APPROVED PASSWORD MANAGERS The use of a password manager is allowed and encouraged for securely generating and recalling strong, unique passwords and passphrases. The following password managers have been approved for use with required authentication requirements: LastPass, 1Password (online) o Must have complex password with at least sixteen (16) characters o Must use Two-Factor Authentication (2FA) KeePass, KeePassX (local) o Must have complex password with at least sixteen (16) characters o Must require a key file that is stored separately from the database file Others not listed must be approved by the Security Team before implementation. 4.1 MANDATORY CONTROLS Mandatory security controls are University-wide controls that are required to be consistently designed, implemented, monitored, and assessed. Authenticator Management (IA-5): Enforces/Requires: o Minimum password complexity o Minimum and maximum lifetime restrictions, prohibits password reuse o Immediate changes to temporary passwords o Changing default authenticators upon information system installation o Having different authenticators on all systems to manage the risk of compromise due to individuals having accounts on multiple information systems Authenticator Feedback (IA-6): Critical information systems must obscure feedback of authentication information during the authentication process to protect the information from possible unauthorized use. Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 7

9 5.1 DISCRETIONARY CONTROLS Discretionary Controls are security controls whose scope is limited to a specific campus, institution, or other designated organizational component. Discretionary Controls are designed, implemented, monitored, and assessed within that organizational component. Discretionary controls must not conflict with or lower the standards established by Mandatory Controls. Unsuccessful Login Attempts (AC-7): Enforces a limit of consecutive invalid logon attempts by a user during a specified time period. 6.1 REFERENCES NIST SP Rev4 - Recommended Security Controls for Federal Information Systems and Organizations NIST SP B Digital Identity Guidelines - Authentication and Lifecycle Management, Appendix A Strength of Memorized Secrets IT0132 Identification and Authentication 7.1 DEFINITIONS Cracking - Refers to using various methods to reveal a password with the intent of accessing a computer, system, or service to which one is not authorized. Encryption - The process of converting information or data into a special form to prevent unauthorized access. Password - A string of characters that must be supplied by a user in order to gain access to a computer, computer system, or electronic device. Also referred to as a Memorized Secret. Password Manager - An application used to organize, encrypt, and generate passwords. Threat Actor - An entity, internal, external, or partner, that is partially or wholly responsible for an incident that impacts, or has the potential to impact, the safety or security of another entity, person, or organization. Two-Factor Authentication (2FA) - A method of confirming a user's claimed identity by requiring a combination of two different components, which includes something you know (password, PIN), something you have (smart card, token), and something you are (biometrics). Effective Date: 10/02/2006 Last Review: 11/27/2017 Next Review: 11/2018 Page 8