III-2a University Password Policy

Overview

Version 1.00
Last Revision Date: March 16, 2012
Approval Date: October 16, 2008
Approval Authority:  Case Chief Information Officer

Case Western Reserve University relies significantly upon the use of university-provided credentials (Case "Network ID" and password) to provide authentication for access to online IT resources.   In particular, passwords constitute the first line of a layered defense program as the 'keys' users have to gain access to university information and information systems.  The risk of compromise of these authentication credentials used by the university community leads to an increased impact on the confidentialiy, integrity, and availability of IT systems and information.  All users are bound by the Acceptable Use of IT and Computing Resources Policy (AUP) to take appropriate measures, as described in this policy, to create and secure thier passwords.

Purpose

The purpose of this policy is to establish minimum standards for protection, complexity (strength), protection, and refresh interval for university passwords.  The applicaton of individual accountability and the principle of least privilege are applied in this policy.

Scope

This policy applies to all university users who have or are responsible for user and system accounts in Case IT systems that store or process Internal Use or Resricted information.

This policy applies to all IT systems managed and operated by the Case faculty, students,  staff, term staff under contract employment, and affilates.  This policy may apply to certain non-ITS systems accounts that provide access to sensitive University information and information systems where the exposure to impact would have significant negative impact on University operations.

This policy does not apply to password-protected files, encryption key passphrases, or local accounts that do not interface with Case authentication systems.

Cancellation

Not applicable.

Policy Statement

Individual Accountability

All users of Case IT systems are individually assigned a Credentials (Case Network ID and password) for the purpose of identification for access to online systems.  In accordance with the Case Acceptable Use Policy, users are individually accountable for activities performed with their credentials.

Password Security

All production system level passwords for Internal Use or Resricted data must be part of the University's centrally administered account management system (e.g. integrated into LDAP or Case Active Directory).  Passwords for Case systems should not be identical to those used for personal online accounts.

Password Strength Requirements

User and system level passwords shall be constructed in a manner that minimizes the likelihood of password guessing or brute force attacks.

Passwords with strength and complexity have the following characteristics:

• Are at least eight alphanumeric characters long; is a passphrase. Suggested length is 12-15 characters. A passphrase example is "Ohmy1stubbedmyt0e".
• Consist of at least three of these four categories
• lowercase letters
• uppercase letters
• numbers (0-9)
• punctuation special characters (!@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, or resemble your network ID, or other information that could be guessed, etc.
• Are easy to for you alone to remember.  To create passwords that can be easily remembered, use the basis of something you know well, such as a song title, affirmation, or other phrase.  For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

Password Refresh (Age)

Passwords shall be refreshed periodically to reduce the impact of disclosure due to undected theft of passwords or the sharing of passwords.

• All user-level passwords (e.g., email, web, desktop computer, etc.) for users with access to Tier II information systems must be changed such that the maximum password age will be 365 days (annual changes).  The recommended change interval is every semester.
• All user-level passwords (e.g., email, web, desktop computer, etc.) for users with access to Tier III information systems must be changed such that the maximum password age will be 180 days.  The recommended change interval is quarterly.

The maximum password age for system level passwords (e.g. root, domain administrator, application administrative accounts, local admin accounts, etc. ) is 365 days.  This applies to all information Tiers (Tier I, II, and III).

For systems that support password history management, the minimum standard is for 5 generations of password changes in the password change cycle.

Passwords may be changed on a more frequent basis depending upon departmental practices and risk to the information managed, processed, or stored.  The recommended minimum password age is 1 day.

Upon turnover of staff (change of personnel, rotation of job duties, etc.), system level passwords that are affected by such turnover will be changed within 30 days of the staff turnover.  If extenuating circumstances exist, a risk-based decision will be coordinated between the appropriate Department Manager/Business Officer and the Chief Information Security Officer.

If the account credentials of a user or system are suspected to have been disclosed or otherwise compromised, the user shall immediately take steps to change and protect the password.

Technical measures may be implemented to ensure compliance with password lifetimes.

If a policy conflict occurs between various Case departments, the smaller value of the maximum password age shall apply.

General Password Protections for Network Logins

User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.

Authentication mechanisms shall use encryption (e.g. SSL or TLS) to protect the login session.

Passwords must not be inserted into email messages or other forms of electronic communication without adequate protection (e.g. end-to-end encryption) of the credentials.

Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively.  A keyed hash must be used where available (e.g., SNMPv2).

Applications that request a user ID and password shall not display the password in the data entry field.

Operational Security Standards for Password Use

Do not use the same password for Case accounts as for other non-Case access (e.g., personal ISP account, online stock trading, benefits, etc.).  Where possible, don't use the same password for various Case access needs. The use of Case Single Sign On will reduce the number of accounts you need to track, but will make your Case account more valuable to protect.

Do not share Case passwords with anyone, including administrative assistants or secretaries.

All passwords are to be treated as sensitive, Tier III information.

Here is a list of "dont's":

• Don't reveal a password over the phone to ANYONE
• Don't reveal a password in an email message
• Don't reveal a password to your supervisor or manager
• Don't talk about a password in front of others
• Don't hint at the format of a password (e.g., "my family name")
• Don't reveal a password on questionnaires or security forms unless you are certain they site is a valid Case site.
• Don't share a password with family members: you are individually responsible for what is done with your account
• Don't reveal a password to co-workers while on vacation

If someone demands a password, refer them to this policy or refer them to the Case Information Security Office(security@case.edu).

Do not use the "Remember Password" feature of applications  (e.g., Eudora, OutLook, Netscape Messenger).

Notifications of Changes: Case IT staff will notify potentially affected end-users of IT systems approximately 10-30 days prior to the implementation of a system level password change.

Auditing: An audit cycle will be initiated within 30 days of the close of the password change cycle on selected events to identify the level of compliance and potential risk mitigation.

Definitions

Compromise- when anyone other than the assigned user knows the users's credentials.

Credentials- the combination of a Network UserID (e.g. abc123) and a password

Kerberos principal- the underlying Network authentication mechanisms in the ITS authentication infrastructure that the credentials use for authentication.

Password lifetime- the time, in days, that a password is in effect.  A minimum password lifetime of one day will mean that a user must wait until the next calendar day before it can be changed (a technical control to prevent password 'recycling'). A maximum password lifetime of 180 days is the time interval after which the password must be changed.

Policy conflict- when one policy counters another policy. In this case, if localized requirements demand changing passwords on a 30 day maximum password lifetime, this shorter time frame will take precedence over the 180 day requirement.

Responsibility

Managers and supervisors are responsible for implementation, adherence, and feedback regarding this policy.

All faculty, staff, students, and affiliates are responsible for the protection of their credentials. The standard which Case sets in this policy speaks to the educational community in general about the importance of stewardship and protection of the Tier II data.

Policy Review Cycle

This policy will be reviewed every two years on the anniversary of the policy effective date, at a minimum. The policy may be reviewed on a more frequent basis depending on changes of risk exposure.