I.T. and Media Services
Roehampton University Network Account Password Policy

Table of Contents
1. Purpose
2. Scope
3. Responsibilities
4. Password procedures
   a. Keeping passwords secret
   b. Password renewal/expiration
   c. Password history
   d. Account lockout
   e. What if a password is compromised
   f. Inactivity triggers for password-protected screen savers
5. Password construction and protection guidelines
6. Enforcement
7. Other

1. Purpose

The purpose of this document is to establish a standard for strong user accounts via the creation and maintenance of strong passwords, and to define the ownership of, and responsibility for, these accounts so that they are protected from misuse by others. It forms part of the University Data Protection Policy, which is reproduced as Chapter Five of the University's Data Protection Handbook.

This procedure and its criteria reflect in large measure the capabilities of Microsoft® Windows network accounts, as University systems will increasingly be modified to use them for authentication rather than maintaining separate accounts and passwords for each system.

2. Scope

This procedure applies to every person who has, or is responsible for, an account on a Roehampton University system or network at any time or location. It applies to all students and staff, including part-time and visiting lecturers, continuing and distance education students, and other University affiliates. This includes:

- all system- or supervisor-level accounts (e.g. system or application administration accounts used by administrators in I.T., system 'super users' throughout the University, or external partners or vendors supporting our systems);
- all accounts on systems which cannot be integrated to use network accounts to validate access. For these systems, it is the responsibility of the system administrator or 'super user' (as applicable) to ensure that, as far as practicable, this procedure is complied with.

Page 1 of 7
© Roehampton University - 2009


3. Responsibilities

It is the responsibility of every person who has, or is responsible for, one or more accounts on a Roehampton University system or network to make every effort to protect them from misuse.

Unless the I.T. Helpdesk has been alerted that an account has been compromised, the 'owner' or person responsible for the account will be considered responsible for all network and system activity performed under the privileges of the account.

Account 'owners' are responsible for ensuring passwords are changed before they expire. Account owners will be warned of password expiration 14 days in advance.

4. Password Procedures

The following procedures will help ensure that University data is protected by the effective use of passwords.

All University computers and portable devices that contain or provide access to University data should be secured with passwords whenever possible. This includes PDAs, BlackBerrys and University laptops. More generally, staff and students should lock their computers when they are not in active use and should log off completely if they are going to be away from their computers for any substantial time.

a. Keeping passwords secret

Passwords and pass phrases should be treated with as much care as the information that they protect (which may include personal data).

They should not be revealed to anyone, not even I.T. staff. Members of I.T. should never ask for anyone's password. If they require access to an account, they will ask permission from the 'owner' to reset the password and, once finished, inform him/her of the new password and set the account to force a password change when the 'owner' next logs in. This ensures that at any time only the 'owner' or I.T. (never both) know the current password and are able to access the account.

Recording passwords should be avoided. If this cannot be avoided, care should be taken over where the written or recorded passwords are kept: such records must be stored at least as securely as the information the passwords protect, and should be destroyed as soon as possible.


Do not provide your password over email or in response to an email request. Any e-mail, whether it appears internal or external, that requests your password or asks you to go to a web site to verify your password is almost certainly a fraud (phishing) and should be reported to the I.T. Helpdesk. To repeat, I.T. will never ask for your password.

Change your passwords regularly. Password changes for University network accounts are forced in accordance with this procedure; however, you can change them more frequently if you wish. Guidelines on how to do this are available on the Student Zone I.T. web pages.

If a line manager needs to log in as one of their members of staff, I.T. will require Pro Vice Chancellor-level authorisation before the password for the account can be reset and the details supplied.

There will be a few scenarios where accounts and passwords may justifiably need to be shared, e.g. test or training accounts on non-production environments, to facilitate system development, testing or training. In such situations, it is the responsibility of the administrators or 'super users' of those systems to mitigate deviations from this policy in a responsible and sensible manner.

b. Password renewal/expiration

Passwords will, wherever possible, be set to expire after 90 days, and systems will begin warning users of the pending expiration 7 days in advance.

c. Password history

Twenty password changes are required before a previously used password can be re-used.

d. Account lockout

Account lockout threshold: 5 unsuccessful log-on attempts. Thereafter the account will lock, preventing further attempts to log on. The account will be unlocked automatically by the system after 30 minutes, or earlier on request to the I.T. Helpdesk, who will require verification of the identity of the requestor. The automatic unlock also limits the disruption if someone deliberately enters wrong passwords to lock another user out of their account.

e. What if a password is compromised

If you suspect your network account has been compromised, change the password immediately and inform the I.T. Helpdesk of the incident and the circumstances.


f. Inactivity triggers for password-protected screen savers

Where feasible and practical, ITMS will ensure all University machines are protected in one of the following ways:

- on staff machines, after 15 minutes of inactivity, a password-protected screen saver will be activated;
- on open access machines, after 10 minutes of inactivity a password-protected screen saver will be activated and then, after a further 20 minutes of inactivity, the user will be automatically logged off the computer.

5. Password construction and protection guidelines

Roehampton University will enforce the following password construction policy for network accounts:

- Passwords must contain characters from three of the following four categories, and the system will not allow you to create a password which does not meet or exceed these criteria:
  o Upper case letters: A through Z
  o Lower case letters: a through z
  o Numerals: 0 through 9
  o All non-alphanumeric characters, such as ! @ # % $ and the space
- Minimum password length: 8 characters. Maximum length is approx. 127 characters, allowing pass phrases (see guidelines below for examples) to be used.

Password construction guidelines [1]

[1] Guidelines drawn from 'Strong passwords: How to create and use them' - Microsoft: http://www.microsoft.com/protect/yourself/password/create.mspx

A strong password should appear to be a random string of characters to anyone other than the 'owner'. The following criteria may assist in developing strong, memorable passwords.

Make it lengthy. Each character added to a password multiplies the number of possibilities an attacker has to try. This policy requires passwords to be 8 or more characters in length; 15 characters or longer is ideal. To ease the burden of re-entering account details, I.T. will increasingly facilitate automatic access (single sign-on) to systems (except for specifically identified sensitive systems such as HR, Finance etc.), based on the account initially used to log on to your machine or to the staff or student portals (MyZone).

University network accounts allow the use of the space bar in passwords, so they can comprise a phrase made of many words (a "pass phrase"). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess.

Combine letters, numbers, and symbols. The greater the variety of characters in the password, the harder it is to guess. Other important points to consider include:

- The fewer types of characters in the password, the longer it must be, as each additional character multiplies the number of possibilities. A 15-character password composed only of random letters and numbers has roughly 10^11 (a hundred billion) times as many possible combinations as an 8-character password composed of characters from the entire keyboard (62^15 against 95^8). If, due to system limitations, a password that contains symbols cannot be created, it needs to be considerably longer to get the same degree of protection. An ideal password combines both length and different types of characters.
- Use the entire keyboard, not just the most common characters. Symbols typed by holding down the "Shift" key and typing a number are very common in passwords. Passwords will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.

Use words and phrases that are easy for you to remember, but difficult for others to guess.

Create a strong, memorable password in 3 steps

Use these steps to develop a strong password:

1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a line in a poem or a memorable sentence, such as "My son Aiden is three years old."

   NOTE: Systems NOT integrated to use University network accounts for access may not support lengthy passwords or the space bar. For these, convert the sentence to a password: take the first letter of each word of the sentence you have created to form a new, nonsensical word. Using the example above, you would get "msaityo".


2. Add complexity by mixing upper and lower case letters, numbers and special characters to meet or exceed the complexity requirements. It is valuable to use some letter swapping or misspellings as well. For instance, in the pass phrase above, consider misspelling Aiden's name, or substituting the number 3 for the word "three". There are many possible substitutions, and the longer the sentence, the more complex your password can be. Your pass phrase might become "My SoN Ayd3N is 3 yeeRs old." If the computer or online system will not support a pass phrase, use the same technique on the shorter password. This might yield a password like "MsAy3yo".

3. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of "MySoN 8N i$ 3 yeeR$ old" or, for systems that do not integrate with network accounts, a password (using the first letter of each word and adding appropriate extra character(s) to meet the minimum length) "M$8ni3y0".

Password strategies to avoid

Some common methods used to create passwords are weak and easy to break by determined individuals. To avoid weak, easy-to-guess passwords:

- Avoid sequences or repeated characters. "12345678", "22222222", "abcdefgh", or adjacent letters on your keyboard do not help make secure passwords.
- Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as replacing an 'i' with a '1' or an 'a' with '@', as in "M1cr0$0ft" or "P@ssw0rd"; cracking tools apply these substitutions automatically. Such substitutions can still be effective when combined with other measures, such as length, misspellings, or variations in case.
- Avoid your login name, any part of your name, your birthday, social security number, or similar information about your loved ones. This is one of the first things criminals will try.
- Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes profanity and slang.


- Do not use the same password for non-Roehampton accounts (online banking, Facebook etc.). If any one of the systems using that password is compromised, all of your other information protected by the same password should be considered compromised as well.
- Avoid storing passwords electronically, for example in a plain text file, a document or an e-mail. If malicious users find these passwords stored online or on a networked computer, they have access to all of your information.

6. Enforcement

Any employee found to have violated this policy will be subject to disciplinary action in line with HR policies.

Any student found to have violated this policy may be subject to disciplinary action in line with the Student Code of Conduct.

7. Other

All systems unable to be integrated to use network accounts will comply as closely as possible with these 'rules'.
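Added worked example (not part of the Roehampton policy document and not the University's own code): the script below encodes the construction policy from section 5 (three of four character categories, 8 to 127 characters, space permitted) together with the checks a self-service password page could add for the "Password strategies to avoid" list, and computes the search-space comparison behind the 15-character versus 8-character claim in the guidelines. The four-character run length, the keyboard rows, the look-alike table, the tiny word list, the `personal` tokens and the sample passwords are all assumptions made for illustration.

```python
"""Checker for the password construction policy (section 5) and the
'strategies to avoid' list. Added example, not the University's own code.
The run length, keyboard rows, look-alike table and word list below are
assumptions made for illustration; a real deployment would load a full
dictionary file and the user's directory attributes."""
import math
import re
import string

MIN_LENGTH = 8        # policy: minimum 8 characters
MAX_LENGTH = 127      # policy: maximum approx. 127 characters
MIN_CATEGORIES = 3    # policy: three of the four character categories

# Assumed keyboard rows used to spot adjacent-key runs such as "qwer".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Assumed look-alike substitutions that cracking tools undo automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed word list standing in for a real multi-language dictionary.
DICTIONARY = {"password", "microsoft", "roehampton", "welcome",
              "letmein", "summer", "qwerty"}


def categories_present(pw):
    """Return the set of policy categories used: upper, lower, digit, symbol.
    Anything that is not a letter or digit (the space included) is a symbol."""
    cats = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.digits:
            cats.add("digit")
        else:
            cats.add("symbol")
    return cats


def has_run(pw, n=4):
    """True if any n consecutive characters are identical, form an ascending or
    descending sequence ("abcd", "4321") or sit next to each other on a key row."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if len(set(chunk)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def dictionary_based(pw):
    """True if, after undoing look-alike substitutions and dropping non-letters,
    the password starts or ends with a dictionary word or is one reversed."""
    core = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if not core:
        return False
    return any(core.startswith(w) or core.endswith(w) or core == w[::-1]
               for w in DICTIONARY)


def contains_personal(pw, personal):
    """True if any personal token (login name, name, birth year, ...) of at
    least three characters appears in the password, substitutions undone."""
    low = pw.lower().translate(LEET)
    return any(p.lower() in low for p in personal if len(p) >= 3)


def check_password(pw, personal=()):
    """Return a list of findings; an empty list means the password is acceptable.
    The first three checks are what the network itself enforces; the rest are
    the guideline checks a self-service password page could add."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        findings.append("longer than %d characters" % MAX_LENGTH)
    if len(categories_present(pw)) < MIN_CATEGORIES:
        findings.append("fewer than %d of the 4 character categories" % MIN_CATEGORIES)
    if has_run(pw):
        findings.append("repeated, sequential or keyboard-adjacent run")
    if dictionary_based(pw):
        findings.append("based on a dictionary word (look-alike substitutions undone)")
    if contains_personal(pw, personal):
        findings.append("contains personal information")
    return findings


def search_space_bits(length, alphabet_size):
    """log2 of the number of random strings of this length over the alphabet:
    an upper bound on strength that assumes every character is chosen uniformly."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    samples = ["P@ssw0rd", "12345678", "Qwerty1!", "M$8ni3y0",
               "MySoN 8N i$ 3 yeeR$ old"]   # constructed sample passwords
    for pw in samples:
        print("%-26r %s" % (pw, check_password(pw, personal=["aiden"]) or "OK"))
    # 15 random alphanumerics (62^15) against 8 full-keyboard characters (95^8)
    gap = search_space_bits(15, 62) - search_space_bits(8, 95)
    print("15 alphanumerics beat 8 keyboard characters by a factor of 2^%.1f" % gap)
```

Run the script directly to see the findings for the sample passwords; `check_password` is the function a password-change page would call before accepting a new value, and `dictionary_based` is why "P@ssw0rd" fails even though it satisfies all four character categories. The search-space figure is an upper bound only: a pass phrase built from ordinary words has far fewer possibilities than 62 to the power of its length, which is why the guidelines above add misspellings, case changes and symbols on top of length.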
