POLICY TITLE:

HMC Password Policy

POLICY STATUS:

Effective November 16, 2011

POLICY ADDRESS:

http://goo.gl/pKiHd 

POLICY PURPOSE:

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password change.

APPLIES TO:

All users, including contractors and vendors with access to Harvey Mudd College systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The CIO/VP for Computing and Information Services is responsible for ensuring policy compliance on systems that are owned or managed by CIS. Vice Presidents and Department Chairs are responsible for ensuring policy compliance within their respective areas.


POLICY STATEMENT:

Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access to various network resources and local devices.


A poorly chosen password may result in the compromise of College systems, data, or the network. Therefore, all HMC students, faculty, and staff are responsible for taking the appropriate steps, as outlined below, to select appropriate passwords and protect them. Non-HMC students, contractors and vendors with access to College systems also are expected to observe these requirements.

College faculty, staff or students making use of third party systems to conduct College business on a regular basis, such as Jenzabar CX (managed by Pomona College), DirectorsDesk, Formstack, Admission Labs, Gmail, etc., are advised to select strong passwords for those systems.

For HMC systems, the following apply:

  1. Passwords used by System Administrators for their personal access to a service or device should not be the same as those used for privileged access to any service or device.
  2. Passwords must be changed at least once every year. Non-privileged account passwords on server systems controlled by CIS will be configured to reset every 365 days, starting August 2012.
  3. If a system or application has the ability to do so, an account must be locked for 15 minutes after three failed login attempts.
  4. All passwords must meet the following minimum password complexity standards. The password must:
     1. Contain 8 or more characters
     2. Contain one or more numeric characters (i.e., 0-9) and special characters (e.g., ~!@#$%^&*(){}|:"<>?,./[] )
  5. Weak passwords may have some of the following characteristics, and accounts that use them are easily compromised:
     1. Passwords that exactly match words found in a dictionary or which match easy substitutions for dictionary words (e.g., '!' for 'i', or '0' for 'o', as in 't3st').
     2. Passwords that exactly match phrases or subphrases in the user's personal information
     3. Passwords that are the default password as provided by the system or service
     4. Passwords that match the network name of the user's computer
     5. Passwords that match the user's username
     6. Any of the above spelled backwards.
     7. Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
  6. No default passwords shall remain in effect after the required initial usage. Default passwords are those that are vendor supplied with hardware or software, or are system generated.
  7. Users should not share or allow another person to use an individual account password. Occasionally, it is necessary to have shared accounts with shared passwords (for example, shared calendar accounts). However, this practice should be avoided when possible.
  8. Passwords for HMC systems should not also be used for personal services unrelated to work (e.g., bank accounts, MySpace or Facebook), as this increases the likelihood that the HMC system could be compromised.
  9. In situations where higher security is required, the relevant Vice President or Department Chair should ensure that appropriate measures are in place.
  10. In addition to annual reminders about this policy, CIS is responsible for providing educational materials and references to password management software.
  11. CIS will conduct annual audits of servers under its management to verify that password controls are effective.
  12. Passwords should only be used over secure protocols. Unencrypted protocols (such as telnet, FTP, or HTTP without SSL) should not be used in conjunction with plain-text passwords. System administrators should avoid enabling insecure protocols.
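The complexity standards and the weak-password characteristics above can be enforced at password-change time. The following checker is an added example written for this page; it is not HMC or CIS code and does not come from the policy itself. It assumes a small constructed word list and substitution table (a real deployment would use a full dictionary such as the one shipped with cracklib, plus a site-specific list of vendor default passwords), and it treats "personal information" as free-text strings supplied by the caller. It implements the 8-character, numeric and special-character rules, then tests the password, its reversal, its digit-stripped forms and its de-substituted forms against the dictionary, the username, the computer's network name, default passwords and the user's personal information.

```python
# Added example (not HMC/CIS code): checker for the password complexity rules
# and weak-password characteristics listed in the policy.
# DICTIONARY, SUBSTITUTIONS and the sample profile below are constructed stubs.

DICTIONARY = {"secret", "password", "welcome", "claremont", "summer"}

# "Easy substitutions" that are undone before the dictionary lookup (t3st -> test).
SUBSTITUTIONS = str.maketrans({
    "!": "i", "1": "i", "|": "i",
    "0": "o", "3": "e", "4": "a", "@": "a",
    "5": "s", "$": "s", "7": "t", "+": "t",
})

# Special characters as enumerated in the policy.
SPECIALS = set('~!@#$%^&*(){}|:"<>?,./[]')


def _candidate_forms(password):
    """Spellings of the password that the weak-password rules are applied to.

    Covers the policy's 'spelled backwards', 'preceded or followed by a digit'
    and 'easy substitutions for dictionary words' variants.
    """
    base = password.lower()
    forms = {base, base[::-1]}
    for form in list(forms):
        if len(form) > 1 and form[0].isdigit():
            forms.add(form[1:])
        if len(form) > 1 and form[-1].isdigit():
            forms.add(form[:-1])
    forms |= {form.translate(SUBSTITUTIONS) for form in list(forms)}
    return forms


def check_password(password, username, hostname="", personal_info=(), default_passwords=()):
    """Return the list of policy rules the password violates (empty list == acceptable).

    personal_info: free-text strings about the user (name, birth date, ...);
    a password equal to any phrase or subphrase of them is rejected.
    """
    problems = []

    # Minimum complexity standards (policy item 4).
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("no numeric character")
    if not any(ch in SPECIALS for ch in password):
        problems.append("no special character")

    # Weak-password characteristics (policy item 5).
    forms = _candidate_forms(password)
    if forms & DICTIONARY:
        problems.append("matches a dictionary word or an easy substitution for one")

    exact = {username.lower(), hostname.lower(), *(d.lower() for d in default_passwords)}
    exact.discard("")
    if forms & exact:
        problems.append("matches the username, the computer's network name or a default password")

    info = [text.lower() for text in personal_info]
    if any(form and form in text for form in forms for text in info):
        problems.append("matches a phrase or subphrase of the user's personal information")

    return problems


if __name__ == "__main__":
    # Constructed sample profile and candidate passwords.
    profile = dict(username="jsmith", hostname="jsmith-laptop",
                   personal_info=("Jane Q. Smith", "born 1990-04-12 in Claremont"),
                   default_passwords=("admin", "changeme"))
    for candidate in ("secret1", "P@ssw0rd1", "Jsmith1", "claremont9", "Tr0ub4dor&3x!"):
        verdict = check_password(candidate, **profile) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The checker returns every violated rule rather than stopping at the first, which is what a password-change dialog needs to give the user actionable feedback; a pluggable module such as pam_pwquality would be the usual place to wire this logic into a Linux login path.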

EXCLUSIONS OR SPECIAL CIRCUMSTANCES:

Systems or services that, for technical reasons, cannot meet the minimum complexity standards must be documented and secured as much as possible. Serious consideration should be given to whether they need to be connected to the network at all.

CONTACTS:

Responsible Office: Vice President for Computing and Information Services

Contact: Computing and Information Services, helpdesk@hmc.edu

APPROVED BY:

HMC President’s Cabinet

APPROVED ON:

November 16, 2011

EFFECTIVE ON:

November 16, 2011

REVIEW CYCLE:

Annual


BACKGROUND:

The format and much of the content of this policy are based on documents available in the University of Kansas Policy Library as well as the SANS Institute password policy.

RELATED DOCUMENTS:

Policies: Claremont Appropriate Use Policy  http://goo.gl/xYS7e

Other:  CIS report on Password Manager tools http://goo.gl/Oew5k 

REVIEW/CHANGE HISTORY:

8/10/2012: Joseph Vaughan; updated to include links to Appropriate Use Policy and Report on Password Managers.
12/10/2012: Joseph Vaughan; updated to change “punctuation characters” to “special characters”

<mm/dd/yyyy: Approved by; Short description of action>