POLICY TITLE:

HMC Password Policy

POLICY STATUS:

Effective November 16, 2011

POLICY ADDRESS:

http://goo.gl/pKiHd 

POLICY PURPOSE:

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of password changes.

APPLIES TO:

All users, including contractors and vendors with access to Harvey Mudd College systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The CIO/Vice President for Computing and Information Services is responsible for ensuring policy compliance on systems that are owned or managed by CIS. Vice Presidents and Department Chairs are responsible for ensuring policy compliance within their respective areas.

POLICY STATEMENT:

Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access to network resources and local devices.

 

A poorly chosen password may result in the compromise of College systems, data, or the network.  Therefore, all who hold accounts on HMC systems are responsible for taking appropriate steps, as outlined in Appendix A, to select strong passwords and protect them.  

College faculty, staff or students making use of third party systems to conduct College business on a regular basis, such as Jenzabar CX (managed by Pomona College), DirectorsDesk, Facebook, Formstack, Slate, Gmail, Office365 etc, are advised to select strong passwords for those systems.

For HMC systems, the following apply:

  1. Passwords used by System Administrators for their personal access to a service or device should not be the same as those used for privileged access to any service or device.
  2. Passwords must be checked for compliance with this policy at least once every year. Non-privileged account passwords on server systems controlled by CIS will be configured to force a check every 365 days. If a password meets complexity requirements, it will not need to be changed.
  3. No default passwords shall remain in effect after the required initial usage.  Default passwords are those that are vendor supplied with hardware or software, or are system generated.
  4. Users should not share or allow another person to use an individual account password. Occasionally, it is necessary to have shared accounts with shared passwords (for example, shared calendar accounts). However, this practice should be avoided when possible.
  5. Passwords for HMC systems should not also be used for personal services unrelated to work (e.g. Bank accounts or personal Facebook accounts) as this increases the likelihood that the HMC system could be compromised.

COMPUTING AND INFORMATION SERVICES RESPONSIBILITY:

  1. CIS should identify situations where higher security is required, and consult with the relevant Vice President or Department Chair to ensure that appropriate measures are in place.
  2. In addition to annual reminders about this policy, CIS is responsible for providing educational materials regarding security and password management.
  3. CIS should conduct annual audits of servers under its management to verify that password controls are effective.
  4. Passwords should only be used over secure protocols Unencrypted protocols (such as telnet, FTP, or HTTP without SSL) should not be used in conjunction with plain-text passwords.  System administrators should avoid enabling insecure protocols.
  5. CIS should ensure that Identity and Access Management systems promote the use of strong passwords.

EXCLUSIONS OR SPECIAL CIRCUMSTANCES:

Systems or services that, for technical reasons, cannot meet the minimum complexity standards must be documented and secured as much as possible. Serious consideration should be given to whether they need to be connected to the network at all. Whenever possible they should be isolated behind firewalls and network access controls.

CONTACTS:

Responsible Office: Vice President for Computing and Information Services

Contact: Computing and Information Services  helpdesk@hmc.edu

APPROVED BY:

HMC President’s Cabinet

APPROVED ON:

November 16, 2011

EFFECTIVE ON:

November 16, 2011

REVIEW CYCLE:

Annual

 

BACKGROUND:

The format and much of the content of this policy are based on documents available in the University of Kansas Policy Library as well as the SANS Institute password policy.

RELATED DOCUMENTS:

Policies: Claremont Appropriate Use Policy  http://goo.gl/xYS7e

Other:  CIS report on Password Manager tools http://goo.gl/Oew5k 

REVIEW/CHANGE HISTORY:

07/17/2014: Joseph Vaughan; created Appendix A for password requirements and guidelines

7/17/2014: Joseph Vaughan;  made stylistic updates to all sections; separated out CIS responsibilities and placed specific password guidelines in a separate appendix.  The President’s Cabinet approved this version on 7/23/2014.

12/10/2012: Joseph Vaughan; updated to change “punctuation characters” to “special characters”

8/10/2012: Joseph Vaughan; Updated to include links to

Appropriate Use Policy and Report on Password Managers.

<mm/dd/yyyy: Approved by; Short description of action>

APPENDIX A.  Minimum Complexity Requirements and Guidelines for Creating Strong Passwords

The following are minimum requirements for strong passwords, and should be regarded as a guide to choosing strong passwords and avoiding weak ones.  

  1. All passwords should meet the following minimum password complexity standards. The password should:
  1. Contain 10 or more characters, at least one of which comes from the English alphabet.
  2. Contain one or more numeric characters (i.e., 0-9)
  3. Contain one or more special characters (e.g.: ~!@#$%^&*(){}|:”<>?,./[] )
  1. Weak passwords may have some of the following characteristics and accounts that use them are easily compromised:
  1. Passwords that exactly match words found in a dictionary or which match easy substitutions for dictionary words (e.g.,’ !’ for  ‘i’, or’ 0’ for’ o’, ‘t3st’).
  2. Passwords that exactly match phrases or subphrases in the user’s personal information
  3. Passwords that are the default password as provided by the system or service
  4. Passwords that match the network name of the user's computer
  5. Passwords that match the user’s username
  6. Any of the above spelled backwards.
  7. Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
  1. Phrases or sentences make better passwords than single words.
  2. Intel’s password strength testing site may offer ideas for devising strong passwords: https://www-ssl.intel.com/content/www/us/en/forms/passwordwin.html
  3. If a system or application has the ability to do so, an account should be locked for 15 minutes after three failed login attempts.