Password Policy

Op12.07-16 Password Policy

Policy statement

Passwords are an important aspect of information security. A poorly chosen password may facilitate unauthorized access and/or exploitation of Missouri State University's resources. All users, including contractors and vendors with access to Missouri State University systems, are responsible for taking the appropriate steps where feasible, as outlined below, to select and secure their passwords.

All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) should be changed on at least a quarterly basis.

All user-level passwords (e.g., email, web, desktop computer, etc.) should be changed at least every six months.

User accounts that have system-level privileges granted through group memberships or programs such as "sudo" should have a password that is different from the password of every other account held by that user.

Where SNMP is used, the community strings should be defined as something other than the standard defaults of "public," "private" and "system" and should be different from the passwords used to log in interactively. SNMPv1 and SNMPv2c send the community string in clear text, so keyed-hash authentication (SNMPv3 user-based security) should be used where available.

Where feasible, user-level and system-level passwords should conform to the guidelines described below.

General password construction guidelines

All users at Missouri State University should be aware of how to select strong passwords.

Strong passwords have the following characteristics:

  • Contain at least three of the five following character classes:
    • Lower case characters
    • Upper case characters
    • Numbers
    • Punctuation
    • "Special" characters (e.g., #$&*_+|~-=`{}[]:";'/<> etc.)
  • Contain at least fifteen alphanumeric characters.
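The two rules above are easy to encode as a check that a registration form or account-provisioning script can run before accepting a password. The following is an added example, not part of the policy; it assumes that "fifteen characters" means total length, and, because the policy does not define which characters count as "punctuation" rather than "special", it treats sentence punctuation (`.,;:!?`) as the punctuation class and the characters listed under "special" as the special class. Anything else (spaces, non-ASCII letters) counts toward length but toward no class.

```python
"""Check a candidate password against the construction guidelines.

Added example (not part of the policy). The class definitions below are an
interpretation: the policy lists the classes but does not define their exact
membership, and "punctuation" and "special" overlap in ordinary usage.
"""
import string

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    # Assumed split between the two non-alphanumeric classes (see lead-in).
    "punctuation": set(".,;:!?"),
    "special": set("#$&*_+|~-=`{}[]\"'/<>@%^()\\"),
}
MIN_LENGTH = 15     # "at least fifteen characters" (read as total length)
MIN_CLASSES = 3     # "at least three of the five character classes"


def character_classes(password: str) -> set:
    """Return the names of the character classes present in password."""
    return {
        name for name, members in CHARACTER_CLASSES.items()
        if any(ch in members for ch in password)
    }


def check_password(password: str) -> list:
    """Return a list of guideline violations; an empty list means it conforms."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(
            f"too short: {len(password)} characters, policy requires {MIN_LENGTH}"
        )
    present = character_classes(password)
    if len(present) < MIN_CLASSES:
        problems.append(
            f"only {len(present)} character class(es) present "
            f"({', '.join(sorted(present)) or 'none'}), policy requires {MIN_CLASSES}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; none of these are real passwords.
    for candidate in ["correct horse battery staple", "Tr0ub4dor&3", "Midnight-Lantern-47!"]:
        print(repr(candidate), check_password(candidate) or "conforms")
```

Note that a password can satisfy both rules and still be weak (a long, well-known phrase, or a dictionary word padded with "123!"); the check enforces the policy's floor, and the enforcement section below describes the cracking exercises that catch what a class-and-length check cannot.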

Password protection standards

Use different passwords for Missouri State University accounts and other non-Missouri State University access (e.g., personal ISP account, option trading, benefits, etc.).

Use different passwords for various Missouri State University access needs whenever possible. For example, select one password for systems that use directory services (e.g., LDAP, Active Directory, etc.) for authentication and another for locally authenticated access.

Do not share Missouri State University passwords. All passwords are to be treated as restricted Missouri State University information and used only by the individual account holder.

Passwords should never be written down or stored online without encryption.

Do not reveal a password in email, chat, or other electronic communication.

Do not speak about a password in front of others.

Do not hint at the format of a password (e.g., "my family name").

Do not reveal a password on questionnaires or security forms.

If someone demands a password, refer them to this policy and notify the Information Security Officer.

If an account or password compromise is suspected, report the incident to the Information Security Officer.

Application development standards

Application developers should ensure their programs contain the following security precautions.

Applications:

  • Should support authentication of individual users, not groups.
  • Should not store passwords in clear text or in any easily reversible form; store only a per-user salted hash computed with a deliberately slow password-hashing function.
  • Should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
  • Should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval wherever possible.
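What "not in any easily reversible form" means in practice is shown by the following added example, which is not code from the policy or from any University application. It contrasts the common mistake of storing a bare, fast hash with a per-user salted hash from a memory-hard key derivation function (scrypt from the Python standard library, chosen here as one suitable function; the work factors and the `scrypt$n$r$p$salt$hash` record format are assumptions for the example).

```python
"""Storing and verifying passwords without keeping a reversible form.

Added example; not the policy's or any University application's code.
"""
import hashlib
import hmac
import os

# WRONG: an unsalted, fast hash. Two users with the same password get the same
# record, precomputed tables apply, and commodity hardware tests billions of
# candidates per second. Shown only as the "before" of the fix.
def insecure_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Work factors (assumed for the example): 2**14 * 8 * 128 bytes = 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: scheme, work factors, salt and hash.

    A fresh 16-byte random salt is drawn for every record so that identical
    passwords produce different records; `salt` is a parameter only to allow
    deterministic tests.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        candidate = _derive(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        # Malformed record: treat as a failed login rather than raising.
        return False


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("incorrect horse", record))               # False
```

Because the record carries its own parameters, the work factors can be raised later and old records re-hashed at the user's next successful login, without a flag day. The same layout (scheme, parameters, salt, hash) is what the established formats such as Argon2 and bcrypt produce; if one of those libraries is already available to the application, prefer it over hand-rolled record handling.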

Use of passwords and passphrases for remote access users

Access to the Missouri State University networks via remote access should be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.
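The policy does not say which one-time password scheme is used, so the following added example (not the University's remote-access implementation) shows one common scheme, the time-based one-time password of RFC 6238, with both sides of the exchange: the client side that derives the six-digit code from a shared secret and the current 30-second step, and the server side that accepts the code only for the current step or its immediate neighbours and refuses to accept a code for a step it has already consumed, so that a code observed on the wire cannot be replayed. The secret below is the RFC 6238 test key, used here as constructed sample data.

```python
"""Time-based one-time passwords (RFC 6238) with replay-resistant verification.

Added example; not the University's remote-access code. Shared secret,
step size and window are assumptions for the example.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def time_step(at: float = None) -> int:
    now = time.time() if at is None else at
    return int(now // STEP_SECONDS)


def totp(secret: bytes, at: float = None) -> str:
    """Client side: the code for the current (or given) time step."""
    return hotp(secret, time_step(at))


class TotpVerifier:
    """Server side: one instance per enrolled user.

    Accepts codes for the current step plus `window` steps either side to
    tolerate clock skew, and remembers the highest step already used so the
    same code is never accepted twice.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_used_step = -1

    def verify(self, code: str, at: float = None) -> bool:
        current = time_step(at)
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_used_step:
                continue  # already consumed: a replay, or older than one we accepted
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    shared_secret = b"12345678901234567890"   # RFC 6238 test key (sample data)
    server = TotpVerifier(shared_secret)
    code = totp(shared_secret, at=59)          # client computes the code at t=59
    print(code, server.verify(code, at=59))    # 287082 True
    print(code, server.verify(code, at=59))    # 287082 False (replayed)
```

The shared secret must be protected like a password on both sides (encrypted at rest on the server, never sent in clear text during enrolment), and the window should stay small: each extra step doubles the number of codes an online guesser may match, so the login endpoint also needs rate limiting.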

Passphrases

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which may be known to all, and the private key, which is known only to the user. The private key is stored encrypted under the passphrase; without the passphrase to "unlock" it, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a longer version of a password, typically composed of multiple words. Because of its length, a passphrase is more resistant to brute-force and dictionary attacks than a single word, provided the words are chosen at random rather than taken from a well-known quotation or phrase.

A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters.

All of the rules above that apply to passwords also apply to passphrases.

Enforcement

The Information Security Officer or delegate may perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during these exercises, the user/owner will be required to change it.