IT Security Standard: Cal Poly Passwords

Brief Description:

Minimum password requirements to protect university information resources

Introduction:

This standard establishes minimum password requirements to protect university information resources.

Passwords are used on university devices and systems to facilitate authentication, i.e., helping ensure that the person is who they say they are. The security of university data is highly dependent upon the secrecy and characteristics of the password. Compromised passwords can result in loss of data, denial of service for other users, or attacks directed at other Internet users from a compromised machine. Compromised passwords can also result in the inappropriate disclosure of confidential data.

To protect against these risks, Cal Poly has adopted this password standard.

Scope:

This standard applies to all university information resources that use passwords to authenticate users. All passwords used to access Cal Poly systems must adhere to this standard unless technically infeasible. This standard covers departmental resources as well as resources managed centrally.   The term password is applied broadly and includes passphrases, digital keys, and other forms of credentials used to authenticate access to Cal Poly systems.

Information Technology Services provides enterprise authentication services that are in compliance with the password standard and used by most Cal Poly enterprise applications.  All systems and processes subject to this standard are encouraged to integrate with Cal Poly authentication services, or they must implement the password standards locally.

System administrators may choose to implement these standards with a combination of technological controls and local practice. Standards and practices adopted by a college or administrative unit must be consistent in principle with this standard but may provide additional detail, guidelines or restrictions.

Standard:

Required:

For systems not able to integrate with Cal Poly enterprise authentication services:

  • A strong password must be used for all devices supporting authentication and password authenticated services connected to the campus network.
  • To be considered strong, passwords must conform to the rules established for the Cal Poly Password regarding complexity, length, and composition as described below.
  • If this is not technically feasible, the strongest possible password rules must be implemented.
  • Strong passwords must be changed at least once annually (every 365 days). More frequent changes may be required for resources that do not support strong passwords (i.e., does not conform to the Cal Poly Password rules).
  • Well known or publicly posted identification information must not be used as a password.
  • Input of all passwords must be masked.
  • Passwords must be encrypted during storage and transmission over networks
  • Passwords must not be stored in clear text or a readily decrypted form.
  • Passwords must be stored in a non-reversible format.
  • Embedding or hard-coding passwords into any system must be avoided whenever possible.
  • University approved electronic password safes may be used to store additional passwords as long as an appropriate strong password is utilized for the safe.
  • Devices must not be configured allowing logins without a password. Exceptions may be granted for specialized devices such as kiosks which have extremely restricted accounts.
  • Passwords must be changed whenever a system or account is suspected of being compromised, and the incident must be reported to abuse@calpoly.edu.
  • All default passwords for access to network-accessible devices, applications and services must be modified at installation to one that complies with this standard.
  • Any pre-assigned passwords must be changed immediately upon initial access to the account.
  • Unless other mitigating controls exist, separate passwords must be used for privileged and unprivileged access by the same user on the same device. Mitigating controls may include security controls built into the operating system or authentication services, for example.
  • Use of privileged access passwords must be limited to system administration activities only.
  • Account and password management functions must be restricted to authorized staff.
  • After four (4) incorrect password tries within 33 minutes, access must be denied automatically.  The access must be denied for 33 minutes or until the account is manually reset by authorized staff.
  • Password change procedures must authenticate the user prior to changing the password. Acceptable forms of authentication include answering a series of specific questions whose answers would not be known except by the user and trusted staff, showing one or more forms of photo ID, etc.
  • After a password reset by authorized staff, a password change is required within three (3) days.
  • Computer labs should be designed to authenticate each user individually for accountability purposes. If this is not feasible, then other appropriate mitigating controls must be in place to minimize any potential risks. These controls must be documented.
  • For shared or service accounts, where the password is managed within a specified work group, the password must be changed annually or when a member leaves the group. An individual employee must be designated to maintain the password and ensure that only authorized persons have access to the password.

For individuals creating passwords for use on university systems:

  • Passwords created for university systems must not be duplicated in non-university systems.
  • All passwords are classified as confidential information.
  • Passwords must not be transferred or shared with others unless authorized to do so.
  • Passwords must be changed if they have been used, obtained or suspected to be obtained by anyone other than the account owner.
  • Individual user passwords must be memorized. They must not be written down, inserted into email messages or other forms of electronic communications or stored in a file or computer system unless adequately secured.
  • If a user suspects their password has been compromised, it should be changed immediately and the incident reported to abuse@calpoly.edu

In addition to the above, the following requirements apply to administrator or system-level accounts, especially on multi-user or high-risk devices, except where technically and/or administratively infeasible:

  • Administrative passwords must be changed whenever there is a change in administrator.
  • Administrative passwords must be on file with the employee’s supervisor or readily accessible by the supervisor in the event of an emergency or the administrator is not available.
  • Administrative passwords must be unique from other passwords used by the individual.
  • Use of administrative passwords must be limited to system administration activities only.
  • Administrative passwords must be disabled or returned to the appropriate department or entity on demand, upon termination of the relationship with the university, or when an employee no longer requires administrator access as part of their job duties and responsibilities.
  • Administrative passwords may be stored in a secured electronic location with limited access.
  • Administrative passwords should be changed as frequently as is warranted based on risk.

Cal Poly Password Rules/Requirements

Password Length

  • Minimum of 8 characters
  • Maximum length of 40 characters


Composition:

Passwords must contain at least one character from three of the following lists:

  1. Uppercase Alphabetic (A-Z)
  2.  Numbers (0-9)
  3.  Lower case Alphabetic (a-z)
  4.  These Special Characters are allowed:

           ! $ % & , ( ) * + - . / ; : < = > ? [ \ ] ^ _ { | } ~ # " @ and the 'space' character

Passwords must not contain any of the following:

  1. Your previous passwords used within the last two (2) years
  2. Passwords less than 16 characters must not contain any of the following:
    1. Any words of three or more characters, including non-English words
    2. Any groups of three or more characters of the same character type
    3. Any names, person, places, or things found in a common dictionary
    4.  Any of your names (first, middle, last), any current Cal Poly username
    5. Repetitive characters (sequences)

Definitions:

Password – A sequence of alphanumeric and special characters entered in order to gain access to a computer system or resource

Strong Password – A password that is reasonably difficult to guess in a short period of time either through human guessing or the use of specialized software.

Shared or Service Account – An account established to support an approved university operation or function that requires access by multiple individuals to perform and maintain its intended purpose. Examples: departmental email and web accounts.

Administrative Officials – Managers with responsibility for the university organizational entity deploying the information technology asset (system, resource, applications, etc.) 

Authorized Staff – The Cal Poly employee(s) responsible for administering an information technology resource that is being used for university business, including instruction, i.e., the person responsible for determining the account and password management functions

Responsibilities: 

Administrative Officials – Ensure that Cal Poly applications, systems and information technology resources under their control are supported by an application manager, system administrator or someone functioning in that role. This person(s) is required to have the ability to understand and comply with the password standard.

System Administrators – Configure Cal Poly systems for compliance with the password standard. System administrators or equivalent security personnel shall work with individuals in an effort to ensure that they are able to comply with the standard.

Application Developers/Managers – Create code that complies with this standard when creating or managing applications that utilize passwords.

Individual Users – Faculty, staff, students, affiliates, and service providers are responsible for creating and maintaining passwords on university systems that comply with this standard

Information Technology Services – Responsible for establishing, maintaining and modifying enterprise authentication services and Cal Poly Password requirements and related procedures

The Vice Provost/Chief Information Officer and Information Security Officer – Responsible for developing and reviewing information security policies and standards and serve as the final arbitrators in policy exception review

Non-Compliance and Exceptions:

Systems may be scanned or physically examined for compliance with this standard at any time. Systems found in non-compliance with this standard may be removed from the network until they do comply.

If it is technically infeasible for an information resource to meet this standard, departments must submit a request for exception to the Vice Provost/CIO and Information Security Officer for review and approval.

Implementation

Effective Date: 9/30/2010
Review Frequency: Annual
Responsible Officer: Vice Provost/Chief Information Officer

Revision History

Date Action Pages
6/13/2013 Updated list of permitted special characters All
9/30/2010 Release of initial document All

 

Related Content

Best Practices

10 Best Pactices

Our 10 Best Pactices

Contact Us

Contact Information Security at 756-7000

Contacts

Did you know?

Stay Safe Online Tips