Security Standard 06: Passwords
Summary
The official Information Security Policy that is the parent to this standard is located in the Official IWU Policy Warehouse.
The purpose of an organizational password standard is to establish a framework and set of rules for managing and securing access to digital resources within the organization. This standard aims to enhance the overall security posture by ensuring that passwords, a fundamental component of access control, meet specific criteria and are managed in a manner that mitigates security risks for all university login accounts.
In our continuous efforts to bolster password security, IWU will, when necessary, augment the length of passwords to ensure that, in the event of an unauthorized acquisition of an encrypted password, it remains resilient against quick decryption attempts.
This standard applies to all Indiana Wesleyan University (IWU) login accounts including but not limited to employees, students, contractors, third-party vendors, and systems accounts.
Outline
(A) EMPLOYEE & STUDENT PASSWORDS
Minimum password character length:
- Students = (12)
- Employees = (14)
Password special character requirement
- All passwords must contain (3) of the (4) following character types:
  - (1) upper case letter
  - (1) lower case letter
  - (1) number
  - (1) special character ( for example: ,!$%^&*()_+|~-=\`{}[]:";'<>?,/ )
Important restrictions when selecting a password
- Substitution of Letters with Numbers
  - Passwords employing letter-to-number substitutions may face rejection if the resulting normalized words are found within a cracking dictionary. For instance, the password 'C0ntos0Blank12' would be declined due to the presence of two compromised passwords, namely 'Contoso' and 'Blank'. Extending the password by several characters would potentially override this restriction, allowing the password to proceed regardless of any compromised passwords.
- Avoidance of Previous Password Variations
  - Users are advised against utilizing modified versions of past passwords that may have been previously employed to access their account.
- Personal Account Distinction
  - Employee passwords must differ from those used for personal accounts, such as personal email or bank accounts. While strongly advised for students, this is not a requirement.
- Exclusion of Personal Information
  - Passwords must not incorporate the user's first name, last name, login name, or email address.
- Prohibition of Consecutive Repeating Characters
  - Passwords featuring three or more consecutive repeating characters will be rejected.
- Restrictions On Using Specific Words Within a Password
  - Users are urged to abstain from incorporating any words listed in the restricted passwords knowledge base article.
Password Expiration, Management & Protections
- How often do I need to change my password?
  - Password changes will not be mandated at regular intervals unless the IWU password hygiene monitoring platform identifies the password in a public breach database. In the event of detection, the account holder will receive notification through the university email, prompting them to change their password within a specified timeframe provided in the notification.
- Secure Transmission
  - Account passwords must not be transmitted via email, text, or any other digital forms. If unique situations necessitate credential transmission, it must be encrypted using the IWU Secure encryption procedure.
- Browser Password Storage (Employees)
  - Employees are prohibited from saving passwords prompted by web browsers. Existing browser-stored passwords, as of the policy's enactment, must be purged, and the option for saving passwords should be disabled.
- Documentation of Passwords (Employees)
  - Employee passwords must not be documented or stored outside of an approved password manager. Employees managing a substantial number of institutional passwords may be eligible for an IWU-provided password manager. Instructions for disabling password retention can be found in this knowledge base article.
(B) PRIVILEGED ADMIN, CONTRACTOR, SYSTEM SERVICE & TEST ACCOUNT PASSWORDS
Minimum password character length:
- Privileged Admin Accounts = (16)
- Contractors = (16)
- Test Accounts = (16)
- System Service Accounts = (20)
Password Character Requirements, Restrictions, Storage and Management
(Sections 3 and 4 from the Employee / Student password standard are applicable unless otherwise noted below.)
- All passwords must contain (3) of the (4) following character types:
  - (1) upper case letter
  - (1) lower case letter
  - (1) number
  - (1) special character ( for example: ,!$%^&*()_+|~-=\`{}[]:";'<>?,/ )
- Secure Storage
  - System service and test account passwords must be documented in an IWU approved secure password manager.
- Password Expiration
  - Privileged Admin accounts: Any accounts lacking multi-factor authentication (MFA) are subject to expiration with a frequency of every 90 days.
  - Test Accounts: Passwords for test accounts should undergo rotation every 90 days unless Multi-Factor Authentication (MFA) is implemented. Regular quarterly audits of all test accounts are required, with inactive accounts being promptly removed from the system.
  - Contractor Accounts: Contractors typically are engaged with IWU for a limited period of time. The length of a contractor's engagement must be communicated to the IAM manager, and any associated accounts should be set to expire on the expected engagement end date. Ongoing contractor support accounts are required to be changed every 90 days.
  - System Service Accounts: Passwords are required to be changed upon the departure or role change of an individual with access to a service account. In instances where an appropriate risk assessment has been completed and the risk found to be acceptable, this requirement can be waived by the CISO. It is the responsibility of the supervisor of the employee in question to notify the CISO and to discuss the individual case details.
- Duplication of Passwords
  - System Service and Test Account Passwords: The same password cannot be used for multiple system, service, or test accounts. This includes utilizing a similar password with a slight variation in each account (for example: Password1!, Password2!, Password3!).
  - Privileged user accounts must have unique passwords distinct from their owner's standard user accounts.
- Transmission of Passwords
  - Secure Transmission is required: Account passwords must not be transmitted via email, text, or any other digital forms. If unique situations necessitate credential transmission, it must be encrypted using the IWU Secure encryption procedure.
- Default Passwords for Systems and Network Devices
  - Default passwords for systems, network devices, embedded devices, IoT (sensors, appliances etc.) devices or infrastructure equipment must be changed before or shortly after connecting the system to the IWU network.
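The composition rules above (minimum length per account type from sections (A) and (B), three of four character types, no three consecutive repeating characters, no personal information, and the letter-to-number normalization check against a cracking dictionary) can be expressed as one validator. This is an added example, not IWU's own checker; the letter-to-number mapping and the four-word dictionary are constructed stand-ins.

```python
import re

# Minimum lengths by account type, from sections (A) and (B) of the standard.
MIN_LENGTH = {"student": 12, "employee": 14, "privileged_admin": 16,
              "contractor": 16, "test": 16, "system_service": 20}

# Constructed stand-in for the cracking dictionary the standard refers to.
CRACKING_DICTIONARY = {"contoso", "blank", "password", "welcome"}

# Reverses common letter-to-number substitutions (0->o, 1->l, 3->e, 4->a,
# 5->s, 7->t, 8->b, @->a, $->s, !->i). Assumed mapping, not IWU's own.
LEET_MAP = str.maketrans("0134578@$!", "oleastbasi")


def normalize(password):
    """Undo the substitutions above and lower-case the result."""
    return password.translate(LEET_MAP).lower()


def dictionary_hits(password):
    """Dictionary words that appear inside the normalized password."""
    normalized = normalize(password)
    return sorted(word for word in CRACKING_DICTIONARY if word in normalized)


def character_classes(password):
    """How many of the four required character types the password uses."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password(password, account_type, first="", last="", login="", email=""):
    """Return the violated rules; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH[account_type]:
        violations.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    if character_classes(password) < 3:
        violations.append("fewer than 3 of the 4 character types")
    if re.search(r"(.)\1\1", password):  # same character three or more times in a row
        violations.append("three or more consecutive repeating characters")
    lowered = password.lower()
    for label, value in (("first name", first), ("last name", last),
                         ("login name", login), ("email address", email)):
        if value and value.lower() in lowered:
            violations.append(f"contains {label}")
    hits = dictionary_hits(password)
    if hits:
        violations.append("normalized form contains dictionary words: " + ", ".join(hits))
    return violations
```

The standard's own example 'C0ntos0Blank12' passes the length and character-type rules and is rejected only by the dictionary check, which is the behaviour the restriction describes; the length-based override mentioned in the text is not modelled.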
Responsibility of Systems Processing Passwords
- Design and Security Standards for Password Handling
  - Password Display Restrictions
    - Systems, applications, and websites hosted by or for IWU should be designed to refrain from displaying passwords upon entry. However, a toggle option for visibility may be incorporated as needed.
  - Secure Storage Practices
    - Passwords must never be stored in a clear, readable format. Robust and brute-force resistant hashing methods or encryption must be consistently employed.
  - Restricted Access to Hashed or Encrypted Passwords
    - Hashed or encrypted passwords must always remain inaccessible to unauthorized individuals.
  - Prohibition of Clear Text Password Storage
    - Clear text passwords should never be stored as part of a login script, program, or automated process.
  - Usage Instances Requiring Review
    - In cases where the aforementioned procedures lack support, it is necessary to submit a formal request for a review of the specific usage scenario to the CISO.
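The "brute-force resistant hashing" requirement above is the difference between a fast unsalted digest and a salted, memory-hard key derivation function. The following is an added example (not IWU's code) showing both side by side, using Python's standard-library scrypt; the cost parameters and the record format are constructed choices for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (a constructed choice for this example, not IWU's):
# N=2**14, r=8, p=1 costs about 16 MiB of memory per guess, which is what
# makes offline guessing against a leaked hash slow on GPUs and ASICs.
SCRYPT_N, SCRYPT_R, SCRYPT_P, MAXMEM = 2 ** 14, 8, 1, 64 * 1024 * 1024


def weak_store(password):
    """What the standard rules out: an unsalted, fast hash. Equal passwords give
    equal digests, and commodity hardware tests billions of guesses per second."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Hardened form: per-password random salt plus a memory-hard KDF. Returns
    'scrypt$N$r$p$salt_hex$digest_hex' so the parameters travel with the hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, maxmem=MAXMEM, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False  # unknown or malformed record: never fall back to a clear-text compare
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), maxmem=MAXMEM, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Because the salt is random, two records for the same password differ, so a leaked table cannot be attacked with one precomputed list; the weak form yields identical digests for identical passwords.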
(C) RELATED INFORMATION
General Recommendations on Password Creation
- Please view the video below as a tool that can assist any IWU user in selecting a password.
- Individuals shall consider using passphrases, such as a song title, affirmation, or another phrase, since they are relatively long and constructed of multiple words, which provides greater security against dictionary attacks. Secure passphrases shall follow the general password construction guidelines to include upper and lowercase letters, numbers, and special characters (for example, !TheTrafficOnI95WasBadThisMorning!).
Definitions
- Encrypted Password
  - An encrypted password refers to a password that has undergone a process called encryption to protect it from unauthorized access. Encryption is a security technique that transforms information, in this case a password, into a format that is unreadable without the appropriate decryption key or algorithm. This helps enhance the security of sensitive information, such as user passwords.
- Cracking Dictionary
  - A cracking dictionary, often referred to as a password dictionary or word list, is a file or database containing a list of words, phrases, or combinations of characters that are commonly used as passwords. These dictionaries are used by attackers in password cracking attempts to systematically try each entry in the list as a potential password, either through brute-force attacks or more sophisticated methods like dictionary attacks.
- Privileged Admin Accounts
  - Privileged admin accounts encompass individuals with elevated access to administer systems, applications, and network devices. Given the heightened value of their administrator access, these accounts are particularly attractive targets for threat actors, posing an increased risk of compromise.
- System Accounts
  - These accounts are created to allow systems, applications, processes, or integrations to perform specific functions or tasks within a computer system. System service accounts typically have elevated access rights or privileges to administer systems, applications, and network devices. Due to their elevated privileges, system service accounts can be attractive targets for unauthorized access, making their security crucial.
- Test Accounts
  - These accounts are created for temporary use in imitating specific roles, individuals, or training scenarios within a system or application. These accounts are valuable for testing the functionality, performance, and security of systems and applications before they are deployed for actual use.
- Password Manager
  - A password manager is a software application or service designed to store, manage, and organize passwords for various online accounts and services. Its primary purpose is to help users generate strong, unique passwords for each of their accounts and then securely store and retrieve those passwords as needed.
- Passphrase
  - Unlike traditional passwords, which are typically shorter and consist of a combination of letters, numbers, and symbols, passphrases are longer and often composed of multiple words. Example of a passphrase: "1MountainBlueSkyRainyDay!"
Publication Tracking
Author | Madl, Michael, Chief Information Security Officer
---|---
Revision Date | Mon, 08 Jan 2024 - ver.20
Notes | Final Version - Approved by COO