
Security

Tech Tips: Password

The following is recommended as best practices by the Information Security Office.

Minimum Password Requirements:

  • Passwords should have a minimum length of 8 characters.
  • Passwords should contain at least 3 of the 4 items below:
      • At least one English upper-case character (A-Z)
      • At least one English lower-case character (a-z)
      • At least one digit (0-9)
      • At least one special character allowed by the operating system or application (e.g., @ ! # $ % ^ & * ( ) + = - _)
  • Passwords should not be stored or transmitted in clear text format.
  • Passwords should not be reset to an existing or same password.
  • Where possible, passwords should not be stored in any easily reversible form.

Password Management Recommendations:

  • Administrators should log all incorrect password attempts and monitor the logs on a regular basis for suspicious or unusual activity that may indicate a compromise.
  • Suspicious or unusual activity should be investigated by Administrators and appropriate action taken.
  • Based on the circumstances, appropriate action may include contacting the user, disabling the account and contacting the security officer.
  • Use unique passwords for all group accounts and/or privileged accounts.
  • Reset all default system and/or application passwords to meet minimum password requirements.
  • All system-level passwords (e.g., root, Administrator) should be changed when an individual who knows the password either departs the organization or transfers to a new role that no longer requires the previous system-level access.

Additional best practices to be considered:

  • Users may log on to change passwords or use an approved password reset tool to change passwords.
  • After either a suspected or confirmed intrusion due to a compromised password, please notify the Information Security Office. You may consider forcing a password change for all accounts at next login.
  • Users may be allowed to reset passwords immediately to minimize the risk associated with the default password assignments.
  • Users should not be allowed to log in automatically without typing a password.
  • Passwords should not be reset to any of the previous six passwords used for the affected account.
  • Consider additional password strength requirements such as periodic expirations of passwords for accounts with access to sensitive information and/or information governed by policy or legal requirements.
  • Set the security group level of users who do not require update privileges to READ only.
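
The minimum requirements and the six-password history rule above, as an added example that is not part of this wiki page: a Python checker that enforces the length and 3-of-4 character-class rules using the page's own special-character list, and keeps the password history as salted PBKDF2 digests rather than in clear text. The PBKDF2 work factor, function names and the sample passwords are constructed assumptions, not values from the page.

```python
import hashlib
import hmac
import os
import string

# Policy parameters from the page; the special-character set is the page's example list.
MIN_LENGTH, REQUIRED_CLASSES, HISTORY_DEPTH = 8, 3, 6
POLICY_SPECIALS = set("@!#$%^&*()+=-_")
PBKDF2_ROUNDS = 200_000  # assumed work factor for the history store

CLASS_SETS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": POLICY_SPECIALS,
}

def character_classes(password: str) -> set:
    """Return which of the four policy character classes appear in the password."""
    return {name for name, chars in CLASS_SETS.items() if any(ch in chars for ch in password)}

def hash_for_history(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest, so the history never holds a reversible form."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def in_history(candidate: str, history: list) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored (salt, digest) pairs."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_for_history(candidate, salt)[1], digest):
            return True
    return False

def check_password(candidate: str, history: list) -> list:
    """Return the policy violations for a candidate; an empty list means it is acceptable."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(candidate)) < REQUIRED_CLASSES:
        violations.append(f"fewer than {REQUIRED_CLASSES} of the 4 character classes")
    if in_history(candidate, history):
        violations.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
    return violations

if __name__ == "__main__":
    # Constructed sample: a user's stored history, then four candidates checked against it.
    history = [hash_for_history(p) for p in ("Winter2023!", "Spring2024!")]
    for cand in ("short1A", "alllowercase", "Spring2024!", "N3w-Passw0rd"):
        print(cand, "->", check_password(cand, history) or "OK")
```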

See also