Joker0day

Password Standards Education

Feb 19th, 2017
University Standards

Password Standards
Information Security Office

ACCOUNTABILITY/APPLICABILITY:
This standard applies to all technology and systems that are physically and logically capable of supporting the standard. This includes but is not limited to: university-owned desktop computers, laptops, cell phones with UCF-provisioned e-mail accounts, small form factor computing devices, UCF’s electronic services, systems, and servers. The standard covers all university resources as well as resources managed centrally.

STANDARDS STATEMENT:
Passwords are the most frequently used form of authentication for accessing a computing resource. Due to the use of weak passwords, the proliferation of automated password-cracking programs, and the activity of malicious hackers and spammers, they are also very often the weakest link in securing data. Greater risks require a heightened level of protection. Passwords must therefore follow the standards listed below.
STANDARDS
General Password Standards
1. All passwords (e.g., PID, NID, email, web, desktop computer, etc.) should be strong passwords. In general, a password's strength will increase with length, complexity, and frequency of changes. (For additional information on strong passwords, refer to step four.)
2. High-risk systems may require a higher level of protection. High-risk systems include but are not limited to: systems that provide access to critical or sensitive information, controlled access to shared data, a system or application with weaker security, and administrator accounts that maintain the access of other accounts or provide access to a security infrastructure. For such high-risk requirements, strong passwords should be augmented with two-factor (or more) authentication.
501-101 Password Standards 1

3. All passwords, except where technically infeasible, should meet the following standards:
   a. Be at least eight (8) alphanumeric characters long (longer passwords are encouraged because they are often harder to guess or crack).
   b. Use all of the following character types at least once:
      i. Uppercase letter (A through Z)
      ii. Lowercase letter (a through z)
      iii. Number (0-9)
      iv. Special character (e.g., !, $, #, %)
   c. Passwords should not be words from any dictionary, in any language, slang, dialect, or jargon, nor be based on easily guessed personal information (e.g., names of family members, friends, pets, etc.), birthdates, or other personal information such as an address or telephone number.
   d. Blank passwords should not be used and are not permitted.
4. Passwords in storage or in transit must be encrypted.
5. Password management tools should encrypt passwords using at least 256-bit industry-accepted encryption (e.g., Advanced Encryption Standard (AES), Blowfish).
6. Passwords that could be used to access restricted and/or sensitive information must be encrypted in transit by using SSL, TLS, or VPN protection.
7. The same password should not be used for access needs external to UCF (e.g., online banking, personal email accounts, personal desktop and/or laptop computers, etc.).
8. It is required by UCF policy that users change their PID, NID, and privileged account passwords after 60 days. It is recommended that systems enforce these requirements via technical controls (e.g., password expiration controls) so that all university-affiliated account passwords follow this policy.
9. Attempts to guess a password should be limited to fifty (50) incorrect guesses. Any attempts over 50 guesses within 15 minutes (lockout counter reset time period) should automatically disable/lock the account. The account should remain locked (lockout time) for 15 minutes before a password can be attempted again.
10. Activate password history and store at least the last six passwords.
11. Minimum password age before allowing a password change should be at least three (3) days of use.
12. Passwords should not be shared with anyone, including administrative assistants or IT administrators. If administrators need to access your system/account (e.g., NID), follow the steps below:
   a. Change the password.
   b. Provide the administrator with the new password.
   c. When the administrator no longer requires access, change the password, making sure the new password meets the standards outlined in this document.
13. If a password is suspected to have been compromised, it should be changed immediately and the security incident reported to the IT manager, DSC, and the Security Incident
14. Audit logs or log files must never contain password information.

Password Standards for Privileged Accounts:
In addition to the general password standards listed above, the following standards apply to server, service, desktop, and all other administrator passwords, except where technically and/or administratively infeasible:
1. Attempts to guess a password should be limited to ten (10) incorrect guesses. Any attempts over 10 guesses within 15 minutes (lockout counter reset time period) should automatically disable/lock the account. The account should remain locked (lockout time) for 15 minutes before a password can be attempted again.
2. All passwords should be at least fifteen (15) alphanumeric characters long (longer passwords are encouraged because they are often harder to guess or crack).
3. Failed attempts should be logged, unless such action results in the display of a failed password. It is recommended that these logs be retained for a minimum of 30 days. Administrators should regularly inspect these logs and immediately report any irregularities or compromises to SIRT.
4. When using SNMP…
   a. Always change the community strings. Never set them to defaults such as “public”, “private” and “system”.
   b. Community strings must differ from the passwords used to log in interactively.
   c. Always use a keyed hash where available (e.g., SNMPv2).
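The lockout rules in General item 9 and Privileged item 1, together with the length and character-class rules in General item 3 and Privileged item 2, modelled as an added Python example. This is not part of the UCF standard or of any UCF system; the thresholds and windows are the standard's, while the class and function names are my own assumptions.

```python
# Added example, not part of the UCF standard or any UCF system: the lockout
# counters (General item 9, Privileged item 1) and the length/character-class
# rules (General item 3, Privileged item 2). Names below are my own assumptions.
from dataclasses import dataclass
from typing import Dict, Optional
import string

@dataclass
class LockoutPolicy:
    max_failures: int               # 50 for general accounts, 10 for privileged
    reset_window: float = 15 * 60   # lockout counter reset time period (seconds)
    lockout_time: float = 15 * 60   # how long the account stays locked (seconds)

GENERAL = LockoutPolicy(max_failures=50)
PRIVILEGED = LockoutPolicy(max_failures=10)

@dataclass
class AccountState:
    failures: int = 0
    window_start: Optional[float] = None   # time of first failure in this window
    locked_until: float = 0.0

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self.accounts.get(account, AccountState()).locked_until > now

    def record_failure(self, account: str, now: float) -> bool:
        """Count one incorrect guess; return True if the account is locked."""
        st = self.accounts.setdefault(account, AccountState())
        if st.locked_until > now:
            return True
        if st.window_start is None or now - st.window_start >= self.policy.reset_window:
            st.failures, st.window_start = 0, now   # reset window elapsed: start over
        st.failures += 1
        if st.failures > self.policy.max_failures:   # "attempts over N guesses"
            st.locked_until = now + self.policy.lockout_time
            st.failures, st.window_start = 0, None
            return True
        return False

def meets_standard(password: str, privileged: bool = False) -> bool:
    """General 3a/3b/3d and Privileged 2: minimum length plus all four classes."""
    min_len = 15 if privileged else 8
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
    return len(password) >= min_len and all(
        any(c in cls for c in password) for cls in classes)
```

The dictionary-word rule (item 3c) is deliberately left out: it needs a word list and the user's personal data, neither of which the standard supplies.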
  96.  
DEFINITIONS:
Access password. A password used to authorize access to data and distributed to all those who are authorized similar access to that data.
Audit logs. A registry that shows the identifier, date, and time that stored data is accessed.
Authentication. The process of establishing confidence in user identities electronically presented to an information system.
Authorization process. The actions involving (1) obtaining an access password from a system user (whose identity has already been authenticated, perhaps using a personal password); (2) comparing the access password with the password associated with the protected data; and (3) authorizing access to the data if the entered password and the stored password are the same (see note above).
Compromise. Disclosing a password, or part of a password, to someone not authorized to know, have or use the password.
Data. Numerical or other information represented either in a physical form or in a form suitable for electronic processing or storage.
DSC. Acronym for College or Departmental Security Coordinator.
Employees. Individuals acting on behalf of the university in processing, storing, and retrieving data. This includes any paid or volunteer acting on behalf of the university.
Encrypted or truncated. Data converted to a code or shortened for security purposes.
Encryption. The process of transforming data to an unintelligible form in such a way that the original data either cannot be obtained (one-way encryption) or cannot be obtained without using the inverse decryption process (two-way encryption).
Family Educational Rights and Privacy Act of 1974. Also known as the Buckley Amendment. FERPA is a federal law that protects the privacy of student academic records.
Information Security Office (ISO). The mission of the Information Security Office is to provide a secure infrastructure that protects the confidentiality, integrity, and availability of information resources. To this end, the ISO develops security best practices, coordinates security issues, conducts investigations, and works with Information Technology (IT) and other campus departments to minimize security risks and assure compliance with security policies and procedures.
Network Identification. (Also abbreviated NID) A UCF-issued credential, which may also be part of one's email account, to be used by university employees and students to access systems that do not contain restricted data as defined by policy 4-008.
Passphrase. A sequence of characters, longer than the acceptable length of a password, that is transformed by a password system into a virtual password of acceptable length.
Password system. A system that uses a password or passphrase to authenticate a person's identity or to authorize a person's access to data and which consists of a means for performing one or more of the following password operations: generation, distribution, entry, storage, authentication, replacement, encryption and/or decryption of passwords.
Personal identification. (Also abbreviated PID) A UCF-issued credential to be used by university employees and students to access systems that contain restricted data. PIDs are classified as restricted data.
Personal identifier. A data item associated with a specific individual which represents the identity of that individual and may be known by other individuals.
Personal password. A password that is known by only one person and is used to authenticate that person's identity.
Personal restricted data. (Also called Personally Identifiable Information or PII) Personal Restricted Data includes personally identifiable information. This is any information from which an individual may be uniquely and reliably identified or contacted (e.g., social security number, account relationships, account numbers, account balances, account histories, and passwords).
Privileged Accounts. An account that allows special programs or elevated access to read and/or change sensitive systems and/or data. “Administrator”, “Service”, and “Root” accounts fall into this category.
Restricted data. Data that are considered sensitive and protected. There are two sub-classifications of restricted data: personal and non-personal.
   Personal restricted data includes personally identifiable information: a) information from which an individual may be uniquely and reliably identified or contacted, including an individual’s social security number, account relationships, account numbers, account balances, account histories, and passwords; b) information concerning an individual that is considered “nonpublic personal information” within the meaning of Title V of the Gramm-Leach-Bliley Act of 1999 (Public Law 106-102, 11 Stat. 1338) (as amended) and its implementing regulations; and c) information concerning an individual that is considered “protected health information” within the meaning of the Health Insurance Portability and Accountability Act of 1996 (as amended) and its implementing regulations. Protection for such data may also be subject to additional operating regulations in accordance with vendor or partner agreements, such as the Payment Card Industry Data Security Standards.
   Personal restricted data also includes the home addresses, telephone numbers, social security numbers, and photographs of certain university employees, such as police officers and their spouses, as specified in F.S. 119.07(4)(d)1-7.
   Non-personal restricted data includes electronic information whose unauthorized access, modification, or loss could adversely affect the university (e.g., cause financial loss or loss of confidence or public standing in the community), adversely affect a partner (e.g., a business or agency working with the university), or adversely affect the public.
   Non-personal restricted data also includes security-related information, such as computer passwords, and student academic records as defined by the Family Educational Rights and Privacy Act of 1974.

Information Security Office
infosec@J0ker

INITIATING OFFICE: Information Security Office
STANDARDS APPROVAL
(For use by the Information Security Office)
Standards Number: 501-101
Review Committee Representative:
Signature:_______________________________________________ Date:______________
Chief Information Security Officer: J0ker
Signature:_______________________________________________ Date:______________
Password Standards

Original PDF contact: Joker0day@protonmail.ch