Director, Technology and Information Systems
over 2 years ago
By Jefferson Davis
Geolocation services provided by Texas A&M University GeoServices
Information Systems - Password Guidelines
over 2 years ago
Passwords are a critical part of information and network security. Passwords serve to protect user accounts but a poorly chosen password, if compromised, could put the entire network at risk. As a result, all employees of The Standard School District should take appropriate steps to ensure that they create strong, secure passwords and safeguard them at all times. The purpose of these guidelines is to set a standard for creating, protecting, and changing passwords such that they are strong, secure, and protected.
These guidelines apply to all employees of the District who have or are responsible for a computer account, or any form of access that supports or requires a password, on any system that resides at any District facility, or has access to The Standard School District's network.
What is a password? Your computer password is your personal key to a computer system. Passwords help to ensure that only authorized individuals access computer systems. Passwords also help to determine accountability for all transactions and other changes made to system resources, including data. If you share your password with a colleague or friend, you may be giving an unauthorized individual access to the system and may be held responsible for their actions. What if the individual gives your password to someone else? What if some of your files are deleted or otherwise rendered unusable? Are you willing to take the blame if an unauthorized individual uses your access privileges to damage the information on the system or to make unauthorized changes to data?
Authentication of individuals as valid users, via the input of a valid password, is required to access any shared computer information system. Each user is accountable for the selection, confidentiality and changing of passwords required for authentication purposes. Since you are responsible for picking your own password, it is important to be able to tell the difference between a good password and a bad one. Bad passwords jeopardize information that they are supposed to protect. Good ones do not.
Your password should not be the same as your User/LogonID, an anagram of your User/LogonID or a palindrome of your User/LogonID. If you have access to a number of systems that require the entry of a password, such as the mainframe computer and a Local Area Network (LAN), try not to use the same password for both systems. A good password is relatively easy to remember but hard for somebody else to guess. There are a variety of techniques you can use to choose secure passwords. Listed below are some examples of creating passwords.
- Passwords should be changed every 60 days.
- Old passwords should not be re-used for a period of 6 months.
- All passwords should conform to the guidelines outlined below.
Password Construction Guidelines
Passwords are used to access any number of District systems, including the network, e-mail, the Web, and voicemail. Poor, weak passwords are easily cracked, and put the entire system at risk. Therefore, strong passwords are required. Try to create a password that is also easy to remember.
- Passwords should not be based on well-known or easily accessible personal information.
- Passwords should contain at least 8 characters.
- Passwords should contain at least 5 uppercase letters (e.g. N) or 5 lowercase letters (e.g. t) or a combination of both.
- Passwords should contain at least 2 numerical characters (e.g. 5).
- Passwords should contain at least 1 special characters (e.g. $).
- A new password should contain at least 5 characters that are different than those found in the old password, which it is replacing.
- Passwords should not be based on users' personal information or that of his or her friends, family members, or pets. Personal information includes logon I.D., name, birthday, address, phone number, social security number, or any permutations thereof.
- Passwords should not be words that can be found in a standard dictionary (English or foreign) or are publicly known slang or jargon.
- Passwords should not be trivial, predictable or obvious.
- Passwords should not be based on publicly known fictional characters from books, films, and so on.
- Passwords should not be based on the company's name or geographic location.
Following are examples of some techniques for creating passwords.
1. Use a word with one or two digits embedded in it.
Examples: HOU32SE#, MON42DAY, TAB87LE%
2. Make up an acronym based on a nursery rhyme, a favorite song or movie, or a sentence.
MHALL76# - Mary Had A Little Lamb
MDHF#88- My Dog Has Fleas#
OTGDY4*8 - Only The Good Die Young (Billy Joel)
TERM2*12 - Terminator 2
3.Use a three character pronounceable word suffixed or prefixed with a one- or two-digit suffix or prefix.
DAM56, WAR34, 56DIG
4. Make up nonsense words that mean something to you by combining the first syllables of two words. However, avoid using standard abbreviations like "jan, feb, mar, etc." as part of your password.
PUBPOL5% - Published Policy
5. Drop vowels or drop everything but the first 6 letters of a long word or two words.
CLNDSK1# - clean desk
DEDICA5% - dedication
HOMEWO# 9- home work
6. Use special characters like #, $, and @. These too, can be inserted anywhere.
Example: UNI$VER9 - university
7. Misspell a word, drop a couple of letters or add some.
MISTIFI@ - mystify
CELLEB59 - celebrate
RNYDY$17 - rainy day
8. Be creative! Try to choose a pattern that has meaning for you but that no one else can guess. For example, you might use upcoming events in your life. If you or one of your children has a major essay to write next month, you might create a password reflecting that event.
Example: MAJESS+7 - Major essay
Or if your 4th cousin, twice removed, is coming for a visit you might create a password such as the following one.
9. Another pattern could be to choose meaningful words with a minimum of 10 letters and always use only the first 6 letters. Then add a special character as one of the characters Note: Some systems have restrictions as to which special characters can be used as part of a password.
ANNIVE$0 - anniversary
UNBEND# 9- unbendable
@UNBEND1 - unbendable
The best password is one that is a random combination of numeric and alphabetic characters and special characters.
On systems which allow upper case and lower case letters, use a combination of upper and lower case characters for your password.
Password Protection Guidelines
- Passwords should be treated as confidential information. No employee is to give, tell, or hint at their password to another person, administrators, superiors, other co-workers, friends, or family members, under any circumstances.
- If someone demands your password, refer him or her to these guidelines or have him or her contact the IT Department.
- Passwords should not be transmitted electronically over the unprotected Internet, such as via e-mail. However, passwords may be used to gain remote access to company resources via the company's IPsec-secured Virtual Private Network or SSL-protected Web site.
- No employee is to keep an unsecured written record of his or her passwords, either on paper or in an electronic file. If it proves necessary to keep a record of a password, then it must be kept in a controlled access place if in hardcopy form or in an encrypted file if in electronic form.
- Do not use the "Remember Password" feature of applications and do not create a "hot key" for password use.
- Passwords used to gain access to company systems should not be used as passwords to access non-company accounts or information.
- If possible, don't use the same password to access multiple company systems.
- If an employee either knows or suspects that his/her password has been compromised, it must be reported to the IT Department and the password changed immediately.
- Do not use any of the password examples shown in this document
- Finally, please remember that there is no need to share IDs and passwords. Anyone who needs and qualifies for access to a computer system should submit a request for his or her own LogonID and password.