Password Standard Policy
To provide clear guidance and present best practice for the creation of strong passwords, the management and protection of those passwords, and the frequency of change.
This policy applies to all ACK Information Technology equipment, systems and applications which are capable of being password protected.
Required Characteristics of Passwords
- A password, passphrase or other strong authentication must be used for all devices supporting authentication and for password-authenticated software connected to the ACK network.
- Blank passwords are not allowed.
- A password or passphrase must be six or more characters long. Longer passwords are even better to protect against automated programs that try all the possible combinations of characters (called “brute force cracking”).
- Passwords or passphrases must be periodically changed as required by each system, but at least twice annually.
- A password or passphrase must be complex (e.g. include a combination of character types such as numbers, special characters, lower case letters, upper case letters, non-keyboard characters) to help protect against automated cracking.
- A minimum of three types of characters (e.g. lower case letters, numbers, special) should be used for passwords.
- Systems should protect against “brute force” password guessing programs from the network and Internet. Whenever possible, systems should lock a user's account if the user fails to log in to the system within a specified number of attempts. The lockout may either be for a designated amount of time or until the account is reset.
Active Directory Password Requirements
- Maximum password age = 180 days
- Enforce password history = 10 passwords
- Minimum password age = 1 day
- Minimum password length = 6 characters
Password Complexity Requirements
- Is not based on the user’s account name.
- Contains at least 6 characters.
- Contains characters from three of the following four categories:
  - Uppercase alphabet characters (A–Z)
  - Lowercase alphabet characters (a–z)
  - Arabic numerals (0–9)
  - Non-alphanumeric characters (for example, !$#,%)
Active Directory Account Requirements
- Account lockout threshold = 5 invalid attempts
- Account lockout duration = 30 minutes
- Reset account lockout counter after = 30 minutes
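An added example (not part of the ACK policy itself): a PowerShell check that compares a domain's default password policy against the Active Directory values listed above. The function name `Test-AckPasswordPolicy` and the sample object are constructed for illustration; the property names are those returned by `Get-ADDefaultDomainPasswordPolicy`, and treating values stricter than the stated ones as compliant is an assumption.

```powershell
# Added example: audit a default domain password policy against this standard.
# Test-AckPasswordPolicy is a hypothetical name; thresholds come from the policy text.
# Assumption: values stricter than the stated ones count as compliant.
function Test-AckPasswordPolicy {
    param([Parameter(Mandatory)] $Policy)

    $checks = @(
        # A zero maximum age disables expiry, so it fails the 180-day rule.
        @{ Setting = 'MaxPasswordAge'; Expected = '> 0 and <= 180 days'
           Pass = ($Policy.MaxPasswordAge -gt [TimeSpan]::Zero) -and
                  ($Policy.MaxPasswordAge -le [TimeSpan]::FromDays(180)) }
        @{ Setting = 'PasswordHistoryCount'; Expected = '>= 10 passwords'
           Pass = $Policy.PasswordHistoryCount -ge 10 }
        @{ Setting = 'MinPasswordAge'; Expected = '>= 1 day'
           Pass = $Policy.MinPasswordAge -ge [TimeSpan]::FromDays(1) }
        @{ Setting = 'MinPasswordLength'; Expected = '>= 6 characters'
           Pass = $Policy.MinPasswordLength -ge 6 }
        @{ Setting = 'ComplexityEnabled'; Expected = 'True'
           Pass = $Policy.ComplexityEnabled -eq $true }
        # A threshold of 0 means accounts are never locked out.
        @{ Setting = 'LockoutThreshold'; Expected = '1 to 5 invalid attempts'
           Pass = ($Policy.LockoutThreshold -ge 1) -and ($Policy.LockoutThreshold -le 5) }
        @{ Setting = 'LockoutDuration'; Expected = '>= 30 minutes'
           Pass = $Policy.LockoutDuration -ge [TimeSpan]::FromMinutes(30) }
        @{ Setting = 'LockoutObservationWindow'; Expected = '>= 30 minutes'
           Pass = $Policy.LockoutObservationWindow -ge [TimeSpan]::FromMinutes(30) }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting   = $c.Setting
            Expected  = $c.Expected
            Actual    = $Policy.($c.Setting)
            Compliant = [bool]$c.Pass
        }
    }
}

# Constructed sample policy (not real data) with two deliberate deviations.
$sample = [pscustomobject]@{
    MaxPasswordAge           = [TimeSpan]::FromDays(180)
    MinPasswordAge           = [TimeSpan]::FromDays(1)
    MinPasswordLength        = 6
    PasswordHistoryCount     = 5       # deviation: history shorter than 10
    ComplexityEnabled        = $true
    LockoutThreshold         = 0       # deviation: lockout disabled
    LockoutDuration          = [TimeSpan]::FromMinutes(30)
    LockoutObservationWindow = [TimeSpan]::FromMinutes(30)
}
Test-AckPasswordPolicy -Policy $sample | Format-Table -AutoSize
# On a host with the ActiveDirectory module, pass the live policy instead:
# Test-AckPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
```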
Events Necessitating Password Change
- Unauthorized password discovery or usage by another person.
- System compromise (unauthorized access to a system or account).
- Insecure transmission of a password, for example via email or instant message. (Even an email transferred via secure Post Office Protocol (POP) or Secure Internet Message Access Protocol (S-IMAP) could be compromised at the Simple Mail Transfer Protocol (SMTP) level or read while in your inbox; change the password anyway.)
- Accidental disclosure of password to an unauthorized person.
- Replacement of account user with another individual requiring access to the same account.
- Password is provided to IT support staff to resolve a technical issue. (It is strongly recommended that IT support staff request an end-user password only as a last resort.)
- A password is provided to the end-user and the system administrator knows the password. For example, the system administrator provides a new account password or has to reset an account password.
Consequences of Violations
- Violation of this standard could result in loss of access to applications or to the ACK network, or in personnel disciplinary actions.
TERMS AND DEFINITIONS
- Brute force (brute force cracking): A trial-and-error method used by application programs to decode encrypted data such as passwords.
- Information: Any data in an electronic format that is capable of being processed or has already been processed.
- Information Technology Resources: Includes all computer facilities and devices, networks and data communications infrastructure, telecommunications systems and equipment, internet/intranet and email facilities, software, information systems and applications, account usernames and passwords, and information and data that are owned or leased by ACK.
- Active Directory (AD): A directory service that Microsoft developed for Windows domain networks.
- Systems Administrators: The individuals responsible for the day-to-day management of the ACK network domain who have been authorized to create and manage user accounts and passwords.
- Password: A string of characters that a user must supply in order to gain access to an IT resource.
- Users: Any authorized individual who uses ACK IT resources.
© Copyright 2017. ACK. All Rights Reserved.