• About Us
• Services
• Labs & Facilities
• Help & Instruction
• Policies, Procedures & Standards
• Search
  CCC site only
  All WPI IT sites
  
• CCC Home
• Quick Links
  • Helpdesk
  • Software Instruction
  • Network Operations
  • Telecommunications
  • Web Information System

Password Standard

Purpose

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of WPI's entire university network. As such, all WPI employees (including contractors and vendors with access to WPI systems) and students are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Scope

This policy covers all wireless data communication devices (e.g. personal computer, cellular phones, PDA's, etc.) connected to any of WPI's internal networks. This includes forms of wireless communication device capable of transmitting packet data. Wireless devices and/or networks with any connectivity to WPI's networks do not fall purview of this policy.

Standard

1. The owner of a username is responsible for all actions performed by that username, so it is important to keep your password secure.
2. Adhere to the Guidelines for Secure Password Creation
3. Change all passwords at least every 180 days. The recommended change interval is every four months.
4. Create groups and assign rights to groups. All people belonging to a specific group have the access rights assigned to the group. Manage group names & group access to assign appropriate access to individuals.
5. Setup accounts for each user with appropriate system-level privileges. Each person has their own account. Only one person has access to each account. Business units work with systems administrators to define access to each employee's unique credentials & meet the business needs.
6. Here's a list of "don'ts":
   • Do not use the same password for WPI accounts as for other non-WPI access (e.g. personal ISP account, optional trading, benefits, etc.) Where possible, don't use the same password for various WPI access needs. For example, select one password for central-IT-managed systems and a different password for other WPI systems. Apply the same philosophy with web-based vendor accounts.
   • Do not share WPI passwords with anyone, including managers, co-workers, administrative assistants, system administrators, and the HelpDesk. All passwords are to be treated as sensitive, confidential WPI information.
   • Don't talk about a password in front of others.
   • Don't hint at the format of a password (e.g. "my family name").
   • Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
   • Don't reveal a password on questionnaires or security forms.
   • Don't share a password with family members.
7. If someone demands a password, or needs access to shared files, refer them to the HelpDesk.
8. If an account or password is suspected to have been compromised, report the incident to the Information Security Office.
9. Password cracking or guessing may be performed on a periodic or random basis by the Information Technology Division or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.
10. Change or disable all vendor-supplied, default passwords, or similar "published" access codes for all installed operating systems, database management systems, network devices, application packages.
11. Forgetting to log out-all the way out-is like sharing your password with the world. Your user name and password is your means of protecting your paycheck, social security number, and other private information. Always log out, especially at a public kiosk. Even at home or in your office, a hacker can reach your computer through the Internet, if you leave the door open.
12. When your desktop machine is left on in an unsecured area (such as an unlocked office) protect it with a password-based screen saver and physically secure it as well.
13. Application development standards
    Application developers ensure their programs contain the following security precautions.
    
• Support authentication by individual credentials. Where possible, authenticate to university credentials. Credentials are not stored or held within the application.
• Do not store passwords in clear text or in any easily reversible form.
• Provide some sort of role management, such that one user can take over the function of another without having to know the other's password.
• Provide TACACS+, RADIUS and/or X.509 with LDAP security retrieval, whenever possible.
14. The Information Security Office periodically scans for weak passwords and reserves the right to inactivate the users account until the password is reset to a secure password.

Revision:

• The Information Technology Division endorsed this standard in October 2007.
• The faculty Committee on IT Policy endorsed this standard on January 15, 2008.

Please visit the Data Security site for references and information on other Data Security standards.

Maintained by itweb
Last modified: Dec 03, 2008, 16:40 UTC

Computing and Communications Center - Worcester Polytechnic Institute
100 Institute Road, Worcester, MA 01609-2280
Phone: +1-508-831-5136 - Fax: +1-508-831-5483 - itweb