Password Policies and Guidelines
The protection of confidential student information and other sensitive data on
our network is a fundamental responsibility of every employee at California
Western. Passwords are the keys that control access to this information.
Consistent with widely accepted best practices, California Western has a
password policy to ensure that only the user (you!) knows his or her own
password. The purpose of this policy is to reinforce information security by establishing a strong but reasonable password
management practice that follows common guidelines recommended by security professionals.
What this password policy means for you:
- You and only you will know your Windows network logon password.
- If you forget your password, you must contact Information Technology to request a password reset.
- You will not be able to select a short, trivial password. Passwords must meet complexity requirements (see below). The system will automatically reject your attempt to change a password to one that does not meet the complexity requirements.
- You will be required to change your password every 180 days (6 months). Windows will prompt you prior to the password expiration deadline. Keep in mind that you can change your password more often than every 180 days, if you choose.
- You will not be able to reuse a password you used previously.
Password Complexity Requirements and Policies
1. Passwords shall be a minimum of eight characters in length for general users, and a minimum of 10 characters for users with elevated privileges (network, server, and database administrators, etc.).
2. Passwords shall consist of at least three of the following four character sets:
- Lowercase alpha characters (e.g. a, b, c, d, e)
- Uppercase alpha characters (e.g. A, B, C, D, E)
- Numbers (e.g. 1, 2, 3, 4, 5)
- Special symbol or punctuation characters (e.g. ! @ # $ % & * _ + ~ . , >)
Note: embedded space characters are allowed in a Windows password.
3. Passwords shall be changed every 180 days (6 months).
- You will automatically be prompted to change your password on your office workstation (other devices do not have this capability).
- You will not be able to re-use a password.
- Note: You may change your password at any time by hitting Ctrl-Alt-Del. You need not wait to be prompted or notified by the system to change your password.
- Please keep in mind that any time you change your password you will need to change it on any and all devices that use a CWSL password, including smartphones, tablets, and laptops.
- If you need to change your password but logging into your office workstation is not an option, log into the Outlook Web App site (https://webmail.cwsl.edu). You can change your password from the Outlook webmail site.
4. Passwords must be unique for all password protected areas. Do not use the same password for different areas (i.e. computer systems, applications, personal accounts, etc.).
5. Passwords that are based on your name, userID, birthdates, addresses, phone numbers, relatives’ names, pets, or any other personal information are not allowed. Also, do not use repetitive characters (e.g. “4444” or “jjj”, etc.) in your password.
How to Select Strong AND Easily Remembered Passwords
The best password is one that is (a) easy to remember and type (so you are not tempted to write it down somewhere), and (b) difficult to crack. Unfortunately, with traditional passwords those two criteria tend to work against each other. Current best-practice security and password standards call for the use of a pass-phrase rather than the traditional one-word password. A pass-phrase can be extremely easy to remember and quick to type, yet extremely difficult to crack. For example, consider the following pass-phrases:
- I love my puppy!!!
- We won the game!
- Stars in the sky*
- Time for sushi & beer
- Sunset at the beach!
These pass-phrases are easy to conceive, easy to remember and type (since they can be constructed from real words you commonly use and type), and they satisfy the aforementioned password complexity requirements. Most importantly, although they appear to be simple sentences, they are extremely difficult to compromise with password-cracking software due to the number and diversity of characters. Studies have demonstrated that pass-phrases with 10 characters or greater become extremely difficult to crack during a password’s life span, and pass-phrases of 14 characters or greater are astronomically difficult to crack. Even the shortest example pass-phrase above is greater than 14 characters. Information Technology highly recommends the use of a pass-phrase as your password!
Note: Do not use the example pass-phrases provided above. Be creative!
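The complexity rules above (minimum length by privilege level, three of four character sets, no repeated runs, no personal information) and the pass-phrase examples can be checked mechanically. The following Python checker is an added example written for this page; it is not California Western's or Microsoft's code, the rule thresholds are read off the policy text, and the personal-information terms passed in are assumed to come from the user's directory record. It treats embedded spaces as permitted but not as one of the four character sets, which matches the note under rule 2.

```python
import re
import string

# Thresholds taken from the policy text on this page.
MIN_LEN_GENERAL = 8      # rule 1, general users
MIN_LEN_PRIVILEGED = 10  # rule 1, administrators and other elevated accounts
MIN_CLASSES = 3          # rule 2, at least three of the four character sets
MAX_RUN = 3              # rule 5, "4444" and "jjj" are runs of 3 or more


def character_classes(password):
    """Return the set of character sets present: lower, upper, digit, symbol.

    Spaces and other characters outside the four sets are allowed (rule 2 note)
    but do not count toward the three-of-four requirement.
    """
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def has_repeated_run(password, run_length=MAX_RUN):
    """True if any single character repeats run_length or more times in a row."""
    pattern = r"(.)\1{%d,}" % (run_length - 1)
    return re.search(pattern, password) is not None


def contains_personal_info(password, personal_terms):
    """Return the personal terms (name, userID, birth year, ...) found in the password.

    Terms shorter than three characters are skipped so that initials do not
    produce spurious matches; the comparison is case-insensitive.
    """
    lowered = password.lower()
    return [t for t in personal_terms if len(t) >= 3 and t.lower() in lowered]


def check_password(password, privileged=False, personal_terms=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms is assumed to be supplied by the caller from the user's
    directory record (name, userID, phone number, and similar).
    """
    problems = []

    min_len = MIN_LEN_PRIVILEGED if privileged else MIN_LEN_GENERAL
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(
            f"uses only {len(classes)} of 4 character sets: {sorted(classes)}")

    if has_repeated_run(password):
        problems.append("contains a run of 3 or more repeated characters")

    hits = contains_personal_info(password, personal_terms)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))

    return problems


if __name__ == "__main__":
    # The pass-phrases listed on this page, checked against the rules above.
    for phrase in ["I love my puppy!!!", "We won the game!", "Stars in the sky*",
                   "Time for sushi & beer", "Sunset at the beach!"]:
        print(repr(phrase), "->", check_password(phrase) or "OK")
```

Running the checker over the page's own sample pass-phrases shows one interaction worth deciding on before enforcing the rules: "I love my puppy!!!" satisfies length and the three-of-four rule, but the trailing "!!!" is a run of three identical characters, so a literal reading of rule 5 rejects it. Whether the repeated-character rule applies to punctuation as well as to letters and digits is a choice the deployment has to make explicitly; the checker above applies it to every character. Reuse against previous passwords (rule 3) is not implemented here, because that comparison belongs in the directory service against stored password hashes rather than in a client-side check that would need the old passwords in clear text.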
Practical Strategies for Protecting Passwords
- All passwords should be treated as confidential CWSL information.
- Do not use a password on campus that you use for non-campus access. Your CWSL login password should be unique from every other password you use.
- Do not share your passwords with anyone, including supervisors, administrative assistants, consultants, and technology service providers.
- Never ask someone else to give you his or her password.
- Any and all passwords known to a temporary employee must be changed immediately upon termination of employment with California Western, or upon relocation of the temporary employee to another department.
- Information Technology will never send you an email message asking for your password. If you ever receive such a request, consider it a forgery (i.e. a phishing scam). Disregard any such messages you may receive.
- Do not write passwords down or store them anywhere in your office. Do not store passwords in a file on any computer system (including PDAs or similar devices) without using strong encryption.
- Be mindful of who is around you or looking over your shoulder when typing your password.
- Do not use sample passwords, such as the ones included in this guide.
- You are responsible for the security of your password(s), and you are accountable for any misuse if they are guessed, disclosed, or compromised.
- If you suspect your account or password has been compromised, report the incident to Information Technology and change your password immediately. You can change your Windows logon password yourself at any time by using the Ctrl-Alt-Del key sequence. You do not need to wait until you are prompted to change your password!
- For systems and applications that have a maximum password length of less than eight characters, that maximum length should be used as the minimum accepted password length.
- Some systems do not allow passwords with embedded space characters. Windows logon passwords do allow these characters, as well as any others, and you are encouraged to use these characters in your password(s) wherever possible.
Tips and Recommendations
The following tips and recommendations can help you ease your transition to the new password policy:
- Learn to change your password at a time convenient for you! For example, change it prior to each trimester, or before a leave of absence or sabbatical. Doing so will greatly reduce the likelihood that you will need to contend with changing your password while traveling or during a busy phase of a trimester.
- Use pass-phrases! As mentioned previously, these make it easy to comply with complexity requirements while keeping it easy to remember and type.
- Avoid creating passwords based on a single theme. This is a common problem. When choosing a new password (or pass-phrase), create a completely different, unrelated password each time. For example, if your pass-phrase is Follow the leader!, then you change it to Following the leader!, then Follow the leaders!, then Follow the leader!!, it can become more difficult to remember what your password actually is. On the other hand, if you create a completely new and unique password each time, you will not become confused with previous, similar passwords.
Why A Strong Password Policy is Necessary
The Internet is becoming an increasingly hostile environment in which to conduct business. In addition to worms, viruses, malware, spyware, and other types of intrusion attempts, password attacks on businesses and academic institutions are becoming more frequent and more sophisticated. Attackers can use programs that attempt to break a password with very little effort on the attacker's part. These are known as dictionary attacks and brute force attacks. However, these types of password attacks become exponentially more difficult to perform as the length and complexity of a password grows. Therefore, by establishing a reasonable password complexity standard we can significantly decrease the likelihood of successful password attacks using the aforementioned methods.
Another method that an attacker may use to gain knowledge of a password is through the tactic known as social engineering. This refers to the non-technical method of creating a scenario in which the victim freely gives his or her password to the “hacker”. A classic example of this tactic is for the hacker to send a “forged” email claiming to be a system administrator. The hacker will claim to need your password for some important system administration work, and ask you to email it to him/her. Often the hacker will send this message to every user on a system, hoping that one or two users will fall for the trick. Educating the user community and establishing some guidelines for password privacy will help to protect against these types of exploits.
If a password is somehow compromised, the last line of defense is a password aging policy that will render the password useless after a pre-determined period of time. The idea behind password aging is that a password is less likely to be compromised if it is changed regularly, or that the exposure from such a compromise will be reduced. A shorter password lifespan also reduces the exposure to prolonged password attacks and social engineering tactics.
Gaining knowledge of a password is the most common method that hackers use to compromise security and access confidential information. Preventing password compromise begins with establishing a strong, enforceable password policy.
A strong password policy is a fundamental component of the security equation. The preceding concepts along with currently accepted security “best practices” guidelines have been used to create this password policy for the California Western computer network.