Password Policies and Guidelines

Overview
The protection of confidential student information and other sensitive data on our network is a fundamental responsibility of every employee at California Western. Passwords are the keys that control access to this information. Consistent with widely accepted best practices, California Western has a password policy to ensure that only the user (you!) knows his or her own password. The purpose of this policy is to reinforce information security by establishing a strong but reasonable password management practice that follows common guidelines recommended by security professionals.

What this password policy means for you:

Password Complexity Requirements and Policies
1. Passwords shall be a minimum of eight characters in length for general users, and a minimum of 10 characters for users with elevated privileges (network, server, and database administrators, etc.).

2. Passwords shall consist of at least three of the following four character sets:

3. Passwords shall be changed every 180 days (6 months).
4. Passwords must be unique for all password protected areas. Do not use the same password for different areas (e.g. computer systems, applications, personal accounts, etc.).

5. Passwords that are based on your name, userID, birthdates, addresses, phone numbers, relatives’ names, pets, or any other personal information are not allowed. Also, do not use repetitive characters (e.g. “4444” or “jjj”, etc.) in your password.
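The following checker is an added example (not a tool provided by California Western) that applies requirements 1, 2, 3 and 5 above to a candidate password. It assumes the four character sets are uppercase letters, lowercase letters, digits and punctuation, which the policy text does not spell out, and it treats a run of three or more identical characters as "repetitive".

```python
import re
import string
from datetime import date

GENERAL_MIN_LEN = 8       # requirement 1, general users
PRIVILEGED_MIN_LEN = 10   # requirement 1, elevated privileges
MAX_AGE_DAYS = 180        # requirement 3

# Assumption: the policy does not list the four sets; these are the usual ones.
CHARACTER_SETS = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def character_sets_used(password):
    """Names of the character sets that appear at least once in the password."""
    chars = set(password)
    return [name for name, members in CHARACTER_SETS.items() if chars & members]


def has_repeated_run(password, run_length=3):
    """True if the same character repeats run_length or more times in a row ("4444", "jjj")."""
    return re.search(r"(.)\1{%d,}" % (run_length - 1), password) is not None


def contains_personal_info(password, personal_terms):
    """Personal terms (name, userID, pet, ...) found inside the password, case-insensitively."""
    lowered = password.lower()
    return [term for term in personal_terms if len(term) >= 3 and term.lower() in lowered]


def check_password(password, privileged=False, personal_terms=()):
    """Return a list of policy violations; an empty list means the password complies."""
    violations = []
    min_len = PRIVILEGED_MIN_LEN if privileged else GENERAL_MIN_LEN
    if len(password) < min_len:
        violations.append(f"shorter than {min_len} characters")
    if len(character_sets_used(password)) < 3:
        violations.append("uses fewer than three of the four character sets")
    if has_repeated_run(password):
        violations.append("contains a run of repeated characters")
    found = contains_personal_info(password, personal_terms)
    if found:
        violations.append("contains personal information: " + ", ".join(found))
    return violations


def password_expired(last_changed, today):
    """Requirement 3: a password older than MAX_AGE_DAYS must be changed."""
    return (today - last_changed).days > MAX_AGE_DAYS
```

Requirement 4 (uniqueness across systems) cannot be verified by a single system and is left to the user.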
How to Select Strong AND Easily Remembered Passwords

The best password is one that is a) easy to remember and type (so you are not tempted to write it down somewhere), and b) difficult to crack. Unfortunately, with traditional passwords those two criteria tend to work against each other. Current best-practice security and password standards recommend the use of a pass-phrase rather than the traditional one-word password. A pass-phrase can be extremely easy to remember and quick to type, yet extremely difficult to crack. For example, consider the following pass-phrases:
These pass-phrases are easy to conceive, easy to remember and type (since they can be constructed from real words you commonly use and type), and they satisfy the aforementioned password complexity requirements. Most importantly, although they appear to be simple sentences, they are extremely difficult to compromise with password-cracking software due to the number and diversity of characters. Studies have demonstrated that pass-phrases with 10 characters or greater become extremely difficult to crack during a password’s life span, and pass-phrases of 14 characters or greater are astronomically difficult to crack. Even the shortest example pass-phrase above is greater than 14 characters. Information Technology highly recommends the use of a pass-phrase as your password!

Note: Do not use the example pass-phrases provided above. Be creative!

Practical Strategies for Protecting Passwords
Exceptions
Tips and Recommendations

The following tips and recommendations can help you ease your transition to the new password policy:

Why A Strong Password Policy is Necessary

Password Attacks
The Internet is becoming an increasingly hostile environment in which to conduct business. In addition to worms, viruses, malware, spyware, and other types of intrusion attempts, password attacks on businesses and academic institutions are becoming more frequent and more sophisticated. Attackers can use programs that attempt to break a password with very little effort on the attacker's part; these are known as dictionary attacks and brute-force attacks. However, these types of password attacks become exponentially more difficult to perform as the length and complexity of a password grow. Therefore, by establishing a reasonable password complexity standard we can significantly decrease the likelihood of successful password attacks using the aforementioned methods.

Password Privacy
Another method that an attacker may use to gain knowledge of a password is through the tactic known as social engineering. This refers to the non-technical method of creating a scenario in which the victim freely gives his or her password to the “hacker”. A classic example of this tactic is for the hacker to send a “forged” email claiming to be a system administrator. The hacker will claim to need your password for some important system administration work, and ask you to email it to him/her. Often the hacker will send this message to every user on a system, hoping that one or two users will fall for the trick. Educating the user community and establishing some guidelines for password privacy will help to protect against these types of exploits.

Password Aging
If a password is somehow compromised, the last line of defense is a password aging policy that will render the password useless after a pre-determined period of time. The idea behind password aging is that a password is less likely to be compromised if it is changed regularly, or that the exposure from such a compromise will be reduced. A shorter password lifespan also reduces the exposure to prolonged password attacks and social engineering tactics.

Summary

Gaining knowledge of a password is the most common method that hackers use to compromise security and access confidential information. Preventing password compromise begins with establishing a strong, enforceable password policy.

A strong password policy is a fundamental component of the security equation. The preceding concepts along with currently accepted security “best practices” guidelines have been used to create this password policy for the California Western computer network.