General
The policy below was established
to create a minimum standard for user IDs and passwords. This policy applies
to all departments and divisions within West Chester University.
Policy
Departments will implement
the following access controls to standardize user IDs and passwords in all computer
systems and application environments (including desktops, notebooks, LANs, and networks).
If a department is unable
to comply with this policy, the respective Director/Department Chair must provide
a written explanation and plan for resolution to the Vice President of Information
Services.
In addition, if a department
is not able to comply with any part of this policy, and wishes to request an exemption,
this explanation and request must also be forwarded to the VP of Information Services.
A response will be given to all department inquiries within 10 days of receipt.
User IDs: Must be unique and identifiable by user.
- Deletions - Once a user ID is deleted, it cannot
be re-issued.
- Historical Record - Each department must maintain
a historical record of all user IDs issued. This record must identify the person
associated with the user ID, and the timeframe during which the user ID is/was valid.
- Expiration Days - User IDs that are inactive for
180 consecutive days should be deleted or disabled from the security system.
- Access Attempts - User IDs should be disabled after
a maximum of 5 consecutive invalid access attempts, with 3 attempts being the
preferred limit.
- Inactivity Timeout - Workstations should be LOCKED
after a specific period of inactivity (15 minutes). Users will always need
to enter their password manually to unlock their workstation. For purposes
of security, employees must not attempt to add their passwords to the autoexec.bat
file, or any other batch file or program.
- Disclaimer - A disclaimer should:
  - List, or refer to, a WCU employee's responsibilities
  relative to the use of the password, WCU information accessed, and equipment
  used (PCs or other information technology equipment).
  - Indicate that passwords and data are confidential.
  - Include a signature line for the user. All users
  must sign the disclaimer(s) to acknowledge their responsibilities.
PASSWORDS: Must be comprised of a minimum of 8 alphanumeric characters.
- Source - It is preferred that departments issue
system-generated (or third-party software generated) passwords, and avoid the
use of a proper name or term that can be easily associated with the individual.
- Change Interval - Passwords must be changed by
the user every 90 days. Also, users must be able to change their
password in the event that they believe it has been compromised; however, the
system should limit changes to no more than once per day.
- # of Prior Passwords - The system should retain
a minimum of 3 prior passwords (where technically feasible) to prevent the re-use
of prior passwords.
System Access Control – normally related to networked applications
End-User Passwords
Users must choose passwords
that are difficult to guess. Passwords must NOT be related to one's job or personal
life. Do not use a car license plate number, a spouse's name, or fragments of an
address. Passwords must not be a word found in the dictionary. In addition, proper
names, places, technical terms, and slang must not be used. Where available, systems
software must block and prevent usage of easily guessed passwords.
Users should apply techniques such as the following
to choose passwords that are difficult for unauthorized parties to
guess:
- String several words together
(the resulting passwords are also known as "pass-phrases").
- Shift a word up, down, left, or right one row
on the keyboard.
- Bump characters in a word a certain number of
letters up or down the alphabet.
- Transform a regular word according to a specific
method, such as making every other letter a number reflecting its position in
the word.
- Combine punctuation or numbers with a regular
word.
- Create acronyms from words in a song, a poem,
or another known sequence of words.
- Deliberately misspell a word (but not a common
misspelling).
Users must not construct passwords
that are identical (or substantially similar to) passwords they have previously
employed. Where available, systems software must block and prevent password reuse.
Users must not construct passwords
using a basic sequence of characters that is then partially changed based on the
date or some other predictable factor. For example, users must NOT employ passwords
like "X34JAN" in January, "X34FEB" in February, etc.
Readable form passwords must
not be stored in batch files, automatic login scripts, software macros, terminal
function keys, in computers without access control, or in other locations where
unauthorized persons might discover them. Passwords must be assigned to specific
authorized users and not accessible by anyone other than the authorized user.
Non-repudiation depends on the unavailability of a password to anyone other than
the authorized user. Administrator passwords can be archived in a secured
location with access limited to only authorized users.
Passwords must not be written
down and left in a place where unauthorized persons might discover them except for
initial password assignment and password-reset situations. If there is reason to
believe that a password has been disclosed to someone other than the authorized
user, the password must be immediately changed.
Passwords must never be shared
or revealed to anyone else besides the authorized user regardless of the circumstances.
Revealing a password exposes the authorized user to the responsibility for actions
that another party takes with the disclosed password. When users need to share computer
resident data, they should use electronic mail, public directories on local area
network servers, or other mechanisms.
This policy does not prevent
the use of default passwords--typically used for new user-ID assignment or password
reset situations--which are then immediately changed when the user next logs in
to the system.
All passwords must be immediately
changed if they are suspected of being disclosed, or are known to have been disclosed,
to anyone other than the authorized user.
Password System Set-Up
All computers permanently or
intermittently connected to WCU networks, including portable devices, must have
password access controls. Multi-user systems must employ unique user IDs and passwords,
as well as user privilege restriction mechanisms. Network-connected, single-user
systems must employ hardware or software mechanisms that control system booting
and include a no-activity screen blanker. Future technology providing the
same, or a greater, level of security as password access controls will be reviewed.
Computer and communication
system access control must be achieved via passwords that are unique to each individual
user. Shared passwords (also called "group passwords") are prohibited when the intent
is to access files, applications, databases, computers, networks, and other system
resources.
Systems software should be
used to mask, suppress, or otherwise obscure password fields to prevent the displaying
and printing of passwords. Additional precautions may be necessary to prevent unauthorized
parties from observing or recovering passwords.
Systems software should limit
validity of initial password(s) to the new user's first session log-on. At first
log-on, the user must be required to choose a new password. This same process applies
to the resetting of passwords.
All vendor-supplied default
passwords must be changed before any computer or communications system is connected
to a WCU network or used for WCU business. This policy applies to passwords associated
with end user IDs, as well as passwords associated with system administrator and
other privileged users.
Incorrect password attempts
must be strictly limited to prevent password-guessing attacks. Upon three (3) consecutive,
unsuccessful attempts to enter a password, the involved user ID must either be suspended
until reset by a system administrator or temporarily disabled for no less than three
(3) minutes. Where dial-up or other external network connections are involved, the
session must be disconnected.
Whenever there is a convincing
reason to believe that system security has been compromised, the involved system
administrator must immediately: (a) reassign all relevant passwords, and (b) require
all passwords on the involved system to be changed at the time of the next login.
If systems software does not provide the latter capability, a broadcast message
must be sent to all users instructing them to change their passwords. The Office of
Information Security should be contacted.
Whenever there is a convincing
reason to believe that system security has been compromised, a trusted version of
the operating system and all security-related software must be reloaded from trusted
storage media, such as CD-ROMs, magnetic tapes, or original source code floppy disks.
The involved system(s) must then be rebooted. Similarly, all changes to user privileges
that have taken effect since the time of a suspected system compromise must be reviewed
immediately by the system administrator for unauthorized modifications. The Office of
Information Security should be contacted.
Log-In/Log-Off Process
All users must be positively
identified prior to being able to use any multi-user computer or communications
system resource.
Positive user identification
for internal WCU networks involves both a unique user ID and password. The login
process for network-connected WCU computer systems must ask the user to log in,
providing prompts as needed. Specific information about the organization, the computer
operating system, the network configuration, or other internal matters must not
be displayed until a user has successfully provided both a valid user ID and a valid
password.
Positive identification for
dial-up access involves the use of hand-held tokens, cryptographic challenge/response,
or other approved extended user authentication techniques. The combination of a
user ID and a password does not provide sufficient security for dial-up connections
to WCU systems or networks. Therefore, modems attached to network-connected workstations
situated in WCU offices are forbidden, unless they are dedicated to
sending or receiving faxes, because they do not provide adequate positive user identification.
Modems connected to isolated computers (such as portable computers and home computers)
are permissible.
Positive identification for
users establishing external, real-time connections into WCU systems or networks
via value-added public networks, or any other external communications system, must
also involve sophisticated user authentication techniques.
Every login banner on multi-user
computers must present a special notice that includes:
- “The system is to be used only by authorized users.”
- “By continuing to use the system, the user represents
that he/she is an authorized user.”
- “The user agrees to being monitored by the WCU.”
If there has been no activity
on a computer terminal, workstation, or microcomputer for a certain period of time,
the system must automatically blank the screen and suspend the session. Re-establishment
of the session must take place only after the user has provided a valid password.
The recommended period of time is not to exceed fifteen minutes. An exception to
this policy will be made in those cases where the immediate area surrounding a system
is physically secured via cipher locks, secured-room badge readers, or similar technology.
Users are prohibited from logging
into any WCU system or network anonymously (for example, by using "guest" user IDs).
Users employing systems facilities that allow them to change the active user ID
to gain certain privileges must initially log in with a user ID that clearly indicates
their identity. On UNIX systems, users are prevented from initially logging in as
"root," and must log in using their own user ID.
Whatever the operating system,
logs must record all such changes of current user IDs. Electronic bulletin boards
or other systems where all regular users are anonymous may be a permissible exception
to this paragraph.
POLICY NO: IS-G-1.3
POLICY NAME: Minimum Standards for User IDs & Passwords