Policy Owner: Senior Sys-Admin
No employee password should be used for more than 365 days. When a password has reached this age, it must be discarded and replaced by a new one. This affects workstations, workspace logins, wiki logins, etc. This policy is in place to align ourselves with the UK's Cyber Security Protocols.
Passwords must be complex. Pass-phrases -- passwords made up of several words -- are recommended.
If you can setup two-factor-authentication (e.g. where a code is sent to your phone as part of the login) -- do so!
The requirements are based on password length:
- 8-11: mixed case letters, numbers, & symbols
- 12-15: mixed case letters & numbers
- 16-19: mixed case letters
- 20+: no restrictions
Passwords must only use ASCII characters (no unicode).
Passwords must not:
- Be based on obvious facts which an attacker could learn about you, such as your name, your DOB, your child's name, etc.
- Be reused -- each system should have a separate password.
- Be a single word that appears in the dictionary (English or non-English), even with some letters changed into symbols.
If you have trouble remembering a longer password, write it down on a piece of paper, put the paper in your wallet, and use the same caution with it as you would with a credit card.
The use of secure password managers is allowed -- KeePass2 or LastPass are recommended. If you use a password manager, you must be extra careful with the master password, and you must setup a form of 2-factor authentication.
A pass phrase is basically just a series of words, which can include spaces, that you employ instead of a single pass "word." Pass phrases should be at least 16 to 25 characters in length (spaces count as characters), but no less. Longer is better because, though pass phrases look simple, the increased length provides so many possible permutations that a standard password-cracking program will not be effective. It is always a good thing to disguise that simplicity by throwing in elements of weirdness, nonsense, or randomness. Here, for example, are a couple pass phrase candidates:
pizza with crispy spaniels mangled persimmon therapy
Toss in some punctuation, capitals, and some deliberately misspelled words, and you'll create an almost unguessable key to your account -- but which is still easy for you to remember:
Pizza, w 6 krispy Spaniels! Mangled persimmon Th3rapy?
Reference: Stanford University Password Policy, http://itservices.stanford.edu/service/accounts/passwords
Email security is vital, because most password reminder/reset services work via email. Hence if an attacker gains access to your email, they can attack many other systems.
When using sensitive systems: log-out when done, or if leaving the system unattended.
Several systems are protected by SSH key instead of passwords.
- Do not keep a copy of your SSH key on removable media (e.g. a pen drive).
- Do not allow anyone else to use your SSH key.
If you have any suspicion that a password or SSH key has become compromised: notify support, and change the password.