SEC-GDL-003 University Account Passwords

Introduction

These guidelines support the University’s Information Security Policy Set and explain why passwords need to meet the complexity that the University requires.

Why do we need passwords?

The University has internal systems which record confidential data about its staff and students, for example emergency contact details and home addresses.

The University provides staff and students access to a wealth of informational resources that cost a significant amount of money to subscribe to.

The University plays a major part in worldwide research projects.  The information stored and produced may be confidential or sensitive in nature and needs protecting until it is ready to be published.

The information that is categorised as being Standard (not available to the public) or Restricted (only available to named users) can be protected in a number of ways, but presently this is performed by the use of an Active Directory (computing account) and an associated password to verify that the user is who they say they are.

Are there any alternatives to passwords?

Yes, there are, but unfortunately the University is not currently able to implement a solution that provides two-factor authentication (something you have combined with something you are or something you know), for example a one-time token together with a fingerprint.

Biometrics

Many mobile devices now have the ability to use biometric functions to log you in; for example, the University (Toshiba) laptops all allow users to log in with a user-defined fingerprint.  In effect, the stored password is substituted in the background when the fingerprint matches.  This is still a marked improvement on typing in a password multiple times a day.  It is not an approved University solution at this time, and if you choose to use it to log on to your own computer, you do so at your own risk.

Installing fingerprint or smart card readers on all University computing equipment, for example alongside open access devices, would cost a substantial amount to implement; rest assured, the University will continue to provide the most suitable and secure solution for its end users whenever a change becomes available.

Why are passwords so complex?

The University is a prime target for phishing attacks, which are instigated with the intention of acquiring a user’s account login and password for malicious use; the account details may also be published online for subsequent use.  Further information about how to identify a phishing email is available in the SEC-GDL-005-Anatomy of a Phishing Email document.  If users don’t respond to a phishing email, there are a number of other methods that a malicious user can use to break an authorised user’s password.  These include trying the most common passwords disclosed on the Internet, or a dictionary attack: a known list of words is looped through repeatedly, with each word tried together with the user’s login ID in an attempt to access systems.

Security audits are carried out periodically and recommend industry best practice for various measures.  Using a combination of upper and lower case letters, numbers and special characters significantly lengthens the time a computer needs to produce the right combination to crack a user’s password.

Why can’t I re-use a password that I’ve used before?

Because of phishing attacks and the publishing of details on the Internet, if a user were to change their password every six months and after eighteen months change it back to its original form, that original password may still be presented on a web page.  This gives malicious users instant access to try those credentials against your account once more and propagate further attacks or carry out other actions without your knowledge.

Password guidance

Here are ten top tips for creating a really secure password:

1. Don’t duplicate passwords

If your university account were to be compromised, it wouldn’t take much to try that password against online banking (or commercial) sites, which may provide a more substantial reward to the malicious user.

2. Do not use a password that you have found online

If it is published online, it can easily be incorporated into a malicious software program that tries a brute force attack to compromise further accounts.

3. Do not use a password that can be easily guessed from Social Media sites

Avoid using dates of birth or family or pet names, and consider what you may have posted on Facebook, LinkedIn, Twitter etc. that is publicly accessible, and who can access it.

4. Don’t use anything personal that can be attributed to you

This is an extension of number three: whether or not you have published it on social media, someone can still overhear a nickname that you are called, see you getting into a car with a particular licence plate, or easily find your address through online sites.

5. Do not give out your password over the phone

Be sceptical if you get a call asking for a password.  The University will never need to log into resources as you, and if there is a problem with your account, it is easier to create a new password on your behalf for you to change after the call.

6. Never share your password

An extension of number five: even with close colleagues, friends or family, you should never disclose your password to another user.  They could write it down or make a note of it, and if their account were subsequently compromised, your account could be too.

7. Avoid using keyboard sequences

For example, qwerty, 12345 and asd are patterns that a lot of people use in their passwords, because patterns are easier to remember than complicated passwords.

8. Consider using a passphrase

An extension of number seven, passphrases can use a memorable quote from a film, a book, a song or something similar.  For example, “Some people feel the rain, while others get wet” could become “Spftr,w0gW”.  This is a non-dictionary word and contains the complexity to meet most requirements, including a length of greater than eight characters.

9. Consider using a few words, with character substitutions

While this may not be the most secure way of creating a password, it adds a layer of complexity; it can still be scripted in a computer program, but on the whole it may deter some malicious users.  For example, “I like cheese sandwiches” could become “1lIkech33s3s@wich3s”.  Please note that this is becoming less secure, as numeric substitutions are now being included in password cracking algorithms.

10. Consider using a password manager

There are plenty of password managers available, in either free or low-priced options.  The idea behind the application is that you only have to remember one really strong password (as it protects the keys to the rest of your kingdom).  The applications can often generate really complicated passwords that you won’t need to remember.

University password requirements

As a reminder, the current password complexity requirements are:

Length: Between 9 and 16 characters
Lowercase: At least 1 lowercase character (a-z)
Uppercase: At least 1 uppercase character (A-Z)
Numeric: At least 1 numeric character (0-9)
Special: At least one of twelve approved special characters ( _ $ % ! - ' . ^ ( ) { } )
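As an added example (not part of the guideline), the following Python checker applies the complexity requirements above and the weakness heuristics from tips 7 and 9: it undoes common digit and symbol substitutions before looking for dictionary words, which is exactly why tip 9 warns that substitution alone is becoming less secure. The word list, keyboard runs and substitution table are constructed for illustration; a real checker would use a large dictionary and breach list.

```python
import re

# Rules as stated in the guideline: 9-16 characters, at least one lowercase,
# uppercase and digit, and one of the twelve approved special characters.
MIN_LEN, MAX_LEN = 9, 16
APPROVED_SPECIALS = set("_$%!-'.^(){}")
# Constructed illustrative data (not from the guideline): a tiny word list and
# the keyboard runs tip 7 names. A real checker would use a large dictionary.
DICTIONARY = ("sandwiches", "password", "cheese", "people", "like", "rain")
KEYBOARD_RUNS = ("qwerty", "12345", "asd")
# Substitutions that cracking tools undo (tip 9), mapped back to letters.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s"})

def complexity_failures(pw: str) -> list[str]:
    """Return the guideline rules that pw fails (empty list means compliant)."""
    fails = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        fails.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    for pattern, msg in ((r"[a-z]", "needs a lowercase letter"),
                         (r"[A-Z]", "needs an uppercase letter"),
                         (r"[0-9]", "needs a digit")):
        if not re.search(pattern, pw):
            fails.append(msg)
    if not any(c in APPROVED_SPECIALS for c in pw):
        fails.append("needs an approved special character")
    # Anything that is neither alphanumeric nor on the approved list is rejected.
    unapproved = sorted({c for c in pw if not c.isalnum() and c not in APPROVED_SPECIALS})
    if unapproved:
        fails.append("unapproved characters: " + "".join(unapproved))
    return fails

def weakness_warnings(pw: str) -> list[str]:
    """Heuristic warnings for tips 7 and 9: keyboard runs and disguised words."""
    warns = []
    low = pw.lower()
    for run in KEYBOARD_RUNS:
        if run in low:
            warns.append(f"contains keyboard sequence '{run}'")
    # Undo digit/symbol substitutions first, so "ch33s3" is still seen as "cheese".
    normalised = low.translate(UNLEET)
    for word in DICTIONARY:
        if word in normalised:
            warns.append(f"contains dictionary word '{word}' once substitutions are undone")
    return warns

def acceptable(pw: str) -> bool:
    """True only when pw meets every rule and triggers no weakness warning."""
    return not complexity_failures(pw) and not weakness_warnings(pw)
```

Note that the guideline’s own passphrase example “Spftr,w0gW” is rejected by the checker, because the comma is not one of the twelve approved special characters.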

Finally, don’t use any password in this document – as it is published online.


Author: Paul Ferrier
Date: 30/10/2014
Version: 0.92
Document Security Level: PUBLIC
Document Approvals:
Technical Architecture Group: 12/08/2014
Enterprise Architecture Practice: August 2014
Enterprise Architecture Board: 22/09/2014
Review Date: November 2015
