Password Policy

This Policy has been compiled to define the base level Password requirements for use within Dublin City University (DCU). The policy demonstrates DCU’s commitment to information security and its proactive approach for addressing risks within the campus.

One of the vital components for an organisation to operate a secure and controlled information systems environment is the deployment of approved security mechanisms that support its security services (identification and authentication, access control, data integrity and confidentiality). One of the key mechanisms is the definition and implementation of a uniform Password Policy throughout the organisation. Any deviation from the Password Policy defined herein, will require prior written approval of the Director of Information Systems Services (ISS).

The Password Policy applies to all accounts used to access DCU ICT resources. The Password Requirements defined in this document apply to all systems that have the facilities to cater for them. Where systems do not have the facilities to cater for the Password Requirements then alternative requirements, on a case by case basis, can be implemented with the prior approval of the Director of Information Systems Services.

Whereas this Password Policy document is owned by the University, it will be maintained by the Director of Information Systems Services in consultation with the IS Governance Committee and other relevant areas within DCU.

The custodians of individual systems, servers, workstations, desktops and other devices are responsible for the enforcement of the Password Policy.

Minimum Password Length

Passwords should be easy to remember but hard to guess, so passphrases should be used instead of traditional passwords. The length of passwords must always be checked automatically at the time that users construct or select them. All passwords must have at least fourteen

(14) characters.

Passwords Must Not Be Reused

Users must not construct passwords, which are identical or substantially similar to passwords that they had previously employed. On all multi- user machines, system software or locally developed software must be used to maintain an encrypted history of previous fixed passwords. This history file must be employed to prevent users from reusing fixed passwords. The history file must minimally contain the last four (4) passwords for each user-ID.

Password Expiration

Password expiration should be enforced on all accounts. The expiration period for user passwords should be set to 12 months after which the user should be forced to change the password before any other work can be performed.

Consecutive Unsuccessful Login Attempts

To   prevent password guessing attacks, the     number  of consecutive attempts to enter an incorrect password must be strictly limited. After five

(5) unsuccessful login attempts, the account must be locked for at least one hour or until it is reset by a system administrator.

Difficult-To-Guess Passwords

All user-chosen passwords for computers and networks must be difficult to guess. Derivatives of user-IDs, and common character sequences such as "123456" must not be employed. Likewise, personal details such as spouse's name, vehicle license plate, PPS or social security number and birthday must not be used unless accompanied by additional unrelated characters.

Cyclical Passwords

Users are prohibited from constructing fixed passwords by combining a set of characters that do not change, with a set of characters that predictably change. In these prohibited passwords, characters that change are typically based on the month, a department, a project, or some other easily-guessed factor. For example, users must not employ passwords like "X34JAN" in January, "X34FEB" in February, etc.

System-Generated Passwords

If system-generated passwords are used, they must be generated using the low order bits of system clock time or some other frequently changing unpredictable source.

Storage of System-Generated Passwords

If passwords or Personal Identification Numbers (PINs) are generated by a computer system, they must always be issued immediately after they are generated. Regardless of the form they take, un-issued passwords and PINs must never be stored on the involved computer systems.

Assignment of Expired Passwords

The initial passwords issued by a security administrator must be valid only for the involved user's first on-line session. At that time, the user must be forced to choose another password before any other work can be performed.

Password-Based Boot Protection

All workstations, no matter where they are located, must use an access control system approved by the ISS. In most cases, this will involve screen-savers with fixed-password-based boot protection along with a time-out-after-no-activity feature.

Display and Printing of Passwords

The display and printing of passwords should be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them. This includes, and is not limited to, passwords written on a piece of paper, where the paper might or might not be stored in a secure (under the keyboard, inside a drawer, in purse or wallet, etc.) location.

Protection of Passwords Sent Through the Mail

If sent by regular mail, e-mail or similar physical distribution systems, passwords must be sent separately from user-IDs. These mailings must have no markings indicating the nature of the enclosure. Passwords must also be concealed inside an opaque envelope that will readily reveal tampering.

Encryption of Passwords

Passwords must always be encrypted (non-clear text) when held in storage for any period of time (backup media, batch files, automatic log- in scripts, software macros, etc.) or when transmitted over networks. This will prevent them from being disclosed to wire-tapers, technical staff who are reading systems logs, and other unauthorised parties. Passwords assigned by an administrator for a particular account (initial account creation, or password resets for existing accounts) and systems used for account management are excluded from this specific requirement.

Prevention of Password Retrieval

Computer and communication systems must be designed, tested, and controlled so as to prevent both the retrieval of, and unauthorised use of stored passwords, whether the passwords appear in encrypted or unencrypted form.

Incorporation of Passwords into Software

To allow passwords to be changed when needed, passwords should not be hard-coded (incorporated) into software developed or modified by DCU employees or third parties.

System Access Control with Individualized Passwords

Computer and communication system access control must be achieved via passwords, which are unique to each individual user. Access control to files, databases, computers, and other system resources via shared passwords (also called lockwords) is prohibited, unless permission is obtained from the Director of Information Systems Services who will consult with relevant members of staff.

Passwords for each internal/external Network Device

All DCU network devices (routers, firewalls, access control servers, etc.) should  have  passwords  or  other  access  control  mechanisms.  A compromise in the security of one device, will therefore not automatically lead to a compromise in other devices.

Changing Vendor Default Passwords

All vendor-supplied default passwords must be changed before any computer or communications system is used for DCU business operations.

Suspected Disclosure Forces Password Changes

All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed to unauthorised parties.

Password Sharing Prohibition

Regardless of the circumstances, passwords must never be shared or revealed to anyone else besides the authorised user. To do so exposes the authorised user to responsibility for the actions that the other party takes with the password.

Password for personal use only

Users are responsible for all activity performed with their personal user- IDs. User-IDs may not be utilised by anyone but the individuals to whom they have been issued.

Users must not allow others to perform any activity with their user-IDs. Similarly, users are forbidden from performing any activity with IDs belonging to other users (excepting anonymous user-IDs like "guest").

Disclosure of incorrect log-in information

When logging into a DCU computer or data communications system, if any part of the log-in sequence is incorrect, the user must not be given specific feedback indicating the source of the problem. Instead, the user must simply be informed that the entire login process was incorrect.

Users should be familiar and comply with the following related documents;

1. Remote Access Policy
2. Network Connectivity Policy
3. Mobile Computing Policy
4. ICT Security Policy

For further details on any aspect of this policy, please contact: Director, Information Systems Services Tel: 01-7008496