All University electronic resources require some form of authentication and/or authorisation to protect against misuse either by malicious intent or by accident and to conform to copyright, licensing and privacy regulations.
The term password is used as a generic term for a challenge response known only to an individual or a restricted set of individuals, serving as proof of authorisation to access a particular resource.
Passwords are one form of user authentication that can provide a level of security to electronic resources.
Passwords are generated for either a single access or for multiple use by an authorised individual to a specific resource or service.
A password may be a PIN (Personal Identification Number) or a passphrase made from a series of keyboard characters.
User passwords are passwords for use by an individual to obtain access as an individual.
Group passwords are for use by a restricted group of individuals to access a resource, and only when the system does not allow a password to be issued to each individual. Unless otherwise stated, group passwords are to be treated as if they were user passwords.
Administrative passwords are custodial passwords used for the administration of a computer system or service.
Procedures
University Responsibilities
The University, through the Division of Information and the IT Security Officer, is responsible for:
- Educating users on the appropriate use of passwords.
- Ensuring centrally managed systems are configured to enforce password controls where available and comply with this policy.
- Periodically checking the integrity of passwords on all centrally managed systems.
- Conducting periodic audits of areas to ensure compliance.
User Responsibilities
Deans, Directors of Schools and Heads of Departments are responsible for:
- Setting guidelines for account creation and removal from locally administered computing resources.
- Ensuring System Administrators, IT Managers and Local IT Support staff manage computer systems to comply with this policy.
System Administrators, IT Managers and Local IT Support staff are responsible for:
- Educating local users on the appropriate use of passwords.
- Configuring systems to enforce compliance with this policy.
- Ensuring administrative passwords are maintained in accordance with this policy.
Authorised users are responsible for ensuring they manage and choose passwords in accordance with this policy.
Password Policy Standards
1. Initial Password Generation
All initial passwords must be generated randomly.
User passwords must not be retained by administrative staff and may only be used by the intended user.
When issued with a new password, users must change the issued password immediately following the first logon.
User accounts not used within the set time frame following a password issue must be disabled in accordance with this policy.
2. Unique passwords
Users should not synchronise passwords across disparate systems where the accepted level of security on those systems varies.
System administrators should only synchronise user passwords, through single sign on systems or via host trust relationships, where those systems meet shared minimum accepted levels of security and account management procedures.
User accounts that have system-level privileges granted through group memberships or similar associations should have a unique password from all other accounts held by that user.
Additionally, system administrators must ensure unique administrative passwords across systems and services under their direct control.
3. Storage of Passwords
User passwords must only be recorded upon initial generation. Only one copy may be made and this is to be provided directly to the owner of the password. With the exception of mailing list management, passwords must not be sent by electronic mail.
Users must commit their passwords to memory.
Storing of passwords or password equivalents for use by an application is not recommended but is acceptable provided that the computer system is appropriately secured and only the authorised user can access that application.
Where possible, passwords on computer systems must be stored in a hashed/encrypted fashion and must only be transmitted over open networks in an encrypted format.
Administrative passwords must be stored in a secure location with audited, restricted access.
4. Frequency of Password Updates
User passwords must be changed in accordance with the published account management guidelines for the system/service that they are accessing.
Group passwords should be changed whenever a member of the group leaves the group or at least as often as a user password.
All administrative passwords and passwords for accounts with system-level privileges must be changed more frequently than passwords for non-privileged accounts.
Passwords believed to have been compromised must be changed immediately, and the matter must be reported to the staff member's supervisor in accordance with the IT Security Policy.
5. Confidentiality of Passwords
User passwords must not be disclosed to anyone other than the password owner under any circumstances. This includes sharing user passwords with supervisors or colleagues.
Users are to note that technical staff should never ask for passwords to be provided to them. In the event that this does occur, the matter should be reported to IT Security.
Group passwords must only be disclosed to individuals who have been authorised to access a particular electronic resource or service as part of that group.
Administrative passwords should be managed to ensure appropriate confidentiality.
6. Password Resets
Requests for user password resets require suitable proof of identity to be obtained and confirmed before the reset is actioned. Suitable proof of identity for password resets may include:
- A photo ID
- Department or supervisor identification
- Satisfactory challenge-responses in an institutionally approved challenge-response self-service application.
All password resets must generate an auditable log recording, at a minimum, the date, time, account name and who effected the reset.
Password resets must additionally conform to the same controls as set out for initial password generation (section 3.1).
7. Password Management controls
Where the system permits, passwords will meet the account management guidelines as a minimum standard.
Systems which require more stringent password management controls will publish those guidelines to users of that system directly at the time the account is issued and on at least an annual basis.
Breaches of the Policy
Breaches of the password policy will be classified as a breach of the University's IT Security Policy and will be managed accordingly.
Reference Documents
The following documents are related to this policy and should be read in conjunction with this policy to provide clarification and direction.
- Password selection and Protection guidelines
- Account management guidelines
The password selection and account management guidelines are subject to regular review and amendments as approved by the Information Infrastructure Security Coordination Group.