Passwords are the primary means of authenticating user access to ANU information services and systems. This procedure establishes the minimum standards for University system passwords and/or passphrases.
Definitions of terms used in this document are provided in the overarching Policy (Information Technology Security Policy).
- ANU is committed to ensuring appropriate security for all information technology, data, equipment, and processes within its domain of ownership and control.
- The University provides access to:
  - all authorised users within the University community
  - all network connecting devices authorised for connection, and that have been allocated an IP address within the University's IP Address range.
- Suspected or known security incidents must be reported to University Cyber and Digital Security and remediation is coordinated from that office.
- The University is responsible for:
  - providing and maintaining authorised users with access
  - suspending an authorised user's network access for breaches of policy, resulting from penalties or disciplinary action imposed under the Information Infrastructure and Services Rules 2014
- University responsibilities under this procedure vest in Information Technology Services.
- All information infrastructure systems must have an owner. A system owner is defined as the nominated position that has responsibility for the security of the data and application component of an information asset, and is accountable for those aspects of an information system. System owners should be a Service Division Director or in an equivalent management position.
- System owners are responsible for:
  - ensuring authorised users acknowledge and abide by all relevant ANU policies and related documents
  - ensuring users are provided with adequate training and support on the use of information infrastructure and the security of information assets
  - identifying and managing disaster recovery and business continuity requirements within their area
  - ensuring that risk management, including risk assessment and mitigation, and change management processes, are undertaken with respect to the information technology within their area.
- Authorised Users are responsible for:
  - observing and complying with all relevant policies, laws, regulations, and contractual obligations
  - complying with security and password requirements set out in the Password Procedure
  - maintaining an appropriate level of awareness and compliance with all relevant ANU policies.
- Passwords are the primary means of authenticating user access to ANU information services and systems. Passwords are selected and protected in a manner that maximises their effectiveness in protecting University information assets.
- Standard users are those users who do not have privileged (elevated) access to University systems.
- The use of the term password(s) in this document also includes passphrases(s).
- Standard user passwords must meet the following requirements:
  - Passwords must be a minimum of eight characters.
  - Passwords must include at least one character from each of at least three of the following groups: lowercase characters (a - z); uppercase characters (A - Z); digits (0 - 9); and punctuation and special characters.
  - Passwords must not contain: the account name in any form (as-is, reversed, capitalised, doubled, etc.); the user's first or last name in any form; the name of a person, pet, place, or inanimate object; simple patterns of letters on keyboards; words related to the University or work project; license plate numbers; date of birth; telephone numbers; or address details.
- Passwords used for University systems should not be reused for other systems or services.
- Privileged access or elevated access user passwords must meet the requirements for standard user passwords, and must include the following additional requirements:
  - passwords must be randomly generated
  - passwords must be longer than standard user passwords
  - administrative passwords must be managed to ensure appropriate confidentiality
  - privileged access and elevated access user passwords must be changed every 40 (forty) days.
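As an added illustration, not part of the ANU procedure itself, the following Python check implements the standard-user composition rules above (minimum length, three of four character groups, no account name or personal name in as-is, reversed, capitalised or doubled form, no keyboard patterns or University-related words) and includes a random generator of the kind the procedure requires for privileged and for initial/reset passwords. The keyboard-pattern list, the University-related word list, the 20-character privileged length and the "six or more consecutive digits" heuristic used as a proxy for dates of birth, phone numbers and licence plates are assumptions made for the example, not values taken from the procedure.

```python
"""Password composition checker and random generator (added example, not ANU code)."""
import re
import secrets
import string

MIN_LENGTH = 8                 # from the procedure: standard passwords are at least eight characters
PRIVILEGED_LENGTH = 20         # assumed: the procedure only says "longer than standard user passwords"

# The four character groups named in the procedure; a password must draw from at least three.
_GROUPS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": set(string.punctuation) | {" "},
}

# Constructed deny-lists for the example; a real deployment would use far larger ones.
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "12345", "1qaz")
WORK_WORDS = ("anu", "canberra", "university")   # assumed "words related to the University"


def _name_forms(name: str) -> set[str]:
    """Forms of a name the procedure forbids. Matching is case-folded, so the
    'capitalised' form is covered, and a 'doubled' form necessarily contains the
    as-is form; the reversed form is listed explicitly."""
    n = name.lower()
    return {n, n[::-1]}


def check_password(password: str, account_name: str, first_name: str = "",
                   last_name: str = "", extra_banned: tuple = ()) -> list:
    """Return the list of rules the password violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    groups_hit = [g for g, chars in _GROUPS.items() if any(c in chars for c in password)]
    if len(groups_hit) < 3:
        problems.append(f"uses only {len(groups_hit)} of the 4 character groups (need 3)")

    folded = password.lower()
    for label, name in (("account name", account_name),
                        ("first name", first_name), ("last name", last_name)):
        if name and any(form in folded for form in _name_forms(name)):
            problems.append(f"contains the {label} in some form")

    for pattern in KEYBOARD_PATTERNS:
        if pattern in folded:
            problems.append(f"contains keyboard pattern '{pattern}'")

    for word in WORK_WORDS + tuple(w.lower() for w in extra_banned):
        if word in folded:
            problems.append(f"contains banned word '{word}'")

    # Heuristic (assumption): a long run of digits is likely a date of birth,
    # telephone number or licence plate, all of which the procedure forbids.
    if re.search(r"\d{6,}", password):
        problems.append("contains a run of six or more digits (possible date/phone/plate)")
    return problems


def generate_random_password(length: int = PRIVILEGED_LENGTH) -> str:
    """Randomly generated password drawn with the `secrets` CSPRNG, retried until it
    also satisfies the composition rules above (no account or personal name applies)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, account_name=""):
            return candidate


if __name__ == "__main__":
    print(check_password("Smith2024!", "jsmith", "John", "Smith"))
    print(generate_random_password())
```

`check_password` returns every violated rule rather than stopping at the first, which is what a self-service reset page needs in order to tell the user what to fix; `generate_random_password` is what a help desk or privileged-account process would call so that issued passwords are never chosen by hand.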
Initial and reset password generation
- All initial and reset passwords must be generated randomly.
- When issued with a new password, users must change the issued password immediately following the first use.
- User passwords must be changed in accordance with the published account management guidelines for the system/service that they are accessing.
- Systems which require more stringent password management controls will publish those guidelines to users of that system directly at the time the account is issued and at least on an annual basis.
- User accounts not utilised within the set time frame of a password issue must be disabled in accordance with this procedure.
- Requests for user password resets will require suitable proof of identity before being actioned. Suitable proof of identity for password resets may include:
  - Photo ID
  - Department of supervisor identification
  - Satisfactory challenge-responses in an institutionally approved challenge-response self-service application.
- All password resets must generate an auditable log indicating at a minimum the date, time, account name, and who conducted the reset.
- Password resets must additionally conform to the same controls as set out for initial password generation.
- Users must not synchronise passwords across systems where the accepted level of security on those systems varies.
- System administrators must only synchronise user passwords (through single sign on systems or via host trust relationships) where those systems meet shared minimum accepted levels of security and account management procedures.
Storage of passwords
- User passwords must only be recorded upon initial generation. Only one copy may be made and this is to be provided directly to the owner of the password. With the exception of mailing list management (such as lists generated via Mailman), passwords must not be sent unencrypted by electronic mail.
- Users must not store their passwords in plain text.
- Passwords on computer systems must be stored in a hashed and salted/encrypted fashion and must be encrypted before sending via open networks.
- Passwords must be stored in a secure location with audited, restricted access.
Confidentiality of passwords
- User passwords must not be disclosed to anyone other than the password owner under any circumstances.
- Group passwords must only be disclosed to individuals who have been authorised to access a particular electronic resource or service as part of that group. Group passwords must be changed whenever a member of the group leaves the group or at least as often as a user password.
- Passwords believed to have been compromised must be changed immediately and the matter must be reported to the staff member's supervisor and IT Security, in accordance with the Information Technology Security Policy.