University Policies

Password Policy

Approved by: President
Effective Date: June 26, 2023

POLICY STATEMENT

The purpose of this policy is to provide password standards intended to maintain control over access to Western Illinois University (WIU) systems and data and enumerate authentication requirements necessary for compliance with regulatory standards and laws. This policy applies to all accounts provisioned on a WIU system.

SCOPE (WHO SHOULD READ THIS POLICY)

WIU Password Policy applies to any individual who has access to WIU data. It covers all systems and data owned by WIU, whether hosted on premises or by a third party.

DEFINITIONS

  • Active Directory: Microsoft’s Active Directory provides a convenient way for University Technology to authenticate users to workstations, manage workstation functionality and control access to WIU computing resources.
  • Hashed: Hashing transforms an input string (such as a password) into a fixed-length value, the hash, using a one-way function. The hash can be stored and compared against, but the original string cannot feasibly be recovered from it.
  • Passphrase: A sequence of words to create a password. Throughout this document password and passphrase may be used interchangeably.
  • Password: A word or string of characters used to authenticate (prove the identity of) a user to a system. Throughout this document password and passphrase may be used interchangeably.
  • Salted: Password salting protects stored passwords by adding a unique random string of 32 or more characters (the salt) to each password before hashing it, so that identical passwords produce different hashes and precomputed hash tables cannot be reused against the store.
  • Stretching: Key stretching makes each guess against a stored password expensive by running the hash through many iterations (for example, hashing the password, then hashing that hash, and so on thousands of times) or by using a purpose-built password hashing function. This slows brute-force and dictionary attacks against stolen hashes.

POLICY

Section 1: Password Requirements

The following set of password requirements will be implemented on WIU systems that can support the criteria below. All other systems must adhere to the requirements in Section 2.

  1. Passwords must be at least 12 characters long.
  2. Passwords must be allowed to be at least 64 characters long.
  3. All passwords must be checked against a dictionary of commonly-used, expected, or compromised values before being accepted. Examples include but are not limited to:
    1. Passwords exposed in previous data breaches.
    2. Dictionary words.
    3. Repetitive or sequential strings, e.g. aaaaa or 1234abcd.
    4. Context-specific words such as the name of the service, the username, or derivatives thereof.
  4. Periodic password expiration is not required; a password must be changed when it has been forgotten, compromised or potentially compromised.
  5. No password hints shall be stored that are accessible without authentication.
  6. No composition rules (required mixes of character types) are imposed.
  7. All passwords must be hashed, salted and stretched when stored.
  8. Notify users of abnormal behavior, for example:
    1. If a user’s account has more than three concurrent logins.
    2. If a user’s account has more than 5 bad password attempts within a 24 hour period.
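
The acceptance checks in item 3 and the storage rule in item 7, as an added example that is not part of this policy or of any WIU system: a Python checker that applies the Section 1 criteria to a candidate password and then stores it salted and stretched. The breach corpus and dictionary are tiny constructed sets standing in for a real breach export and word list; the 128-character ceiling (which satisfies the 64-character floor of item 2), the PBKDF2 iteration count and the 16-byte salt (32 hex characters) are assumed values, not policy numbers.

```python
"""Section 1 password acceptance and storage checks (added example, not WIU code).

Assumptions: BREACHED and DICTIONARY are constructed stand-ins; MAX_LENGTH,
ITERATIONS and the 16-byte salt are assumed values; stretching is
PBKDF2-HMAC-SHA256 from the standard library.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12          # Section 1, item 1
MAX_LENGTH = 128         # Section 1, item 2: at least 64 characters must be accepted
ITERATIONS = 600_000     # Section 1, item 7: stretching (assumed iteration count)

# Constructed stand-ins for a breach corpus and a word list.
BREACHED = {"password123!", "letmein12345", "qwerty123456"}
DICTIONARY = {"password", "welcome", "football", "university", "leathernecks"}


def _has_sequence(s: str, n: int) -> bool:
    """True if s contains n characters in ascending or descending code-point order (1234, dcba)."""
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _derivatives(word: str) -> set[str]:
    """Cheap derivatives of a context word: lower-cased, reversed, digits-for-letters."""
    w = word.lower()
    return {w, w[::-1], w.translate(str.maketrans("aeios", "43105"))}


def check_password(candidate: str, username: str, service: str = "wiu") -> list[str]:
    """Return the Section 1 rules the candidate violates; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in BREACHED:                                   # item 3.1
        problems.append("appears in breach corpus")
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:          # item 3.2, digits/symbols stripped
        problems.append("is a dictionary word")
    if re.search(r"(.)\1{3,}", lowered):                      # item 3.3, repetitive
        problems.append("contains a character repeated 4+ times")
    if _has_sequence(lowered, 4):                             # item 3.3, sequential
        problems.append("contains a sequential run")
    for context in (username, service):                       # item 3.4
        if any(d and d in lowered for d in _derivatives(context)):
            problems.append(f"contains context word '{context}'")
    return problems


def hash_password(password: str) -> str:
    """Salt, hash and stretch (item 7); returns a self-describing record for storage."""
    salt = os.urandom(16)                                     # 16 random bytes = 32 hex characters
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Password123!", "jdoe-aaaa-1234", "Welcome2023!!"):
        print(f"{pw!r}: {check_password(pw, 'jdoe') or 'accepted'}")
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

The dictionary test strips digits and symbols before matching so that Welcome2023!! is still caught as the word "welcome"; a production deployment would replace the constructed sets with a full breach corpus (for example the Have I Been Pwned range lookup, which never sends the password itself) and a real word list, and would keep the iteration count under review as hardware gets faster.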

Section 2: Alternative Password Requirements

The following password requirements must be implemented on WIU controlled systems that cannot implement Section 1: Password Requirements.

  1. Maximum password age is one hundred twenty (120) days.
  2. Minimum password age is one (1) day.
  3. Minimum password length is eight (8) characters. Passphrases are always recommended/preferred.
  4. All passwords must contain each of the following character types:
    1. Upper case letter(s): A - Z
    2. Lower case letter(s): a - z
    3. Number(s): 0-9
    4. Special characters
  5. Users will not be able to reuse the ten (10) previous passwords they have used.

Section 3: Password Use

  1. All WIU workstations that are permanently or intermittently connected to the network will use an access control system that follows the password policy.
  2. All users will be uniquely identified. Users are prohibited from logging into any system or network anonymously (e.g. via macOS or Windows guest accounts).
  3. User accounts will be locked after twenty (20) invalid logon attempts (fewer attempts may be permitted on some systems). Accounts will remain locked for thirty (30) minutes or until re-enabled by a system administrator.
  4. All WIU workstations should require re-authentication after fifteen (15) minutes of user inactivity. All systems or applications must require re-authentication after at most thirty (30) minutes of user inactivity; the timeout should be set to the shortest period that still allows business functionality. WIU workstations should be locked (requiring re-authentication) or shut down when not in use.
  5. Passwords are classified as sensitive, confidential information.
  6. Passwords used on WIU workstations, systems or applications must not:
    1. Be the same password the account owner uses for non-WIU access (e.g. personal email, online banking, e-commerce shopping accounts, etc.).
    2. Be shared with anyone, including co-workers, family members, friends, acquaintances or even university technical support staff, in any format (e.g. online, verbally, in writing, via text message, email, IM, chats, etc.).
    3. Contain personal information (e.g. name, birthday, phone, address, etc.) or the username.
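
The two notifications in Section 1 item 8 and the lockout rule in Section 3 item 3, as an added example that is not WIU's code: a monitor that consumes constructed authentication events, notifies on more than five bad attempts within a sliding 24-hour window and on more than three concurrent sessions, and locks an account for thirty minutes after twenty invalid attempts. Assumed, because the policy does not say: the invalid-attempt counter resets on a successful login or when the lock is applied, and an attempt against a locked account is rejected without being counted.

```python
"""Login-anomaly monitor for Section 1 item 8 and Section 3 item 3 (added example, not WIU code).

Events are (timestamp, user, kind, session_id) tuples with kind in fail/success/logout.
Assumed: consecutive-failure counter resets on success or lock; attempts while locked are
rejected and not counted; the 24-hour failure window is sliding.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 20                  # Section 3 item 3: invalid attempts before lock
LOCKOUT_DURATION = timedelta(minutes=30)
NOTIFY_FAILURES = 5                     # Section 1 item 8: more than 5 bad attempts in 24 h
NOTIFY_WINDOW = timedelta(hours=24)
MAX_CONCURRENT = 3                      # Section 1 item 8: more than 3 concurrent logins


class AuthMonitor:
    def __init__(self):
        self.recent_failures = defaultdict(deque)     # user -> failure timestamps in the window
        self.consecutive_failures = defaultdict(int)  # user -> failures since last success/lock
        self.locked_until = {}                        # user -> datetime the lock expires
        self.sessions = defaultdict(set)              # user -> live session ids

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def unlock(self, user):
        """Administrative re-enable before the 30 minutes are up (Section 3 item 3)."""
        self.locked_until.pop(user, None)
        self.consecutive_failures[user] = 0

    def handle(self, ts, user, kind, session=None):
        """Process one event and return the alerts it produced (possibly none)."""
        alerts = []
        if self.is_locked(user, ts):
            return [f"{user}: {kind} attempt rejected, locked until {self.locked_until[user]:%H:%M}"]
        if kind == "fail":
            window = self.recent_failures[user]
            window.append(ts)
            while ts - window[0] > NOTIFY_WINDOW:      # drop failures older than 24 h
                window.popleft()
            if len(window) == NOTIFY_FAILURES + 1:    # alert once, when the threshold is crossed
                alerts.append(f"{user}: notify user, {len(window)} bad password attempts within 24 hours")
            self.consecutive_failures[user] += 1
            if self.consecutive_failures[user] >= LOCKOUT_THRESHOLD:
                self.locked_until[user] = ts + LOCKOUT_DURATION
                self.consecutive_failures[user] = 0
                alerts.append(f"{user}: locked for 30 minutes after {LOCKOUT_THRESHOLD} invalid attempts")
        elif kind == "success":
            self.consecutive_failures[user] = 0
            self.sessions[user].add(session)
            if len(self.sessions[user]) == MAX_CONCURRENT + 1:
                alerts.append(f"{user}: notify user, {len(self.sessions[user])} concurrent logins")
        elif kind == "logout":
            self.sessions[user].discard(session)
        return alerts


def run(events):
    """Replay events in time order through one monitor and collect every alert."""
    monitor = AuthMonitor()
    alerts = []
    for ts, user, kind, session in sorted(events, key=lambda e: e[0]):
        alerts.extend(monitor.handle(ts, user, kind, session))
    return alerts


def sample_events():
    """Constructed sample log, not real WIU data."""
    t0 = datetime(2023, 6, 26, 9, 0)
    events = []
    # jdoe: 20 bad passwords one minute apart, a login during the lock, a login after it expires
    for i in range(LOCKOUT_THRESHOLD):
        events.append((t0 + timedelta(minutes=i), "jdoe", "fail", None))
    events.append((t0 + timedelta(minutes=21), "jdoe", "success", "s1"))
    events.append((t0 + timedelta(minutes=50), "jdoe", "success", "s1"))
    # asmith: four sessions open at once
    for n in range(1, MAX_CONCURRENT + 2):
        events.append((t0 + timedelta(minutes=n), "asmith", "success", f"s{n}"))
    return events


if __name__ == "__main__":
    for alert in run(sample_events()):
        print(alert)
```

On the constructed log this produces four alerts: asmith's fourth concurrent login, jdoe's sixth bad attempt, jdoe's lock at the twentieth attempt, and the rejected login during the lock; jdoe's login at 09:50, after the lock has expired, goes through silently.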

Section 4: WIU System Accounts with Elevated Privileges

The following is only applicable to accounts with elevated privileges (such as those used by system administrators who manage one or more servers).

  1. System-level account (e.g., root, enable, etc.) requirements:
    1. Initial login must be made via an account assigned to the staff member, before using the system level administrative accounts.
    2. Minimum password length is twelve (12) characters long.
    3. Direct remote login to system-level accounts must be disabled (e.g. PermitRootLogin set to “no” in sshd_config).
    4. All other password requirements in section 1 apply.
  2. Administrative accounts with elevated privileges (e.g., Windows domain, vSphere admin, network admin, etc.) require:
    1. An account that clearly and uniquely identifies the user and is not their primary user account.
    2. All other password requirements in section 1 apply.
  3. System, service, and application accounts that authenticate automatically must not be used interactively by an individual for any reason; their passwords are allowed to never expire. These accounts require:
    1. Minimum password length of sixteen (16) characters.
    2. All other password requirements in section 1 apply.
  4. Vendor-supplied and/or default passwords must be changed before any computer or communication system is used in production or hosts any WIU data.
  5. Where SNMP is used, the community strings will be defined as something other than the standard defaults of “public,” “private,” and “system” and must be different from the password used to log in interactively.
  6. Passwords must be changed immediately when individuals with knowledge of elevated account passwords leave the university.
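
Items 1.3 and 5 above, as an added example that is not WIU tooling: an audit that reports the PermitRootLogin value sshd would actually apply and flags SNMP community strings that are defaults or equal to the interactive login password. It relies on two documented sshd_config behaviours, that the first value read for a keyword wins (a later duplicate is ignored) and that directives inside a Match block do not set the global value, and on the prohibit-password default of current OpenSSH when the keyword is absent. The configuration snippets are constructed, not taken from any WIU host.

```python
"""Audit for Section 4 items 1.3 and 5 (added example, not WIU tooling).

sshd_config behaviour relied on: for each keyword sshd uses the first value it
reads, so a later duplicate is ignored, and directives inside a Match block do
not set the global value. Current OpenSSH defaults PermitRootLogin to
prohibit-password when the keyword is absent.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private", "system"}   # Section 4, item 5


def effective_permit_root_login(sshd_config: str) -> str:
    """Return the global PermitRootLogin value sshd would apply."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Keyword arg' or 'Keyword=arg'
        keyword = parts[0].lower()                      # keywords are case-insensitive
        if keyword == "match":                          # global section ends here
            break
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()             # first value wins
    return "prohibit-password"


def snmp_community_strings(snmpd_conf: str) -> list[str]:
    """Collect community strings from rocommunity/rwcommunity and com2sec lines."""
    found = []
    for raw in snmpd_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive in {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"} and len(parts) >= 2:
            found.append(parts[1])                      # rocommunity COMMUNITY [SOURCE]
        elif directive == "com2sec" and len(parts) >= 4:
            found.append(parts[3])                      # com2sec NAME SOURCE COMMUNITY
    return found


def audit(sshd_config: str, snmpd_conf: str, interactive_password: str) -> list[str]:
    """Findings against Section 4 items 1.3 and 5; an empty list means compliant."""
    findings = []
    value = effective_permit_root_login(sshd_config)
    if value != "no":
        findings.append(f"sshd: effective PermitRootLogin is '{value}', policy requires 'no'")
    for community in snmp_community_strings(snmpd_conf):
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmpd: default community string '{community}' in use")
        if community == interactive_password:
            findings.append("snmpd: a community string equals the interactive login password")
    return findings


# Constructed sample configurations, not taken from any WIU host.
WEAK_SSHD = """\
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no        # ignored: sshd keeps the first value it read
Match Address 10.0.0.0/8
    PermitRootLogin no    # only affects matching connections
"""
HARDENED_SSHD = """\
PermitRootLogin no
PasswordAuthentication yes
"""
WEAK_SNMPD = """\
rocommunity public
rwcommunity Adm1nPass123
com2sec readonly default private
"""
HARDENED_SNMPD = """\
rocommunity x7Hq-monitor-read 10.20.0.5
"""

if __name__ == "__main__":
    for finding in audit(WEAK_SSHD, WEAK_SNMPD, "Adm1nPass123"):
        print(finding)
    print("hardened:", audit(HARDENED_SSHD, HARDENED_SNMPD, "Adm1nPass123") or "no findings")
```

The weak sshd_config is the case to watch for: an administrator who appends "PermitRootLogin no" at the bottom of a file that already says "yes" near the top has changed nothing, because sshd keeps the first value; `sshd -T` on the host prints the effective values and is the authoritative check after any edit.
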

Section 5: Additional Password Requirements for Areas Accepting Credit Cards as Payments

WIU adheres to Payment Card Industry (PCI) Data Security Standard (DSS) Requirements and Security Assessment Procedures. When PCI DSS requirements and university policy conflict, the most restrictive policy shall apply.

Requirements of WIU’s policy are as follows:

  1. Account additions, deletions, and modifications must be managed centrally.
  2. The user’s identity must be verified before performing password resets.
  3. First-time passwords must be set to a unique value for each user and must be changed immediately after first use. First-time passwords must not follow a pattern that is guessable by someone who has previously obtained one.
  4. All users’ access shall immediately be revoked upon their termination of employment.
  5. Accounts shall be disabled after ninety (90) days of inactivity.
  6. Accounts shall not be shared, generic, or group accounts.
  7. Accounts shall have their corresponding passwords changed every ninety (90) days or less.
  8. All other general password requirements (Section 1) and password use requirements (Section 3) apply.

RESPONSIBILITIES (Implementation and Enforcement)

University Technology is responsible for implementing, enforcing, updating and maintaining this policy.

RESOURCES