Administrative Services

Password Policy

File code: TECH.PASSWORD.POL
Approval Date: 2/23/2009
Revision Dates: 4/13/2010, 1/26/2018
Approved By: President

Definitions

Active Directory refers to Microsoft's Active Directory. Active Directory provides a convenient way for University Technology to authenticate users to workstations, manage workstation functionality and control access to WIU computing resources.

Password is a word or string of characters used to authenticate (prove the identity of) a user to a system. A passphrase is a sequence of words used as a password. Throughout this document these two words may be interchanged. Whenever possible the University should use the word passphrase.

Password Policy

This policy provides password standards intended to maintain control over access to Western Illinois University (WIU) systems and data and enumerates authentication requirements necessary for compliance with regulatory standards and laws. This policy applies to all accounts provisioned on a WIU system and will be reviewed and updated annually.

Section 1: Password Requirements

The following set of password requirements will be implemented on WIU systems that can support the criteria below. All other systems must adhere to the requirements in Section 2.

  1. Passwords must be at least 8 characters long.
  2. Passwords must be allowed to be at least 64 characters long.
  3. All passwords must be checked against a dictionary of commonly used, expected, or compromised values before being accepted. Examples include but are not limited to:
    1. Passwords compromised in previous password breaches.
    2. Dictionary words.
    3. Repetitive or sequential strings, e.g. aaaaa or 1234abcd.
    4. Context-specific words, such as the name of the service, the username, or derivatives thereof.
  4. No password expiration is required unless it has been forgotten, compromised or potentially compromised.
  5. No password hints shall be stored that are accessible to an unauthenticated account.
  6. Passwords will have no composition rules.
  7. All passwords must be hashed, salted and stretched when stored.
  8. Notify users of abnormal behavior, for example:
    1. If a user's account has more than three concurrent logins.
    2. If a user's account has more than 20 bad password attempts within a 24-hour period.

Section 2: Alternative Password Requirements

The following password requirements will be implemented on WIU controlled systems that cannot implement Section 1: Password Requirements:

  1. Maximum password age is one hundred twenty (120) days.
  2. Minimum password age is one (1) day.
  3. Minimum password length is eight (8) characters. Longer passwords or the use of passphrases are recommended.
  4. All passwords must contain each of the following character types:
    • Upper Case Letter(s): A through Z
    • Lower Case Letter(s): a through z
    • Numeral(s): 0 through 9
    • Special Characters, such as !, @, or #
  5. Users will not be able to reuse the ten (10) previous passwords they have used in the past.
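As an added illustration (not part of the policy or of any WIU system), the following Python checks a candidate password against the Section 1 rules and, for comparison, reports which Section 2 composition classes it lacks. The breach list, dictionary, username and service name are constructed stand-ins; "derivatives" of the username is approximated by a substring test.

```python
import re

# Constructed stand-ins for the compromised-password corpus and dictionary
# the policy requires (assumption: lowercase strings; a real deployment
# would query a large breach list rather than a literal set).
COMPROMISED = {"password", "letmein", "qwerty123", "welcome1"}
DICTIONARY_WORDS = {"sunshine", "football", "dragon"}

MIN_LENGTH = 8    # Section 1, item 1
MAX_LENGTH = 64   # Section 1, item 2: passwords this long must be accepted


def has_repeat_or_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` identical characters in a row (aaaa) or a
    straight ascending/descending run of code points (1234, dcba)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def section1_rejections(pw: str, username: str, service: str) -> list:
    """Reasons a candidate fails Section 1 (empty list = accepted).
    Deliberately absent: composition rules (item 6) and expiry (item 4)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than 8 characters")
    # No upper cap is applied here: the system must allow up to MAX_LENGTH.
    low = pw.lower()
    if low in COMPROMISED:
        reasons.append("found in compromised-password list")
    if low in DICTIONARY_WORDS:
        reasons.append("dictionary word")
    if has_repeat_or_sequence(pw):
        reasons.append("repetitive or sequential")
    # "Derivatives thereof" is approximated here by a substring test.
    if any(c and c in low for c in (username.lower(), service.lower())):
        reasons.append("contains username or service name")
    return reasons


def section2_missing_classes(pw: str) -> list:
    """Character classes a Section 2 (fallback-system) password still lacks."""
    classes = {"upper": r"[A-Z]", "lower": r"[a-z]",
               "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}
    return [name for name, pat in classes.items() if not re.search(pat, pw)]
```

A 64-character passphrase passes Section 1 unchanged, while it would fail the Section 2 class rules despite being far stronger than an 8-character mixed-class string.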

Section 3: Password Use

  1. All WIU workstations that are permanently or intermittently connected to the network will use an access control system that follows the password policy.
  2. All users will be uniquely identified. Users are prohibited from logging into any system or network anonymously (Macintosh and Windows guest accounts).
  3. User accounts will be locked after twenty (20) invalid logon attempts (fewer attempts may be permitted on some systems). Accounts will remain locked for thirty (30) minutes or until re-enabled by a system administrator.
  4. All WIU workstations must require re-authentication after fifteen (15) minutes of user inactivity. All systems or applications must require re-authentication after a maximum of thirty (30) minutes of user inactivity. This should be set to the shortest amount of time that still allows business functionality. All WIU workstations should be locked (requiring re-authentication) or shut down when not in use.
  5. Passwords used on WIU workstations, systems or applications must not be:
    • the same password as the account owner uses for other non-WIU access (e.g., personal email, online banking, e-commerce shopping accounts, etc.)
    • shared with anyone, including co-workers, family members, friends, acquaintances or even University technical support staff. All passwords are to be treated as sensitive, confidential information.
    • revealed online, verbally, or in writing, including via telephone, text messages, email, IM, chat rooms, blogs, questionnaires, etc. (not applicable during password resets by technology staff).
    • based on personal information (e.g. name, birthday, phone, address, etc.) or on your username.
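A second added example (not from the policy or from any WIU system): a minimal tracker that enforces the Section 3 lockout (twenty invalid attempts, thirty minutes or administrator re-enable) and raises the Section 1 notification for more than twenty bad attempts in 24 hours. Timestamps are epoch seconds supplied by the caller, and the account names used in testing are constructed.

```python
from collections import defaultdict, deque

LOCK_THRESHOLD = 20       # Section 3, item 3: lock after 20 invalid attempts
LOCK_SECONDS = 30 * 60    # ... for 30 minutes, unless an administrator re-enables
ALERT_THRESHOLD = 20      # Section 1, item 8: notify on > 20 bad attempts in 24 h
ALERT_WINDOW = 24 * 3600


class LoginGuard:
    """Constructed in-memory tracker; assumption: the caller passes each
    event's time as epoch seconds and acts on the returned event names."""

    def __init__(self):
        self.strikes = defaultdict(int)      # invalid attempts since last reset
        self.window = defaultdict(deque)     # failure timestamps in the last 24 h
        self.locked_until = {}
        self.alerted = set()                 # accounts already notified

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def admin_unlock(self, account):
        """System administrator re-enable (Section 3, item 3)."""
        self.locked_until.pop(account, None)
        self.strikes[account] = 0

    def record_success(self, account):
        self.strikes[account] = 0

    def record_failure(self, account, now):
        """Returns the policy events triggered by one failed logon."""
        if self.is_locked(account, now):
            return ["rejected_while_locked"]   # password not evaluated
        events = []
        self.strikes[account] += 1
        if self.strikes[account] >= LOCK_THRESHOLD:
            self.locked_until[account] = now + LOCK_SECONDS
            self.strikes[account] = 0
            events.append("locked")
        q = self.window[account]
        q.append(now)
        while now - q[0] > ALERT_WINDOW:         # drop failures older than 24 h
            q.popleft()
        if len(q) > ALERT_THRESHOLD and account not in self.alerted:
            self.alerted.add(account)
            events.append("notify_user")
        return events
```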

Section 4: WIU System Accounts with Elevated Privileges

The following is only applicable to technical staff with system-level privileges (such as WIU system administrators who manage one or more servers).

  1. System-level account (e.g., root, enable, etc.) requirements:
    • Initial login must be made via an account assigned to the staff member, before using the system level administrative accounts.
    • Minimum password length is twelve (12) characters.
    • Remote access to system level accounts must be disabled (for example: PermitRootLogin set to "no" in the sshd_config file).
    • All other Password Requirements (Section 1) apply.
  2. Administrative accounts with elevated privileges (e.g., Windows domain, vSphere admin, network admin, etc.) require:
    • An account that clearly and uniquely identifies the user and is not their primary user account.
    • All other Password Requirements (Section 1) apply.
  3. System, service, and application accounts that are used to automatically authenticate must not be used by any individual for any reason but are allowed to have passwords that never expire. These accounts require:
    • Minimum password length is sixteen (16) characters.
    • All other Password Requirements (Section 1) apply.
  4. Vendor-supplied and/or default passwords must be changed before any computer or communications system is used in production, or hosts any WIU data.
  5. Where SNMP is used, the community strings will be defined as something other than the standard defaults of "public", "private" and "system" and must be different from the passwords used to log in interactively.
  6. Passwords must be changed immediately when individuals with knowledge of elevated account passwords leave the University.

Section 5: Additional Password Requirements for Areas Accepting Credit Cards as Payment

WIU adheres to current Payment Card Industry (PCI) Data Security Standard (DSS) Requirements and Security Assessment Procedures.

When PCI DSS requirements and University policy conflict, the most restrictive policy shall apply.

Requirements of WIU's policy are as follows.

  1. Account additions, deletions, and modifications must be managed centrally.
  2. The user's identity must be verified before performing password resets.
  3. First-time passwords must be set to a unique value for each user and will require the password to be changed immediately after the first use. The creation of first-time passwords will not follow a pattern that is guessable by someone who has previously obtained a first-time password.
  4. All users' access shall be immediately revoked upon their termination of employment.
  5. Accounts shall be disabled after ninety (90) days of inactivity.
  6. Accounts shall not be shared, generic, or group accounts.
  7. Accounts shall have their corresponding passwords changed every ninety (90) days or less.
  8. All other General Password Requirements (Section 1) and Password Use (Section 2) apply.

Section 6: Supplemental Information

Requests for obtaining a user ID and password must be called into the Support Center (309-298-TECH). The Support Center will then open a ticket and respond to the request.

Any exceptions to this policy must be approved via the University Password Policy Exception Procedure.

Western Illinois University Technology will never ask for your password via email or over the phone. If you receive an email asking for your password, treat it as a malicious phishing attempt and delete it immediately.