Password Standard

Revised June 18, 2013

Overview
The Office of Information Technology (OIT) has provided a framework for passwords and account types that are used in the authentication process for university-wide applications. The Password Standard establishes:

  • levels of password security needed for authentication by different account types
  • characteristics of passwords to meet security needs  

Scope
The Password Standard covers all user credentials used to access enterprise-level (university-wide) applications and systems, including but not limited to usernames and passwords. In most cases these applications and systems authenticate against campus-wide credential systems (such as Unity). The standard may also apply to other enterprise-level systems that use different credentials.

The Password Standard:

  • may be optionally adopted for unit, departmental and college-level applications and systems
  • is recommended, but not mandatory, for unit-level systems that provide their own credentialing and access control
  • does not necessarily apply to locally-administered systems, e.g., within departments and colleges
  • does not specify requirements for security of system administrator access to systems

Password Standard Specifications 
NC State University is committed to a secure information technology environment in support of its missions. The assignment of a password level is based on an individual’s security role(s) for a specific user account. A security role requires direct management approval and is not automatically granted based upon the individual's position with the university.

Levels of accounts and associated passwords are defined in this section, based on increasing scope and sensitivity of the data accessed by the account holder.

Levels of Application Security
There are five levels of security defined for categorizing university account types (A1-A5). These levels are assigned based on the sensitivity and scope of access provided to a particular user. User access is addressed in the Data Sensitivity Framework (in development), which includes the sensitivity classifications used below. Characteristics of account types (A1-A5) and assigned levels of security are:

  • A1: Entry-Level Security
    These accounts are used by individuals external to the university and imply no assurance of affiliation or identity verification (e.g., guests, student applicants, job applicants, etc.). Data classification at this level is always at the Standard sensitivity classification.
     
  • A2: Standard-Level Security
    These accounts provide access to sensitive information only about the individual using the account (e.g., email, Web, personal computer, application data access for the logged-in user only, etc.). Data classification at this level will be Standard or Moderate. The specific data held about the individual in university administrative systems may be at the Moderate or High sensitivity classification.

  • A3: Medium-Level Security
    These accounts provide access to sensitive administrative data at the unit or department level. (For example, an individual may be authorized to access data in the Human Resource System, Financials System or Student Information System beyond his/her own personal information, covering other relevant information in his/her direct unit or department.) Data at this level may be at the Standard, Moderate, High or Ultra sensitivity classification.
     

  • A4: High-Level Security
    These accounts provide access to sensitive administrative data at the Central Office level, College level or an equivalent organizational entity. This security level:
    • includes access to information about others within the same organizational entity
    • may grant the ability to approve access to unit-level data
    • may also include access to information at the institutional level (for example, central office users and specifically authorized college/division-level users may access university-wide information stored in the Human Resource System, Financials System and Student Information System)

    Data at this level may be at any of the Standard, Moderate, High or Ultra sensitivity classifications.

  • A5: Rigorous Security
    These accounts are used to control institution-wide applications and databases, including system, application and database default and implementation options. They include:
    • user accounts used in maintaining production applications such as the Human Resource System, Financials System or Student Information System

    Data in use at this level may be at any of the Standard, Moderate, High or Ultra sensitivity classifications.

Password Standard Matrix
At this time, there is a one-to-one relationship between the account types and password levels. (Account type A1 is protected by a P1 password level, and Account type A3 is protected by a P3 password level, etc.). This may change in the future, as password characteristics are adjusted, and additional account types are added.

Assigning Attributes to be Verified for Password Levels

Attribute                                                                 P1   P2   P3   P4      P5
Minimum length of password                                                8    8    8    8       8
Maximum length of password ****                                           100  100  100  100     100
Password is character-checked for strength *                              Yes  Yes  Yes  Yes     Yes
Maximum age of password (days between changes)                            365  365  90   90      30
Days of daily expiration warnings (where available)                       14   14   14   14      7
Failed attempts before lockout                                            10   10   10   10      10
May reset via Self Service Web (when that facility becomes available)     Yes  Yes  No   No      No
May reset via Help Desk phone with identity verification (UIA questions)  Yes  Yes  Yes  Yes     No
Can reset at Help Desk in person **                                       Yes  Yes  Yes  Yes***  Yes***
Must read Computer Use Regulation on Self Service reset                   Yes  Yes  Yes  Yes     Yes
Must complete security class and sign the Information Security
  Acknowledgement form before access to administrative applications       No   No   Yes  Yes     Yes
Must use two-factor authentication (when capability is implemented)       No   No   No   No      No
Cannot be a previously used password                                      Yes  Yes  Yes  Yes     Yes

Footnote markers: * strength checks are listed below; ** and *** refer to the in-person reset and the immediate post-reset change described under Password Change; **** see the Postini note below.

* Password strength checks verify that the password:

  • does not contain the user's Unity username
  • does not contain the user's Unity username backwards
  • does not contain the quote character ’ (Google limitation)
  • contains at least one digit (number)
  • contains at least one letter
  • does not contain a dictionary word of three or more letters
  • does not contain five consecutive digits (e.g., a phone number)
  • is more than a simple case change of the old password

**** The maximum password length is limited to 32 characters if you need to log in to Postini as an administrator.

The following three checks are also performed when a password is changed; conforming to them is recommended but not mandatory. The password should:

  • have at least one special keyboard character (not a number or letter)
  • contain at least one capital letter
  • contain at least one lowercase letter
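To make the checks concrete, here is an added example written for this page; it is not OIT's own checker. It implements the mandatory strength checks listed above, the three recommended checks, the 8/100-character length limits from the matrix (32 for the Postini administrator case) and the "not a previously used password" rule. Details the page leaves open are assumptions here: a small constructed word list stands in for the dictionary, both the ASCII apostrophe and the typographic right single quote are treated as the banned quote character, and password history is compared as SHA-256 digests rather than plaintext.

```python
"""Password strength checks modelled on the Password Standard above.

Added illustration for this page, not OIT's own code. Assumptions: a tiny
constructed DICTIONARY instead of a full wordlist, both apostrophe forms
treated as the banned quote, and password history kept as SHA-256 digests.
"""
import hashlib
import re

MIN_LENGTH = 8
MAX_LENGTH = 100                 # matrix value for P1-P5
POSTINI_ADMIN_MAX_LENGTH = 32    # Postini administrator caveat (****)
BANNED_QUOTES = ("'", "\u2019")  # assumption: ASCII apostrophe and right single quote

# Constructed stand-in for a real dictionary; only words of 3+ letters matter.
DICTIONARY = {"pass", "word", "password", "wolf", "pack", "state", "summer", "admin", "love"}


def _digest(password):
    """Assumption: history is stored as unsalted SHA-256 so old passwords
    can be compared without retaining plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


def _dictionary_word(password):
    """Return the longest dictionary word of 3+ letters contained in password, or None."""
    lowered = password.lower()
    for word in sorted(DICTIONARY, key=len, reverse=True):
        if len(word) >= 3 and word in lowered:
            return word
    return None


def check_password(new, username, old=None, previous_hashes=(), postini_admin=False):
    """Return (required_failures, recommended_failures).

    An empty required_failures list means the password meets the mandatory
    checks; recommended_failures covers the three advisory checks.
    """
    required, recommended = [], []
    max_length = POSTINI_ADMIN_MAX_LENGTH if postini_admin else MAX_LENGTH

    if len(new) < MIN_LENGTH:
        required.append(f"shorter than {MIN_LENGTH} characters")
    if len(new) > max_length:
        required.append(f"longer than {max_length} characters")

    lowered, uname = new.lower(), username.lower()
    if uname and uname in lowered:
        required.append("contains the Unity username")
    if uname and uname[::-1] in lowered:
        required.append("contains the Unity username backwards")
    if any(q in new for q in BANNED_QUOTES):
        required.append("contains the quote character")
    if not re.search(r"\d", new):
        required.append("no digit")
    if not re.search(r"[A-Za-z]", new):
        required.append("no letter")
    word = _dictionary_word(new)
    if word:
        required.append(f"contains dictionary word '{word}'")
    if re.search(r"\d{5}", new):
        required.append("five or more consecutive digits")
    if old is not None and lowered == old.lower():
        required.append("only a case change of the old password")
    if _digest(new) in previous_hashes:
        required.append("previously used password")

    # Recommended (non-mandatory) checks from the standard.
    if not re.search(r"[^A-Za-z0-9]", new):
        recommended.append("no special character")
    if not re.search(r"[A-Z]", new):
        recommended.append("no capital letter")
    if not re.search(r"[a-z]", new):
        recommended.append("no lowercase letter")
    return required, recommended


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Tr0ub4dor&3", "password1", "jdoe2013!", "Call555-12345x"):
        req, rec = check_password(candidate, "jdoe")
        print(f"{candidate!r}: required={req} recommended={rec}")
```

The username checks run case-insensitively because the page's wording ("does not contain the user Unity username") does not distinguish case; the case-change check compares the lowercased old and new values, so "Summer2013" followed by "SUMMER2013" is rejected.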

Password Change
Expiration of individual passwords should be set to occur only during University Help Desk business hours, as permitted by the authentication systems, so that users have immediate Help Desk support. Users who have problems logging in while the Help Desk is closed will need to seek assistance on the next business day.

  • Some users may have their password reset by calling the University Help Desk and correctly identifying themselves via the User Identification and Authentication (UIA), a secure question and answer survey. The user should complete this survey in advance of the password reset request. 
  • Users can have their passwords reset by appearing in person at the University Help Desk with a photo ID.
  • Users should change their password immediately after a password reset (doing so on site at the Help Desk is recommended). ***
  • Where the user is remote from the Help Desk, special arrangements will be made to accommodate the user's password change on a timely basis. (The user will be asked to provide copies of credentials showing picture, signature and full name as a graphic or faxed document.) **
  • Users may be required to read and accept REG 08.00.02 Computer Use Regulation, which describes appropriate use of university information technology resources, before being granted access to university computer systems.
  • Users are required to read and sign the Information Security Acknowledgement Form (ISAF) before being granted access to the Human Resource System, the Financials System, the Student Information System, or other administrative applications and data.

Governance

  • This Password Standard was developed by the Office of Information Technology IT Policy and Compliance Team. It was sponsored and approved by the Compliance and Policy Working Group of the Security and Compliance Subcommittee of the IT Strategic Advisory Committee (ITSAC), the Campus IT Directors Committee (CITD), and the Vice Chancellor for Information Technology/Chief Information Officer (CIO and VCIT).
  • A team is actively reviewing password standards with respect to the university Identity Management project. The needs of the wider university community and recent research on password entropy will also be taken into consideration.
  • Exceptions and changes to these standards must be approved by the standard sponsors, and written documentation of exceptions and changes will be maintained by the standard sponsors.  

Contact
For questions or comments concerning the Password Standard, contact John Baines, assistant director of IT Policy and Compliance in the OIT Security and Compliance unit, at john_baines@ncsu.edu.