Revised June 18, 2013
The Office of Information Technology (OIT) has provided a framework for passwords and account types that are used in the authentication process for university-wide applications. The Password Standard establishes:
- levels of password security needed for authentication by different account types
- characteristics of passwords to meet security needs
The Password Standard includes all user credentials for accessing enterprise-level (university-wide) applications and systems, including but not limited to usernames and passwords. In most cases, these applications and systems use campus-wide credential systems (e.g., Unity) for authentication. This standard may also apply to other enterprise-level systems that use different credentials.
The Password Standard:
- may be optionally adopted for unit, departmental and college-level applications and systems
- is recommended, but not mandatory, for unit-level systems that provide their own credentialing and access control
- does not necessarily apply to locally-administered systems; e.g., within departments and colleges
- does not specify requirements for security of system administrator access to systems
NC State University is committed to a secure information technology environment in support of its missions. The assignment of a password level is based on an individual’s security role(s) for a specific user account. A security role requires direct management approval and is not automatically granted based upon the individual’s position with the university.
Levels of accounts and associated passwords are defined in this section, based on increasing scope and sensitivity of the data accessed by the account holder.
Five levels of security, A1 through A5, are defined for categorizing university account types. These levels are assigned based on the sensitivity and scope of access provided to a particular user. User access is addressed in the Data Sensitivity Framework, which includes the sensitivity classifications used below. Characteristics of account types and assigned levels of security are:
- A1: Entry-Level Security
These accounts are used by individuals external to the university and imply no assurance of affiliation or identity verification; e.g., guests, student applicants, job applicants. Such data are always classified at the Standard sensitivity level.
- A2: Standard-Level Security
These accounts provide access to sensitive information about only the individual accessing the account; e.g., email, web, personal computer, application data access for the logged-in user only. Such data will be classified at the Standard or Moderate sensitivity level. The specific data about that person held in the university administrative systems may be classified at the Moderate or High sensitivity level.
- A3: Medium-Level Security
These accounts provide access to sensitive administrative data at the unit or department level. For example, an individual may be authorized to access data in the Human Resource System, Financials System or Student Information System beyond his/her personal information, to include other relevant information in his/her direct unit or department. Such data is classified at the Standard, Moderate, High, or Ultra sensitivity level.
- A4: High-Level Security
These accounts provide access to sensitive administrative data at the level of a central office, college or equivalent organizational unit. This security level:
- includes access to information about others within the same organizational unit.
- may grant the ability to approve access to unit level data.
- may also include access to information at the institutional level. For example, central office users and specifically authorized college/division level users may access university-wide information stored in the Human Resource System, Financials System and Student Information System.
Data at this level may be classified as having Standard, Moderate, High, or Ultra sensitivity.
- A5: Rigorous Security
These accounts are used to control institution-wide applications and databases, including system, application and database default and implementation options. They include user accounts used in maintaining production applications such as the Human Resource System, Financials System or Student Information System.
Data at this level may be classified as having Standard, Moderate, High, or Ultra sensitivity.
Password Standard Matrix
At this time, there is a one-to-one relationship between the account types and password levels. For example, Account type A1 is protected by a P1 level password, and Account type A3 is protected by a P3 level password. This may change in the future as password characteristics are adjusted and additional account types are added.
Assigning Attributes to be Verified for Password Levels

| Attribute | P1 | P2 | P3 | P4 | P5 |
|---|---|---|---|---|---|
| Minimum length of password | 8 | 8 | 8 | 8 | 8 |
| Maximum length of password **** | 100 | 100 | 100 | 100 | 100 |
| Password is character checked for strength * | Yes | Yes | Yes | Yes | Yes |
| Maximum age of password (in days between changes) | 365 | 365 | 90 | 90 | 30 |
| Days of daily expiration warnings (where available) | 14 | 14 | 14 | 14 | 7 |
| Failed attempts before lockout | 10 | 10 | 10 | 10 | 10 |
| May reset via Self Service Web (when this reset facility becomes available) | Yes | Yes | No | No | No |
| May reset via Help Desk phone with acceptable identity verification (UIA questions) | Yes | Yes | Yes | Yes | No |
| Can reset at Help Desk in person ** | Yes | Yes | Yes | Yes *** | Yes *** |
| Must read Computer Use Regulation on Self Service reset | Yes | Yes | Yes | Yes | Yes |
| Must complete security class and sign Information Security Acknowledgement form before access is granted to administrative applications | No | No | Yes | Yes | Yes |
| Must require use of two-factor authentication (when capability is implemented) | No | No | No | No | No |
| Cannot be a previously used password | Yes | Yes | Yes | Yes | Yes |
* Password strength checks verify that the password:
- Does not contain the user's Unity username
- Does not contain the user's Unity username backwards
- Does not contain the single quote character ('), a Google limitation
- Does contain at least one digit (number)
- Does contain at least one letter
- Does not contain a word found in the dictionary with three or more letters
- Does not have five consecutive digits; e.g., a phone number
- Is more than a simple case change of your old password
**** Password maximum length is limited to 32 characters if you need to log in to Postini as an administrator.
The following three recommended but not mandatory strength checks are performed when a password is changed:
- contain at least one special keyboard character (not a number or letter)
- contain at least one capital letter
- contain at least one lowercase letter
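As an added illustration (not part of the standard itself), the following Python code applies the mandatory strength checks, the matrix length limits and the three recommended checks to a candidate password. The username, word list and password history are constructed sample values; unlike the text, which speaks of "your old password", the case-change and reuse checks here are applied against every stored previous password.

```python
import re

MIN_LENGTH, MAX_LENGTH = 8, 100  # from the Password Standard Matrix

# Constructed stand-in for the real dictionary; only words of 3+ letters are checked.
SAMPLE_DICTIONARY = ("pass", "word", "summer", "wolf", "pack", "it")


def mandatory_failures(password, username, history=(), dictionary=SAMPLE_DICTIONARY):
    """Return the mandatory checks the candidate password fails (empty list = acceptable)."""
    failures = []
    lower, user = password.lower(), username.lower()
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        failures.append(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    if user and user in lower:
        failures.append("contains the Unity username")
    if user and user[::-1] in lower:
        failures.append("contains the Unity username backwards")
    if "'" in password:
        failures.append("contains a single quote (Google limitation)")
    if not any(c.isdigit() for c in password):
        failures.append("needs at least one digit")
    if not any(c.isalpha() for c in password):
        failures.append("needs at least one letter")
    hits = sorted(w for w in dictionary if len(w) >= 3 and w.lower() in lower)
    if hits:
        failures.append("contains dictionary word(s): " + ", ".join(hits))
    if re.search(r"\d{5}", password):  # e.g. a phone number
        failures.append("contains five consecutive digits")
    if any(password == old for old in history):
        failures.append("matches a previously used password")
    elif any(lower == old.lower() for old in history):
        failures.append("is only a case change of a previous password")
    return failures


def recommended_warnings(password):
    """Return the recommended (non-mandatory) checks the password does not satisfy."""
    warnings = []
    if not any(c.isupper() for c in password):
        warnings.append("no capital letter")
    if not any(c.islower() for c in password):
        warnings.append("no lowercase letter")
    if not any(not c.isalnum() for c in password):
        warnings.append("no special keyboard character")
    return warnings


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3x", "jdoe2013", "Summer919555", "WolfPack1"):
        print(candidate, mandatory_failures(candidate, "jdoe", history=["wolfpack1"]),
              recommended_warnings(candidate))
```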
Expiration of individual passwords should be set to occur only during the university Help Desk business hours – as permitted by authentication systems – in order to provide users with immediate Help Desk support. However, users who have problems logging in during times when the Help Desk is not open will need to seek assistance the next business day.
- Some users may have their password reset by calling the university Help Desk and correctly identifying themselves via the User Identification and Authentication (UIA), a secure question and answer survey. The user should complete this survey in advance of the password reset request.
- Users can have their passwords reset by appearing in person at the university Help Desk with a photo ID.
- *** Users should change their password immediately after a password reset (doing so onsite at the Help Desk is recommended).
- ** Where the user's location is remote from the Help Desk, special arrangements will be made to accommodate the user's change of password on a timely basis. The user will be asked to provide copies of credentials showing picture, signature and full name as a graphic or faxed document.
- Users may be required to read and accept REG 08.00.02 Computer Use Regulation, which describes appropriate use of university information technology resources, before being granted access to university computer systems.
- Users are required to read and sign the Information Security Acknowledgement Form (ISAF) via MyPack Portal before being granted access to the Human Resource System, the Financials System, the Student Information System, or other administrative applications and data. To access the Information Security Acknowledgement Form (ISAF) via the Portal, log in with your Unity ID and password, then navigate to Main Menu > Employee Self Service > Personal Information > ISA Form.
- This Password Standard was developed by the Office of Information Technology IT Policy and Compliance Team. It was sponsored and approved by the Compliance and Policy Working Group of the Security and Compliance Subcommittee of the IT Strategic Advisory Committee (ITSAC), the Campus IT Directors Committee (CITD), and the Vice Chancellor for Information Technology/Chief Information Officer (CIO and VCIT).
- A team is actively reviewing password standards with respect to the university Identity Management project. The needs of the wider university community and recent research on password entropy will also be taken into consideration.
- Exceptions and changes to these standards must be approved by the standard sponsors, and written documentation of exceptions and changes will be maintained by the standard sponsors.
For questions or comments concerning the Password Standard, contact Leo Howell, assistant director of IT Policy and Compliance in the OIT Security and Compliance unit, at firstname.lastname@example.org.