Password Standard

Revised July 31, 2018

Overview

The Office of Information Technology (OIT) has provided a framework for passwords and account types used in the authentication process for university-wide applications. The Password Standard establishes:

  • Levels of password security required for authentication by varying account types
  • Characteristics of passwords required to comply with security standards

Scope

The Password Standard includes all user credentials for accessing university-wide applications and systems, including but not limited to usernames and passwords. In most cases, these applications and systems use campus-wide credential systems (for example, Unity) for authentication. This standard may also apply to other enterprise-level systems that use different credentials.

The Password Standard:

  • May be adopted optionally for unit, department, and college-level applications and systems
  • Is recommended, but not mandatory, for unit-level systems that provide their own credentialing and access control
  • Does not necessarily apply to locally administered systems; for example, within departments and colleges
  • Does not specify requirements for security of system administrator access to systems

Password Standard Specifications

NC State University is committed to a secure information technology environment in support of its missions. The assignment of a password level is based on an individual’s security role(s) for a specific user account. A security role requires direct management approval and is not automatically granted based upon the individual’s position within the university.

Levels of accounts and associated passwords are defined in this section, based on increasing scope and sensitivity of the data accessed by the account holder.

Levels of Application Security

Five levels of security, A1 through A5, are defined for categorizing university account types. These levels are assigned based on the sensitivity and scope of access provided to a particular user. User access is addressed in the Data Sensitivity Framework, which includes the sensitivity classifications used below.

Characteristics of account types and their assigned levels of security:

  • A1:  Entry-Level Security
    A1 accounts are for individuals external to the university and imply no assurance of affiliation or identity verification; for example, guests, student applicants, and job applicants. A1-account data is classified at the Standard sensitivity level.
  • A2:  Standard-Level Security
    A2 accounts provide access to sensitive information only about the individual accessing the account; for example, access to email, web, personal computer, and application data for the logged-in user. A2-account data is classified at the Standard or Moderate sensitivity level. Data specific to the person accessing the university administrative systems may be classified at the Moderate or High sensitivity level.
  • A3:  Medium-Level Security
    A3 accounts provide access to sensitive administrative data at the unit or department level. For example, an individual may be authorized to access data in the Human Resource system, Financials system, or Student Information System beyond his or her personal information, to include other relevant information in his or her unit or department. A3-account data is classified at the Standard, Moderate, High, or Ultra sensitivity level.
  • A4:  High-Level Security
    A4 accounts provide access to sensitive administrative data at the level of a central office, college, or equivalent organizational unit. This security level:

    • Allows access to information about other individuals within the same organizational unit.
    • May grant the ability to approve access to unit-level data.
    • May include access to information at the institutional level. For example, central office users and specifically authorized college/department-level users may access university-wide information stored in the Human Resource system, Financials system, and Student Information System.

    A4-account data is classified at the Standard, Moderate, High, or Ultra sensitivity level.
  • A5:  Rigorous Security
    A5 accounts are used to control institution-wide applications and databases, and the default and implementation options of systems, applications, and databases. They include user accounts used in maintaining production applications such as the Human Resource system, Financials system, and Student Information System. A5-account data is classified at the Standard, Moderate, High, or Ultra sensitivity level.

Password Standard Matrix

At this time, there is a one-to-one relationship between the account types and password levels. For example, the A1 account type is protected by a P1-level password, and the A3 account type is protected by a P3-level password. This may change in the future as password characteristics are adjusted and additional account types are added.

Assigning Attributes to be Verified for Password Levels

Attribute | P1 | P2 | P3 | P4 | P5
Minimum length of password | 8 | 8 | 8 | 8 | 8
Maximum length of password | 100 | 100 | 100 | 100 | 100
Password strength is checked | Yes | Yes | Yes | Yes | Yes
Maximum age of password (in days between changes) | 365 | 365 | 180 | 90 | 90
Notifications 7 days, 3 days and 1 day prior to password expiration | Yes | Yes | Yes | Yes | Yes
Failed attempts before lockout | 10 | 10 | 10 | 10 | 10
Self-service password reset via Self Service (if UIA security questions have been entered) | Yes | Yes | Yes | No | No
May have reset via Help Desk phone with acceptable identity verification (UIA security questions) | Yes | Yes | Yes | Yes | No
Can reset at Walk-in Center in person with valid ID | Yes | Yes | Yes | Yes | No
Mandatory in-person password reset by Security & Compliance ISS with valid ID | No | No | No | No | Yes
Mandatory consent to obey Computer Use Regulation during self-service password reset | Yes | Yes | Yes | Yes | Yes
Must complete security class and sign Information Security Acknowledgement Form before access is granted to administrative applications | No | No | Yes | Yes | Yes
Mandatory enrollment in Two-factor Authentication for Shibboleth (Duo); see note below | No | No | Yes | Yes | Yes
Cannot be a previously used password | Yes | Yes | Yes | Yes | Yes

NOTE: All university employees are required to enable both Google 2-step and Duo as of October 31, 2017.

Password strength checks verify that the password:

  • Does not contain the user's Unity username (either forward or reversed)
  • Does not contain the single quote character ( ' ); a Google limitation
  • Does contain at least one digit (number)
  • Does contain at least one letter
  • Does not begin or end with a space
  • Does not have five consecutive digits; for example, a phone number
  • Is more than a simple case change of the old password
  • Does not contain certain names or common words such as access, crayon, password, almost, NCSU, and so forth

The following recommended, but not mandatory, strength checks are performed when a password is changed:

  • Contains at least one special keyboard character (not a number or letter)
  • Contains at least one capital letter
  • Contains at least one lowercase letter
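The mandatory and recommended strength checks above, expressed as an added example (not OIT's own implementation) so that each rule can be exercised against sample passwords. It assumes the single quote is the ASCII apostrophe, that "five consecutive digits" means five digit characters in a row, that "simple case change" means the new password equals the old one ignoring case, and that the common-word blocklist is the short constructed tuple below; the university's full list is not on the page.

```python
import re

# Constructed, abbreviated blocklist. The standard says "certain names or
# common words such as access, crayon, password, almost, NCSU, and so forth";
# the full list is not published, so this tuple is an assumption.
COMMON_WORDS = ("access", "crayon", "password", "almost", "ncsu")
MIN_LENGTH, MAX_LENGTH = 8, 100   # from the Password Standard Matrix


def mandatory_failures(password, unity_id, old_password=None):
    """Return the mandatory strength checks that `password` fails.

    Empty list means every mandatory check passed. `old_password` is the
    password being replaced, if known (needed for the case-change rule)."""
    failures = []
    lowered = password.lower()
    uid = unity_id.lower()
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        failures.append("length must be 8 to 100 characters")
    # Unity username must not appear forward or reversed (case-insensitive).
    if uid and (uid in lowered or uid[::-1] in lowered):
        failures.append("contains the Unity username (forward or reversed)")
    if "'" in password:  # assumes the ASCII apostrophe is the character meant
        failures.append("contains the single quote character")
    if not re.search(r"[0-9]", password):
        failures.append("needs at least one digit")
    if not re.search(r"[A-Za-z]", password):
        failures.append("needs at least one letter")
    if password != password.strip(" "):
        failures.append("must not begin or end with a space")
    if re.search(r"[0-9]{5}", password):  # e.g. a phone number
        failures.append("has five consecutive digits")
    # "More than a simple case change": same string ignoring case is rejected.
    if old_password is not None and lowered == old_password.lower():
        failures.append("only a case change of the old password")
    if any(word in lowered for word in COMMON_WORDS):
        failures.append("contains a blocked common word")
    return failures


def recommended_failures(password):
    """Return the recommended (non-mandatory) checks that `password` fails."""
    failures = []
    if not re.search(r"[^A-Za-z0-9]", password):  # anything but letter/digit
        failures.append("no special keyboard character")
    if not re.search(r"[A-Z]", password):
        failures.append("no capital letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    return failures
```

A real deployment would also need the "cannot be a previously used password" rule, which requires a history of prior password hashes rather than only the current one.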

Password Change

To provide users with immediate Help Desk support, expiration of individual passwords is set to occur only during NC State Help Desk business hours, as permitted by each authentication system. Please note, however, that if a user has problems logging in when the Help Desk is not open, Help Desk assistance will be unavailable until the next business day.

  • Some users may have their password reset by calling the Help Desk and correctly identifying themselves via the User Identification and Authentication (UIA), a secure Q&A survey. The user should complete this survey in advance of the password reset request.
  • Users can have their passwords reset by appearing in-person at the Help Desk or Walk-in Center with a photo ID.
  • Users should change the password immediately after a password reset.
  • When working remotely, special arrangements will be made to accommodate password changes in a timely manner. The user will be asked to provide copies of credentials with photo and signature and full name as a graphic or faxed document.
  • Before being granted access to university computer systems, users may be required to read and accept REG 08.00.02 Computer Use Regulation, which describes appropriate use of university information technology resources.
  • Users are required to read and sign the Information Security Acknowledgement (ISA) form via MyPack Portal before being granted access to the Human Resource System, the Financials System, the Student Information System, or other administrative applications and data. To access the ISA form via the Portal, log in with your Unity ID and password, and navigate to Main Menu > Employee Self Service > Personal Information > ISA Form.

Governance

  • This Password Standard was developed by the Office of Information Technology IT Policy and Compliance Team and then sponsored and approved by the Compliance and Policy Working Group of the Security and Compliance Subcommittee of the IT Strategic Advisory Committee (ITSAC), the Campus IT Directors (CITD) Committee, and the Vice Chancellor for Information Technology/Chief Information Officer (VCIT and CIO).
  • Exceptions and changes to these standards must be approved by the standard sponsors, who will maintain documentation of all exceptions and changes.

Contact

For questions or comments concerning the Password Standard, contact Damon Armour, Director of Information Security Risk & Assurance within OIT Security & Compliance.