Password Standard

Revised May 8, 2017

Overview

The Office of Information Technology (OIT) has provided a framework for passwords and account types that are used in the authentication process for university-wide applications. The Password Standard establishes:

  • levels of password security needed for authentication by different account types
  • characteristics of passwords to meet security needs

Scope

The Password Standard includes all user credentials for accessing enterprise-level (university-wide) applications and systems, including but not limited to usernames and passwords. In most cases, these applications and systems use campus-wide credential systems (e.g., Unity) for authentication. This standard may also apply to other enterprise-level systems that use different credentials.

The Password Standard:

  • may be optionally adopted for unit, departmental and college-level applications and systems
  • is recommended, but not mandatory, for unit-level systems that provide their own credentialing and access control
  • does not necessarily apply to locally-administered systems; e.g., within departments and colleges
  • does not specify requirements for security of system administrator access to systems

Password Standard Specifications

NC State University is committed to a secure information technology environment in support of its missions. The assignment of a password level is based on an individual’s security role(s) for a specific user account. A security role requires direct management approval and is not automatically granted based upon the individual’s position with the university.

Levels of accounts and associated passwords are defined in this section, based on increasing scope and sensitivity of the data accessed by the account holder.

Levels of Application Security

Five levels of security, A1 through A5, are defined for categorizing university account types. These levels are assigned based on the sensitivity and scope of access provided to a particular user. User access is addressed in the Data Sensitivity Framework, which includes the sensitivity classifications used below. Characteristics of account types and assigned levels of security are:

  • A1: Entry-Level Security
    These accounts are used by individuals external to the university and imply no assurance of affiliation or identity verification; e.g., guests, student applicants, job applicants. Such data are always classified at the Standard sensitivity level.
  • A2: Standard-Level Security
    These accounts provide access to sensitive information about only the individual accessing the account; e.g., email, web, personal computer, and application data access for the logged-in user only. Such data will be classified at the Standard or Moderate sensitivity level. The specific data about the person accessing the university administrative systems may be classified at the Moderate or High sensitivity level.
  • A3: Medium-Level Security
    These accounts provide access to sensitive administrative data at the unit or department level. For example, an individual may be authorized to access data in the Human Resource System, Financials System or Student Information System beyond his/her personal information, to include other relevant information in his/her direct unit or department. Such data is classified at the Standard, Moderate, High, or Ultra sensitivity level.
  • A4: High-Level Security
    Data at this level may be classified as having Standard, Moderate, High, or Ultra sensitivity.
    These accounts provide access to sensitive administrative data at the level of a central office, college or equivalent organizational unit. This security level:

    • includes access to information about others within the same organizational unit.
    • may grant the ability to approve access to unit level data.
    • may also include access to information at the institutional level. For example, central office users and specifically authorized college/division level users may access university-wide information stored in the Human Resource System, Financials System and Student Information System.
  • A5: Rigorous Security
    Data at this level may be classified as having Standard, Moderate, High, or Ultra sensitivity.
    These accounts are used to control institution-wide applications and databases, including system, application and database default and implementation options. They include user accounts used in maintaining production applications such as the Human Resource System, Financials System or Student Information System.

Password Standard Matrix

At this time, there is a one-to-one relationship between the account types and password levels. For example, Account type A1 is protected by a P1 level password, and Account type A3 is protected by a P3 level password. This may change in the future as password characteristics are adjusted and additional account types are added.

Assigning Attributes to be Verified for Password Levels

Attribute | P1 | P2 | P3 | P4 | P5
--- | --- | --- | --- | --- | ---
Minimum length of password | 8 | 8 | 8 | 8 | 8
Maximum length of password | 100 | 100 | 100 | 100 | 100
Password strength is checked | Yes | Yes | Yes | Yes | Yes
Maximum age of password (in days between changes) | 365 | 365 | 180 | 90 | 90
Notifications 7 days, 3 days and 1 day prior to password expiration | Yes | Yes | Yes | Yes | Yes
Failed attempts before lockout | 10 | 10 | 10 | 10 | 10
Self-service password reset via Self Service (if UIA security questions have been entered) | Yes | Yes | Yes | No | No
May have reset via Help Desk phone with acceptable identity verification (UIA security questions) | Yes | Yes | Yes | Yes | No
Can reset at Walk-in Center in person with valid ID | Yes | Yes | Yes | Yes | No
Mandatory in-person password reset by Security & Compliance ISS with valid ID | No | No | No | No | Yes
Mandatory consent to obey Computer Use Regulation during self-service password reset | Yes | Yes | Yes | Yes | Yes
Must complete security class and sign Information Security Acknowledgement Form before access is granted to administrative applications | No | No | Yes | Yes | Yes
Mandatory enrollment in Two-factor Authentication for Shibboleth (Duo) (NOTE: all university employees will be required to enable both Google 2-step and Duo by October 31, 2017) | No | No | No | Yes | Yes
Cannot be a previously used password | Yes | Yes | Yes | Yes | Yes

Password strength checks verify that the password:

  • Does not contain the user's Unity username
  • Does not contain the user's Unity username backwards
  • Does not contain the single quote character ('), a Google limitation
  • Does contain at least one digit (number)
  • Does contain at least one letter
  • Does not start or end with a space
  • Does not contain five consecutive digits (e.g., a phone number)
  • Is more than a simple case change of your old password

The following three checks are recommended but not mandatory; they are also performed when a password is changed, and the password should:

  • contain at least one special keyboard character (not a number or letter)
  • contain at least one capital letter
  • contain at least one lowercase letter
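
The mandatory and recommended strength checks above, implemented as an added example (constructed here, not OIT's own checker). It assumes that username matching is case-insensitive and that "special keyboard character" means any non-alphanumeric character; the password-history check needs stored history and is left out.

```python
import re
from typing import List, Optional

# Constructed checker for the strength rules in the Password Standard; not
# OIT's implementation. Assumptions: username and reversed-username matching
# is case-insensitive; "special keyboard character" = any non-alphanumeric.
MIN_LEN, MAX_LEN = 8, 100   # from the Password Standard Matrix, all levels


def mandatory_failures(password: str, unity_id: str,
                       old_password: Optional[str] = None) -> List[str]:
    """Names of the mandatory strength checks the password fails (empty = pass).
    The history check ("cannot be a previously used password") needs stored
    history and is outside the scope of this function."""
    failures = []
    uid, pw = unity_id.lower(), password.lower()
    if not MIN_LEN <= len(password) <= MAX_LEN:
        failures.append("length outside %d-%d characters" % (MIN_LEN, MAX_LEN))
    if uid and uid in pw:
        failures.append("contains Unity username")
    if uid and uid[::-1] in pw:
        failures.append("contains Unity username backwards")
    if "'" in password:
        failures.append("contains single quote character")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no letter")
    if password != password.strip(" "):
        failures.append("starts or ends with a space")
    if re.search(r"[0-9]{5}", password):
        failures.append("five consecutive digits")
    if old_password is not None and pw == old_password.lower():
        failures.append("only a case change of old password")
    return failures


def recommended_failures(password: str) -> List[str]:
    """Names of the three recommended (non-mandatory) checks the password fails."""
    failures = []
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special keyboard character")
    if not re.search(r"[A-Z]", password):
        failures.append("no capital letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    return failures
```

Calling `mandatory_failures("jdoe12345", "jdoe")` reports both the embedded username and the five consecutive digits, so a reset form can show the user every rule they missed at once.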

Password Change

Expiration of individual passwords should be set to occur only during NC State Help Desk business hours (as permitted by the authentication systems) so that users have immediate Help Desk support. Users who have problems logging in while the Help Desk is closed will need to seek assistance on the next business day.

  • Some users may have their password reset by calling the Help Desk and correctly identifying themselves via the User Identification and Authentication (UIA), a secure question and answer survey. The user should complete this survey in advance of the password reset request.
  • Users can have their passwords reset by appearing in person at the Help Desk or Walk-in Center with a photo ID.
  • Users should change their password immediately after a password reset.
  • Where the user's location is remote from the Help Desk, special arrangements will be made to accommodate the user's password change on a timely basis. The user will be asked to provide copies of credentials with picture, signature and full name as a graphic or faxed document.
  • Users may be required to read and accept REG 08.00.02 Computer Use Regulation, which describes appropriate use of university information technology resources, before being granted access to university computer systems.
  • Users are required to read and sign the Information Security Acknowledgement Form (ISAF) via MyPack Portal before being granted access to the Human Resource System, the Financials System, the Student Information System, or other administrative applications and data. To access the Information Security Acknowledgement Form (ISAF) via the Portal, log in with your Unity ID and password, then navigate to Main Menu > Employee Self Service > Personal Information > ISA Form.

Governance

  • This Password Standard was developed by the Office of Information Technology IT Policy and Compliance Team. It was sponsored and approved by the Compliance and Policy Working Group of the Security and Compliance Subcommittee of the IT Strategic Advisory Committee (ITSAC), the Campus IT Directors Committee (CITD), and the Vice Chancellor for Information Technology/Chief Information Officer (CIO and VCIT).
  • Exceptions and changes to these standards must be approved by the standard sponsors, and written documentation of exceptions and changes will be maintained by the standard sponsors.

Contact

For questions or comments concerning the Password Standard, contact Leo Howell, assistant director of IT Policy and Compliance in the OIT Security and Compliance unit, at leo_howell@ncsu.edu.