Introduction
Definitions
Constructing a Strong Password
Strong Password Guidelines
Application Guidelines
Introduction
Passwords are a means of controlling access to Information Resources. Unauthorized access can
compromise information confidentiality, integrity and availability, resulting in loss of revenue, liability, loss
of trust or embarrassment to U. T. System Administration. U. T. System Administration’s security policy
calls for the use of strong passwords to ensure password confidentiality and protect the data at System
Administration. Password requirements:
All passwords, including initial passwords, must be constructed, implemented, and maintained according to
the System Administration password policy. Passwords must:
• Be changed at least annually
• Be changed immediately if the security of the password is in doubt
• Be treated as confidential information
• Have a minimum length of 8 characters
• Consist of a combination of alphabetic, numeric, or special characters
• Be encrypted when stored or transmitted
Definitions
Strong Password: A strong password is constructed so that another user or a “hacker” program cannot
easily guess it. It typically has a minimum length and contains a combination of alphabetic, numeric,
or special characters. Combine short, unrelated words with numbers, special characters, or mixed case.
For example: eAt42peN
Constructing a Strong Password
System Administration has adopted Microsoft’s strong password implementation. To construct a strong
password you must use characters from at least 3 of the following 4 character sets and have a minimum of 8 characters:
• Upper case letters (A–Z)
• Lower case letters (a–z)
• Numbers (0–9)
• Special characters (#$%&*, etc.)
Examples:
2BorNot2B
*TT4now!
Gre@td@y
Strong Password Guidelines
Passwords should not be easily related to such personal information as:
• your username or logon ID
• your employee number
• your given name
• names of family, friends, pets, co-workers, fantasy characters, etc.
• your nickname
• your social security or driver’s license number
• your birthday
• your license plate number
• your address or street name
• your phone number
• the name of your town or city
• the name or abbreviation of your company or department
• computer terms and names, commands, sites, companies, hardware, software, etc.
• common industry terms or acronyms
• word or number patterns such as aaabbb, zyxwvut, 123321, etc.
• makes or models of vehicles
• slang words
• obscenities
• technical terms
• school names, school mascot, or school slogans
• any information about you that is known or is easy to learn (favorite food, color, sport, etc.)
• any popular phrases, acronyms, jargon, etc.
• words that appear in a dictionary (English or foreign)
• the reverse of any of the above
• the same as other passwords selected for personal use outside of the office, or passwords commonly
used on public web sites
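The construction rule above (at least 3 of the 4 character sets, minimum 8 characters) and a few of the mechanically checkable guidelines (no username or its reverse, no repeated or sequential patterns such as aaabbb, zyxwvut or 123321) can be expressed as a single policy check. The following Python is an added example, not code from System Administration or from Microsoft's implementation; it assumes that any printable punctuation character counts as a "special character" and that a username shorter than three characters is too short to test for meaningfully. The function names (`character_classes`, `has_trivial_pattern`, `related_to_username`, `check_password`, `is_strong`) are this example's own.

```python
import string

MIN_LENGTH = 8        # minimum length from the policy
REQUIRED_CLASSES = 3  # at least 3 of the 4 character sets


def character_classes(password):
    """Return the set of character sets used: upper, lower, digit, special."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            # Assumption: any printable punctuation (#$%&*@! ...) is a special character.
            classes.add("special")
    return classes


def has_trivial_pattern(password, run=3):
    """True if `run` or more consecutive characters are identical (aaabbb)
    or form a straight ascending/descending sequence (123, zyx)."""
    p = password.lower()
    for i in range(len(p) - run + 1):
        codes = [ord(c) for c in p[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def related_to_username(password, username):
    """True if the password contains the username or its reverse (case-insensitive).
    Assumption: usernames shorter than 3 characters are not checked."""
    if len(username) < 3:
        return False
    p, u = password.lower(), username.lower()
    return u in p or u[::-1] in p


def check_password(password, username=""):
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < REQUIRED_CLASSES:
        problems.append(f"uses fewer than {REQUIRED_CLASSES} of the 4 character sets")
    if has_trivial_pattern(password):
        problems.append("contains a repeated or sequential pattern")
    if related_to_username(password, username):
        problems.append("contains the username or its reverse")
    return problems


def is_strong(password, username=""):
    return not check_password(password, username)


if __name__ == "__main__":
    # The page's own examples, plus a few constructed weak candidates.
    for candidate, user in [("2BorNot2B", ""), ("*TT4now!", ""), ("Gre@td@y", ""),
                            ("eAt42peN", ""), ("password", ""), ("Abc123!x", ""),
                            ("Jsmith42!", "jsmith")]:
        print(f"{candidate!r:12} -> {check_password(candidate, user) or 'OK'}")
```

All four passwords given on this page pass the check, while a constructed candidate such as Abc123!x is rejected solely for the "Abc" sequence even though it satisfies the length and character-set rules. Checks that depend on data outside the program (dictionary words, personal information, reuse of passwords from other sites) are not attempted here; the page's plan to enforce standards centrally through LDAP or Active Directory is where such rules belong.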
Application Passwords
The application environment at System Administration consists of web applications hosted on the
mainframe at Austin, terminal emulation applications hosted on the mainframe, Access database
applications hosted on the local area network, applications that are hosted by outside providers,
and web applications hosted locally. Some of the latter use Access databases for data storage
and some use SQL Server for data storage. Authentication methods for each of these application
types differ slightly, with some variation depending on what the particular
technology allows.
In all cases, the password does not display while it is being entered, and web-based login occurs
over an SSL connection. Overall, however, applications hosted at System Administration have
not been written to enforce a strong password.
Now that password standards have been defined, the long-term plan is to rewrite the logins for
existing applications to authenticate against LDAP or Active Directory, and to develop new
applications to use those services once they are in place. Password standards could then be
enforced through those services. We regard this as a more efficient and reliable means of
ensuring consistency in standards than having each application enforce standards independently.
See the U. T. System Administration Information Resources Acceptable Use and Security Policy for more
information.