
ITS003 - Password Selection and Management

Purpose:

Passwords are a critical part of information and network security. Passwords serve to protect user accounts, but a poorly chosen password, if compromised, could put the entire network at risk. As a result, all employees of Macquarie University are required to take appropriate steps to ensure that they create strong, secure passwords and keep them safeguarded at all times.

This document is a “Statement of Best Practice”, that is, a recommendation. It is NOT a policy. However, it is a pragmatic balance of security and ease of use and Macquarie University staff are encouraged to use it.

Why is it not a policy? Many organisations have attempted to enforce rigid controls regarding the use of passwords for computer systems, often using technological controls that force computer users to use passwords of a certain length and a certain composition. This approach works when users have ‘single sign-on’, that is, one account name and one password that provide access to all computer systems they require. However, many organisations, including Macquarie University, do not have single sign-on and users must remember many different passwords. Rigid, technologically enforced controls mean that passwords must change regularly, often at different times. More importantly, it is not uncommon for each system to have a different standard, making it difficult to reuse the same password in multiple systems. Experience shows that this combination results in users writing passwords down and often leaving them in public places – the end result being a LESS secure environment which defeats the purpose of using passwords.

Therefore, the guidelines in this paper are suggestions and it is highly recommended that staff follow as many of the suggestions as possible.

Staff are reminded that they are responsible for their passwords regardless of whether or not these recommendations are followed.

The Statement of Best Practice will be modified to Policy as and when single sign-on, or similar technology, is introduced.

Scope

This Statement of Best Practice is intended for the use of Macquarie contractors and guests.

Student passwords are covered by a separate policy document.

General

Frequency of Changing Passwords

Passwords should be changed at least every 28 days, or whenever any of the following events occur:

  1. You give your password to someone else. You should never volunteer your password to another person; however, in the event that you do, you should change it immediately.

  2. You suspect someone has seen you enter your password.

  3. You have reason to believe that someone may have stolen your password through the use of technology or by logging your password. In this event you should change your password immediately, then report your suspicions to the ITS Security Officer by emailing itsecurity@mq.edu.au.

Old passwords should not be re-used for a period of 12 months.


Password Construction Guidelines

Passwords are used to access any number of company systems, including the network, AMIS, FMIS, PMIS, e-mail and the web. Poor, weak passwords are easily cracked, and put the entire system at risk. Therefore, strong passwords are required. The key is to create a password that is easy to remember but hard to guess.

  1. Passwords should not be based on well-known or easily accessible personal information.

  2. Passwords should contain as many characters as possible within the limits of the computer system – the Macquarie University network account will allow up to 14 characters. Longer passwords are more secure because they are harder to ‘crack’ and are often easier to remember because you can use complete words and perhaps sentences. You can often use spaces - for example: Here I am 2day

  3. Passwords should contain a mix of uppercase letters, lowercase letters, numbers and special characters (e.g. $,! (*)/ and space).

  4. A new password should contain at least 6 characters that are different from those found in the old password which it is replacing.

  5. Passwords should not be based on a user’s personal information or that of his or her friends, family members, or pets. Personal information includes logon I.D., name, birthday, address, phone number or any permutations thereof.

  6. Passwords should not be words that can be found in a standard dictionary (English or foreign) or are publicly known slang or jargon.

  7. Passwords should not be based on publicly known fictional characters from books, films, and so on.

  8. Passwords should not be based on the company’s name or geographic location.
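The construction guidelines above can be turned into a self-service check that tells a user which guideline a candidate password fails before it is set. The following Python is an added illustration, not Macquarie University's own tooling; the 14-character limit, the 6-character change requirement and the four character classes come from the guidelines, while the positional reading of "different characters", the tiny inline word list and the organisation-name term are assumptions.

```python
import re
from itertools import zip_longest

MAX_NETWORK_LENGTH = 14      # Macquarie network account limit stated in guideline 2
MIN_CHANGED_CHARS = 6        # guideline 4
ORG_TERMS = ("macquarie",)   # guideline 8; geographic terms would be added here

# Constructed sample word list standing in for a real dictionary (guideline 6).
DICTIONARY = {"password", "welcome", "dragon", "macquarie", "sydney"}


def char_classes(pw):
    """Return the set of character classes present in pw (guideline 3)."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")   # punctuation and spaces both count
    return classes


def chars_changed(new, old):
    """Positions at which new differs from old; extra length counts as changed.
    Reading 'different characters' positionally is an assumption of this example."""
    return sum(a != b for a, b in zip_longest(new, old))


def check_password(new, old="", personal=()):
    """Return (guideline number, reason) pairs that the candidate password fails."""
    failures = []
    low = new.lower()
    letters_only = re.sub(r"[^a-z]", "", low)
    if len(new) > MAX_NETWORK_LENGTH:
        failures.append(("2", "exceeds the 14-character network account limit"))
    if len(char_classes(new)) < 4:
        failures.append(("3", "needs upper, lower, digit and special characters"))
    if chars_changed(new, old) < MIN_CHANGED_CHARS:
        failures.append(("4", "fewer than 6 characters differ from the old password"))
    hits = [p for p in personal if len(p) >= 3 and p.lower() in low]
    if hits:
        failures.append(("5", "contains personal information: " + ", ".join(hits)))
    if low in DICTIONARY or letters_only in DICTIONARY:
        failures.append(("6", "is a dictionary word once digits and punctuation are ignored"))
    if any(term in low for term in ORG_TERMS):
        failures.append(("8", "based on the organisation's name"))
    return failures
```

With the page's own example, `check_password("Here I am 2day", old="Welcome2005!")` returns no failures, whereas a password such as `Macquarie1` replacing `Macquarie2` fails guidelines 3, 4, 6 and 8 at once.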


Password Protection Guidelines

  1. Passwords should be treated as confidential information. No employee should give, tell, or hint at their password to another person, including IT staff, administrators, superiors, other co-workers, friends, and family members.

  2. If someone demands your password, refer them to this document or have them contact the IT Services Department.

  3. Passwords should not be transmitted electronically over the unprotected Internet, such as via e-mail. However, passwords may be used to gain remote access to university resources via the remote access server (RAS) or secure web sites.

  4. No employee is to keep an unsecured written record of his or her passwords, either on paper or in an electronic file. If it proves necessary to keep a record of a password, then it must be kept in a locked place if in hardcopy form or in an encrypted file if in electronic form.

  5. Do not use the “Remember Password” feature of applications.

  6. Passwords used to gain access to University systems should not be used as passwords to access non-University accounts or information.

  7. The IT Department may attempt to crack or guess users’ passwords as part of its ongoing security vulnerability auditing process. If a password is cracked or guessed during one of these audits, the user will be required to change his or her password immediately.


Approval

This policy was approved by the Macquarie University ITC Policy Committee on 14 March 2005.

Supplementary Information

Other Relevant Information

The legislation and other University policies relevant to this policy are:

  • Privacy Policy
  • Copyright Policy
  • Accessibility Policy
  • IT Security Policy
  • Intellectual Property Policy
  • Code of Conduct
  • Visual Identity Guide

Copyright & Site information

  • Last Updated: Mon, 20 Aug 2007 10:55:52 AEST
  • Authorised by: Director, IT Services