University of Central Florida

Information Security

 
Password Protection

Background:

Your password is the primary method for assuring the privacy of your personal information and computing activity, and for preventing others from using your information for disruptive, offensive, or illegal activities.

These standards and guidelines apply to anyone accessing systems that hold or transmit University data. Systems include, but are not limited to: personal computers, laptops, cell phones, and small form factor computing devices (e.g., PDAs, USB memory drives, electronic organizers), as well as UCF web services, systems and servers.

Standards & Guidelines:

All passwords (e.g., email, web, desktop computer, etc.) should be strong passwords and should follow the guidelines below. In general, a password's strength will increase with length, complexity and frequency of changes.

High risk systems may require a higher level of protection. High risk systems include but are not limited to: systems that provide access to critical or sensitive information, controlled access to shared data, a system or application with weaker security, and administrator accounts that maintain the access of other accounts or provide access to a security infrastructure. For such high risk systems, strong passwords should be augmented with two-factor (or more) authentication.

IT managers, data trustees, and departmental security coordinators and/or system administrators are expected to set a good example through a consistent practice of sound security procedures.

1. All passwords should meet the following guidelines, except where technically infeasible:

  • be at least seven (7) alphanumeric characters long

  • contain digits and special characters as well as letters (e.g., 0-9, !@#$%^&()_~-=`{}".')

  • contain both upper and lower case characters (e.g., a-z, A-Z)

  • not be a word in any dictionary, language, slang, dialect, jargon, etc.

  • not be solely based on easily guessed personal information, names of family members, pets, etc.
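The composition rules in item 1, as an added checker that reports which rules a candidate password fails (this is example code, not UCF's own tooling). The word list is a constructed stand-in for a full dictionary, the special-character set extends the examples given above to all ASCII punctuation, and the personal-information list is supplied by the caller.

```python
import string

# Constructed stand-in for a real dictionary; a deployment would load a
# full word list (e.g. a cracking wordlist) instead of these few entries.
SAMPLE_DICTIONARY = {"password", "welcome", "knights", "florida", "orlando"}

# The guideline lists !@#$%^&()_~-=`{}".' as examples; ASCII punctuation covers them.
SPECIAL_CHARS = set(string.punctuation)


def check_password(password, personal_info=()):
    """Return the list of guideline rules the password fails (empty list = compliant).

    personal_info: strings the password must not be based on (user ID,
    names of family members, pets, etc.), supplied by the caller.
    """
    failures = []
    if len(password) < 7:
        failures.append("length")
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIAL_CHARS for c in password)
    if not (has_digit and has_special):
        failures.append("digits_and_specials")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("mixed_case")
    # Compare both the whole password and its alphabetic core, so that
    # "Password1!" is still caught as the dictionary word "password".
    lowered = password.lower()
    core = "".join(c for c in lowered if c.isalpha())
    if lowered in SAMPLE_DICTIONARY or core in SAMPLE_DICTIONARY:
        failures.append("dictionary_word")
    for item in personal_info:
        item = item.lower().strip()
        if len(item) >= 3 and item in lowered:
            failures.append("personal_info")
            break
    return failures
```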

2. To help prevent identity theft, personal information such as Social Security or credit card numbers should never be used as a user ID or a password.

3. All passwords should be treated as sensitive, confidential information and should therefore never be written down or stored on-line.

4. Passwords that could be used to access sensitive information must be encrypted in transit.

5. The same password should not be used for access needs external to UCF (e.g., online banking, Hotmail, Gmail, etc.).

6. It is recommended that passwords be changed at least every 60 days.

7. Passwords should not be shared with anyone, including administrative assistants or IT administrators. If administrators need to access your system/account, change your password and provide them a new one. Shared passwords used to protect network devices require a designated individual to be responsible for the maintenance of those passwords, and that person will ensure that only appropriately authorized employees have access to the passwords.

8. If a password is suspected to have been compromised, it should be changed immediately and the incident reported to the IT manager, Departmental Security Coordinator (DSC) or to the Information Security Office.

Server and Desktop Administrator Passwords

In addition to the general password guidelines listed above, the following applies to server and desktop administrator passwords, except where technically and/or administratively infeasible:

1. These passwords should be changed at least every 60 days.

2. Password history should be activated and the last six to ten passwords kept.

3. Minimum password age should be between forty and fifty days.

4. Where technically and administratively feasible, attempts to guess a password should be automatically limited to ten incorrect guesses. Access should then be locked until a local system administrator intervenes.

5. Failed attempts should be logged, unless such action results in the display of a failed password. It is recommended that these logs be retained for a minimum of 30 days. Administrators should regularly inspect these logs and any irregularities or compromises should be immediately reported to the Security Incidents Response Team (SIRT).

6. If an account or password is suspected to have been compromised, the incident must be reported to the departmental security coordinator and the Information Security Office and potentially affected passwords must be changed immediately.

7. Log files should never contain password information.
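The administrator-account controls in items 2 through 5 and 7 (password history, minimum age, lockout after ten guesses until an administrator intervenes, and a failure log that never records the password), as an added toy model that is not UCF's code. The integer day counter in place of real timestamps, the unsalted hash, and the history depth of 8 are assumptions made for the example.

```python
import hashlib

MAX_FAILED_GUESSES = 10   # item 4: lock the account after ten incorrect guesses
HISTORY_SIZE = 8          # item 2: remember the last six to ten passwords (8 chosen here)
MIN_AGE_DAYS = 45         # item 3: minimum age between forty and fifty days


def _digest(password):
    # Unsalted SHA-256 only keeps the example self-contained; a real store
    # uses a salted, slow hash (bcrypt/argon2). The plaintext is never kept.
    return hashlib.sha256(password.encode()).hexdigest()


class AdminAccount:
    """Toy account model; 'day' arguments are a day counter standing in for timestamps."""
    def __init__(self, username, password, day):
        self.username = username
        self.history = [_digest(password)]   # oldest first, current password last
        self.last_changed = day
        self.failed = 0
        self.locked = False
        self.log = []                        # items 5 and 7: entries never include the password

    def authenticate(self, password, day):
        if self.locked:
            self.log.append(f"day {day}: {self.username} attempt on locked account")
            return False
        if _digest(password) == self.history[-1]:
            self.failed = 0
            return True
        self.failed += 1
        self.log.append(f"day {day}: {self.username} failed login {self.failed}/{MAX_FAILED_GUESSES}")
        if self.failed >= MAX_FAILED_GUESSES:
            self.locked = True   # stays locked until an administrator calls unlock()
            self.log.append(f"day {day}: {self.username} locked after {self.failed} failures")
        return False

    def unlock(self):
        """Local system administrator intervention (item 4)."""
        self.locked = False
        self.failed = 0

    def change_password(self, new_password, day):
        """Return a reason string if the change violates item 2 or 3, else None."""
        if day - self.last_changed < MIN_AGE_DAYS:
            return "minimum password age not reached"
        if _digest(new_password) in self.history:
            return "password reused from history"
        self.history = (self.history + [_digest(new_password)])[-HISTORY_SIZE:]
        self.last_changed = day
        return None
```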

Related Documents:

Policy 4-007 Security of Mobile Computing, Data Storage, and Communication Devices
Policy 4-008 Data Classification and Protection

These and other University policies may be found at http://policies.ucf.edu

All contents are copyrighted
Maintained by the Information Security Office
Computer Services & Telecommunications
Division of IT&R