Purpose
To manage the integrity of user access to the college’s computing systems and provide security to the information contained in network assets. This policy sets a standard for creating, protecting, and changing passwords to ensure best practices are followed for password strength, security, and protection.
Policy
The College shall ensure that computers linked to the administrative network, and consequently network data sources, are secured through a comprehensive identity management system. The College shall ensure that the staff who use networked computing technology understand and accept the Information Systems Acceptable Use Policy – IT 1.11. This policy applies to all employees of the College who have, or are responsible for, any type of network account (computer account, Jenzabar account, mylaboure.edu account, D2L Brightspace, email account, etc.), and to any form of access that supports or requires a password on any system that resides at any College facility or service, or that has access to the Labouré College of Healthcare network.
General Information
Passwords are a critical part of information and network security. Passwords serve to protect user accounts but a poorly chosen password could put the entire network at risk. As a result, all employees of Labouré College of Healthcare are required to take appropriate steps to ensure that they create strong, secure passwords and safeguard them at all times.
What is a password? Your computer password is your personal key to a computer system. Passwords help to ensure that only authorized individuals access computer systems. Passwords also help to determine accountability for all transactions and other changes made to system resources, including data. If you share your password with a colleague or friend, you may be giving an unauthorized individual access to the system. What if the individual gives your password to someone else? What if some of your files are deleted or otherwise rendered unusable?
Authentication of individuals as valid users, via the input of a valid password, is required to access any shared computer information system. Each user is accountable for the selection, confidentiality, and changing of passwords required for authentication purposes. Since you are responsible for picking your own password, it is important to be able to tell the difference between a good password and a bad one. Bad passwords jeopardize information that they are supposed to protect.
Your password should not be the same as your User/Login ID, an anagram of your User/Login ID, or a palindrome of your User/Login ID. There are a variety of techniques you can use to choose secure passwords. Examples of techniques for creating passwords are listed later in this document.
Password Construction Requirements
· All users of the College network shall adhere to the best practices of password security.
· Passwords must be at least eight characters long, and include one upper case letter, one lower case letter, one number, and one special character
· The college will require all employees to change their password every 90 days.
· Passwords cannot be the same as the prior three passwords
· Passwords should not be based on a user's personal information or that of his or her friends, family members, or pets. Personal information includes login ID, name, birthday, address, phone number, social security number, or any permutations thereof
· Passwords should not be words that can be found in a standard dictionary (English or foreign) or are publicly known slang or jargon
· Passwords should not be trivial, predictable, or obvious
· Passwords should not be based on publicly known fictional characters from books, films, and so on
· Passwords should not be based on the company's name or geographic location
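The construction requirements above can be enforced mechanically at the point where a password is set. The following checker is an added illustration written for this document; it is not the College's own tooling. It treats "special character" as any ASCII punctuation mark (an assumption; the policy later notes that some systems restrict which characters are allowed), uses a small constructed word list in place of a real dictionary, and compares against the prior three passwords by salted hash so that password history is never stored in plaintext. The sample passwords in the demonstration are taken from this document's own examples and from constructed inputs, and are used only to show which rules they pass or fail.

```python
"""Password construction checker (added example, not the College's own code)."""
import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 8      # "at least eight characters long"
HISTORY_DEPTH = 3   # "cannot be the same as the prior three passwords"

# Constructed stand-in for a dictionary word list. A real deployment would
# load full English and foreign word lists plus publicly known slang/jargon.
SAMPLE_DICTIONARY = {"password", "welcome", "homework", "university", "college"}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 so that password history holds no plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_history(password: str, history: list) -> bool:
    """history: list of (salt, digest) pairs, oldest first, for earlier passwords."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history[-HISTORY_DEPTH:]
    )


def resembles_login_id(password: str, login_id: str) -> bool:
    """Same as, an anagram of, or a palindrome (reversal) of the login ID, case-insensitive."""
    p, u = password.lower(), login_id.lower()
    return p == u or sorted(p) == sorted(u) or p == u[::-1]


def letters_only(text: str) -> str:
    """Strip digits and punctuation so 'UNI$VER9' is compared as 'univer'."""
    return re.sub(r"[^a-z]", "", text.lower())


def check_password(password: str, login_id: str, personal_info=(), history=(),
                   dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if resembles_login_id(password, login_id):
        problems.append("same as, an anagram of, or a palindrome of the login ID")
    lowered = password.lower()
    for item in personal_info:          # name, birthday, phone, pet's name, ...
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")
    core = letters_only(password)
    if core in dictionary:
        problems.append(f"letters spell the dictionary word {core!r}")
    if re.search(r"(.)\1\1", password):  # crude "trivial or predictable" screen
        problems.append("repeats one character three or more times in a row")
    if matches_history(password, list(history)):
        problems.append(f"matches one of the prior {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed demonstration: a stored previous password plus a few candidates.
    previous = [hash_password("Winter#2024")]
    for candidate in ["4*hk8LP9", "DAM56", "Password1!", "Winter#2024"]:
        result = check_password(candidate, "jsmith", personal_info=["Smith"], history=previous)
        print(f"{candidate:12} -> {'OK' if not result else '; '.join(result)}")
```

Only the rules that can be decided from the string itself are checked here; "not based on a fictional character" or "not based on the company's name" still need a curated word list specific to the institution, and a real deployment would run the checker before the new hash is written and discard the plaintext immediately afterwards.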
Password Protection Requirements
· Every new staff member who uses a computer or device connected to the network will be given a unique temporary password that will be required to change upon initial login
· Never write a password down. No employee is to keep an unsecured written record of his or her passwords, either on paper or in an electronic file. If it proves necessary to keep a record of a password, then it must be kept in a controlled-access place if in hardcopy form or in an encrypted file if in electronic form
· Never share your password with anyone. Sharing a password will be considered a serious offense. Passwords should be treated as confidential information. No employee is to give, tell, or hint at their password to another person, including IT staff, administrators, superiors, other co-workers, friends, or family members, under any circumstances
o If someone demands your password, refer him or her to these guidelines or have him or her contact the IT Department
· Passwords should not be transmitted electronically over the unprotected Internet, such as via e-mail. However, passwords may be used to gain remote access to company resources via the company's IPsec-secured Virtual Private Network or SSL-protected Website
· Do not use the "Remember Password" feature of applications and do not create a "hotkey" for password use
· Passwords used to gain access to company systems should not be used as passwords to access non-company accounts or information
· Do not use the same password to access multiple company systems
· Log out of any authenticated software or computer before leaving them unattended
· If an employee either knows or suspects that his/her password has been compromised, it must be reported to the IT Department and the password changed immediately
· When a network user has been moved or terminated, the Information Technology staff shall be notified by the Chief Human Resources Officer, and the user's network rights shall be altered or revoked immediately.
· For any third-party applications requiring a password, such as PowerFAIDS, EdConnect, ADP, and Jenzabar EX, Information Technology staff will maintain an electronic inventory of administrative user and password information sufficient to manage the application and any authorized users. This inventory will be password-protected and will be held in a location accessible to college administrators
· Do not use any of the password examples shown in this document
Following are examples of some techniques for creating passwords.
· Use a word with one or two digits embedded in it. Examples:
o HOu32SE#, MON4%2DaY, TaB87LE%
· Make up an acronym based on a nursery rhyme, a favorite song or movie, or a sentence. Examples:
o MHaLL76# - Mary Had A Little Lamb
o MdHF#88 - My Dog Has Fleas
o OtGDY4*8 - Only The Good Die Young (Billy Joel)
o TErM2*12 - Terminator 2
· Use a three-character pronounceable word with a one- or two-digit number added as a suffix or prefix. Examples:
o DAM56, WAR34, 56DIG
· Make up nonsense words that mean something to you by combining the first syllables of two words. However, avoid using standard abbreviations like "jan, feb, mar, etc." as part of your password. Example:
o PUBPOL5% - Published Policy
· Drop vowels or drop everything but the first 6 letters of a long word or two words. Examples:
o CLNDSK1# - clean desk
o DEDICA5% - dedication
o HOMEWO#9 - homework
· Use special characters like #, $, and @. These too, can be inserted anywhere. Example:
o UNI$VER9 - university
· Misspell a word, drop a couple of letters, or add some. Examples:
o MISTIFI@ - mystify
o CELLEB59 - celebrate
o RNYDY$17 - rainy day
· Be creative! Try to choose a pattern that has meaning for you but that no one else can guess. For example, you might use upcoming events in your life. If you or one of your children has a major essay to write next month, you might create a password reflecting that event. Example:
o MAJESS+7 - Major essay
· Or, if your 4th cousin, twice removed, is coming for a visit, you might create a password such as the following one. Example:
o 4CUZZ02#
· Another pattern could be to choose meaningful words with a minimum of 10 letters and always use only the first 6 letters. Then add a special character as one of the characters. Note: Some systems have restrictions as to which special characters can be used as part of a password. Examples:
o ANNIVE$0 - anniversary
o UNBEND#9 - unbendable
o @UNBEND1 - unbendable
o UN#BEND1 - unbendable
· The best password is a random combination of numeric, alphabetic, and special characters. On systems that allow upper-case and lower-case letters, use a combination of upper- and lower-case characters in your password. Examples:
o 48KK43%V
o 4*hk8LP9
Access Control
· College computer systems will be configured to lock users out of the system after multiple unsuccessful login attempts. This lockout may be for a short period of time or may be permanent until lifted by an IT administrator
· College computer systems will be configured to lock themselves after a period of inactivity. Users are encouraged to lock computer systems when they leave them, but the systems will be set to lock after no longer than 15 minutes, to prevent unauthorized individuals from gaining access to sensitive information