Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may compromise Murray State University’s resources. As such, all students, faculty, staff, or individuals external to MSU who use MSU information technology resources are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. Any questions or comments about this policy should be directed to Information Systems.
The scope of this policy includes all individuals (students, faculty, staff, or individuals external to MSU) who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Murray State University facility, has access to the Murray State University network, or stores any Murray State University information regardless of location.
4.2.1 General Password Construction Guidelines
Some of the more common uses of passwords include: user level accounts, web accounts, email accounts, screen saver protection, voice mail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.
Weak passwords have the following characteristics which must be avoided:
NOTE: Do not use any of these examples as passwords!
4.2.2 Password Protection Standards
Do not use the same password for Murray State University accounts as for other non-Murray State University access (e.g., personal ISP account, personal email, forums, etc.). Where possible, don't use the same password for various Murray State University access needs.
Do not share Murray State University passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential Murray State University information.
Compliance with the following is required:
If an account or password is suspected to have been compromised, report the incident immediately to the Information Security Officer and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by Information Security personnel. If a password is guessed or cracked during one of these scans, the user will be required to change it.
4.2.3 Application Development Standards
Application developers must ensure their programs contain the following security precautions.
4.2.4 Pass phrases
Pass phrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the pass phrase to "unlock" the private key, the user cannot gain access.
Pass phrases are not the same as passwords. A pass phrase is a longer version of a password and is, therefore, more secure. A pass phrase is typically composed of multiple words. Because of this, a pass phrase is more secure against "dictionary attacks."
A good pass phrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good pass phrase:
All of the rules above that apply to passwords apply to pass phrases.
Anyone found to have violated this policy may be subject to disciplinary action, up to and including suspension of access to technology resources or termination of employment. Students may be referred to Student Affairs for discipline. A violation of this policy by a temporary worker, contractor or vendor may result in action up to and including termination of their contract or assignment with Murray State University.
Application Administration Account
Any account that is for the administration of an application (e.g., Oracle database administrator, SAN administrator).
SNMP (Simple Network Management Protocol)
SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention.
Murray State University Network
Being connected to a Murray State University network includes the following: