PASSWORD CONSTRUCTION GUIDELINES

1. OVERVIEW

Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may result in the compromise of individual systems, data, or UNIS’ network. This guideline provides best practices for creating secure passwords.

2. PURPOSE

The purpose of this guideline is to provide best practices for the creation of strong passwords.

3. SCOPE

This guideline applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any UNIS facility, has access to the UNIS network, or stores any non-public UNIS information. This guideline applies to all passwords, including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, and local router logins.

4. STATEMENT OF GUIDELINES

All passwords should meet or exceed the following guidelines.

Strong passwords have the following characteristics:

  • Contain at least 8 alphanumeric characters.

  • Contain both upper and lower case letters.

  • Contain at least one number (for example, 0-9).

  • For sensitive administrative accounts: contain at least one special character (for example \`{}[]:";'<>?,/).

Poor, or weak, passwords have the following characteristics:

  • Contain less than eight characters.

  • Can be found in a dictionary (including foreign-language dictionaries), or exist as slang, dialect, or jargon in any language.

  • Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.

  • Contain work-related information such as building names, system commands, sites, companies, hardware, or software.

  • Contain repeated, sequential, or keyboard patterns such as aaabbb, qwerty, zyxwvuts, or 123321.

  • Contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1 or 1secret).

  • Are some version of “Welcome123”, “Password123”, or “Changeme123”.

You should never write down a password. Instead, try to create passwords that you can remember easily. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase "This May Be One Way To Remember" could become the password TmB1w2R! or another variation.

(NOTE: Do not use either of these examples as passwords!)

5. PASSPHRASES

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to unlock the private key, the user cannot gain access.

A passphrase is similar to a password in use; however, it is relatively long and constructed of multiple words, which provides greater security against dictionary attacks. Strong passphrases should follow the general password construction guidelines to include upper and lowercase letters, numbers, and special characters (for example, TheWeatherOnTheWayWas*&!$ThisMorning!).
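The checker below is an added illustration and is not part of the UNIS guideline or the SANS template it is based on. It encodes the characteristics from sections 4 and 5 so that a self-service portal or help desk tool could reject weak choices before they are set: minimum length, mixed case, a digit, a special character for administrative accounts, dictionary words (also reversed or padded with digits, as in secret1 or 1secret), supplied personal or work-related terms, and repeated, sequential or keyboard patterns. The tiny word list, the keyboard runs, the 16-character and three-word passphrase thresholds, and all function names are assumptions made for the example; the guideline itself only says a passphrase is "relatively long" and "constructed of multiple words".

```python
import re

# Constructed, deliberately tiny stand-in for the dictionary, slang and
# work-related word lists the guideline refers to (assumption: a real
# deployment would load full lists from files).
COMMON_WORDS = {"secret", "password", "welcome", "changeme", "summer", "unis", "building"}

# Keyboard and alphabet runs the guideline warns about (qwerty, abcdef, ...).
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "abcdef", "123456")

# Special characters taken from the guideline's own example list.
SPECIALS = set("`{}[]:\";'<>?,/")


def has_pattern(s, run=3):
    """True if s contains a keyboard run, a repeated-character run (aaa) or a
    straight ascending/descending character sequence (abc, 123, cba) of
    length `run`. Three characters is deliberately strict; raise `run` if it
    rejects too many legitimate choices."""
    if any(k in s for k in KEYBOARD_RUNS):
        return True
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw, administrative=False, personal_terms=()):
    """Return the list of guideline violations; an empty list means the
    password meets the section 4 characteristics."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
        problems.append("missing upper or lower case letters")
    if not re.search(r"[0-9]", pw):
        problems.append("missing a number")
    if administrative and not any(c in SPECIALS for c in pw):
        problems.append("administrative account: missing a special character")

    lowered = pw.lower()
    # Strip digits and symbols to expose the word core, so that secret1,
    # 1secret and Welcome123 all reduce to the underlying dictionary word.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in COMMON_WORDS or core[::-1] in COMMON_WORDS:
        problems.append("dictionary word, possibly reversed or padded with numbers")
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal/work term '{term}'")
    if has_pattern(lowered):
        problems.append("contains a repeated, sequential, or keyboard pattern")
    return problems


def check_passphrase(phrase, min_length=16, min_words=3):
    """Section 5: a passphrase must satisfy the password rules and, by the
    assumed thresholds here, be at least `min_length` characters and contain
    at least `min_words` words (capitalised or lower-case runs of 2+ letters)."""
    problems = check_password(phrase)
    if len(phrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    words = re.findall(r"[A-Z]?[a-z]{2,}", phrase)
    if len(words) < min_words:
        problems.append(f"fewer than {min_words} words")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("secret1", "Welcome123", "Rv7kQ2pm"):
        print(candidate, "->", check_password(candidate) or "OK")
    print("admin Rv7kQ2pm ->", check_password("Rv7kQ2pm", administrative=True) or "OK")
    print("passphrase ->", check_passphrase("RainOnTheRoof9Sounds*Nice") or "OK")
```

The checker reports every violation rather than stopping at the first, which is what a user-facing portal needs to explain why a choice was rejected. Note that the "dictionary" test only catches a password whose entire letter content is one listed word; a production deployment would substitute a full word list and a substring match, and would run the check server-side so the list itself is never shipped to clients.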

6. POLICY COMPLIANCE

6.1. Compliance Measurement

The IT team will verify compliance with this policy through various methods, including but not limited to periodic walkthroughs, business tool reports, internal and external audits, and feedback to the policy owner.

6.2. Exceptions

Any exception to the policy must be approved by the Tech team in advance.

6.3. Non-Compliance

Employees found to have violated this policy will be asked to comply and will be guided through the process by an IT Specialist.

FOOTNOTES

  • The policy is subject to change: any faculty/staff/admin/student can request a modification in order to enhance their experience with technology at UNIS. Exceptions to this policy will be considered on a one-to-one basis.

  • These guidelines were partially created by or for the SANS Institute for the Internet community.