Computing Passwords Policy

1.0 Purpose
2.0 Scope
3.0 Policy
3.1 Desktop Administrator Passwords
3.2 Server Administrator Passwords
4.0 Related Policies and Links

1.0 Purpose

This policy describes the University's requirements for acceptable password selection and maintenance to maximize security of the password and minimize its misuse or theft.

Passwords are the most frequently utilized form of authentication for accessing a computing resource. Due to the use of weak passwords, the proliferation of automated password-cracking programs, and the activity of malicious hackers and spammers, they are very often also the weakest link in securing data. Password use must therefore adhere to the policy statement found below. 

2.0 Scope

This policy applies to anyone accessing or utilizing Brown University's network or data. This use may include, but is not limited to, the following: personal computers, laptops, Brown-issued cell phones, and hand-held computing devices (e.g., PDAs, USB memory keys, electronic organizers), as well as Brown electronic services, systems and servers. This policy covers departmental resources as well as resources managed centrally.

3.0 Policy

All passwords (e.g., email, web, desktop computer, etc.) should be strong passwords and follow the standards listed below. In general, a password's strength will increase with length, complexity and frequency of changes.

Greater risks require a heightened level of protection. Stronger passwords, augmented with alternate security measures such as multi-factor authentication, should be used in such situations. High risk systems include but are not limited to: systems that provide access to critical or sensitive information, controlled access to shared data, a system or application with weaker security, and administrator accounts that maintain the access of other accounts or provide access to a security infrastructure.

Central and departmental account managers, data trustees, and security and/or system administrators are expected to set a good example through a consistent practice of sound security procedures.

  1. All passwords must meet the following minimum standards, except where technically infeasible:
    • be at least eight alphanumeric characters long
    • contain digits or punctuation characters as well as letters (e.g., 0-9, ~'!@#$%()_-'{.})
      Note:
      The following special characters cannot be used in passwords for most Brown systems: *+,/:;<=>?[\]|^&
    • contain both upper and lower case characters (e.g., a-z, A-Z)
    • not be a word in any dictionary, language, slang, dialect, jargon, etc.
    • not be solely based on easily guessed personal information, names of family members, pets, etc.
  2. To help prevent identity theft, personal or fiscally useful information such as Social Security or credit card numbers must never be used as a user ID or a password.
  3. All passwords are to be treated as sensitive information and should therefore never be written down or stored on-line unless adequately secured.
    Note: Do not use the password storage feature offered on Windows or other operating systems. This feature creates a password file that is vulnerable to hackers.
  4. Passwords should not be inserted into email messages or other forms of electronic communication without the consent of the Information Security Group (ISG).
  5. Passwords that could be used to access sensitive information must be encrypted in transit.
  6. The same password should not be used for access needs external to Brown (e.g., online banking, benefits, etc.).
  7. It is recommended that passwords be changed at least every six months.
  8. Individual passwords should not be shared with anyone, including administrative assistants or IT administrators. Necessary exceptions may be allowed with the written consent of ISG and must have a primary responsible contact person. Shared passwords used to protect network devices, shared folders or files require a designated individual to be responsible for the maintenance of those passwords, and that person will ensure that only appropriately authorized employees have access to the passwords.
  9. If a password is suspected to have been compromised, it should be changed immediately and the incident reported to the Departmental Computing Coordinator (DCC) or to ISG.
  10. Password cracking or guessing may be performed on a periodic or random basis by ISG or its delegates with the cooperation and support from the appropriate system administrator. If a password is guessed or cracked during one of these scans, the password owner will be required to change it immediately.

Note: Consult the Password FAQ for suggestions on forming strong passwords and the use of passwords at Brown.
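The minimum standards in item 1 above (length, character classes, the characters that cannot be used on most Brown systems, no dictionary words, and nothing based solely on personal information) can be enforced at password-change time. The checker below is an added example written for this page, not a Brown tool. The word list and the personal-information tokens are constructed sample data, and the reading of "solely based on personal information" as "fewer than three letters remain once the personal tokens are stripped" is a heuristic chosen for this example.

```python
"""Password composition checker for the minimum standards in section 3.0.
Added example, not Brown's own tooling."""
import string

# Characters the policy says cannot be used on most Brown systems (section 3.0, item 1 note).
FORBIDDEN_CHARS = set(r"*+,/:;<=>?[\]|^&")
# Punctuation that remains acceptable once the forbidden set is removed.
ALLOWED_PUNCTUATION = set(string.punctuation) - FORBIDDEN_CHARS
MIN_LENGTH = 8

# Constructed stand-in for a real dictionary/word list; a deployment would load a full one.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "brown", "letmein", "qwerty", "secret"}


def _letters_only(text):
    """Lower-case letters of the text, with digits and punctuation removed."""
    return "".join(ch for ch in text.lower() if ch.isalpha())


def check_password(password, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Return a list of policy violations; an empty list means the minimum standards are met."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    bad = sorted(set(password) & FORBIDDEN_CHARS)
    if bad:
        violations.append("contains disallowed characters: " + "".join(bad))
    if not any(ch.isdigit() or ch in ALLOWED_PUNCTUATION for ch in password):
        violations.append("no digit or punctuation character")
    if not any(ch.isupper() for ch in password):
        violations.append("no upper-case letter")
    if not any(ch.islower() for ch in password):
        violations.append("no lower-case letter")
    # Dictionary rule: compare both the raw password and its letters-only form,
    # so that "Password1!" is still recognised as the word "password".
    if password.lower() in dictionary or _letters_only(password) in dictionary:
        violations.append("is a dictionary word")
    # Personal-information rule (heuristic): strip every personal token and
    # reject if fewer than three other letters are left over.
    remaining = password.lower()
    for token in personal_info:
        remaining = remaining.replace(token.lower(), "")
    if personal_info and len(_letters_only(remaining)) < 3:
        violations.append("based on easily guessed personal information")
    return violations
```

`check_password("Fluffy2019!", personal_info=["Fluffy"])` reports only the personal-information rule, while `check_password("password")` reports the missing digit or punctuation, the missing upper-case letter and the dictionary hit in one pass, which is the feedback a user needs to fix the password in a single attempt.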

3.1 Desktop Administrator Passwords

In addition to the general password guidelines listed above, the following apply to desktop administrator passwords, except where technically and/or administratively infeasible:

  1. These passwords must be changed at least every six months.
  2. Where technically and administratively feasible, attempts to guess a password should be automatically limited to ten incorrect guesses. Access should then be locked for a minimum of ten minutes, unless a local system administrator intercedes.
  3. Failed attempts should be logged, unless such action results in the display of a failed password. It is recommended that these logs be retained for a minimum of 30 days. Administrators should regularly inspect these logs and any irregularities or compromises should be immediately reported to the Information Security Group.

3.2 Server Administrator Passwords

In addition to the general password standards listed above, the following apply to server administrator passwords, except where technically and/or administratively infeasible:

  1. Passwords for servers must be changed as personnel changes occur.
  2. If an account or password is suspected to have been compromised, the incident must be reported to ISG and potentially affected passwords must be changed immediately.
  3. Where technically or administratively feasible, attempts to guess a password should be limited to ten incorrect guesses. Access should then be locked for a minimum of ten minutes, unless a local system administrator intercedes.
  4. Uniform responses should be provided for failed attempts, producing simple error messages such as "Access denied". A standard response minimizes clues that could result from hacker attacks.
  5. Failed attempts should be logged, unless such action results in the display of the failed password. It is recommended that these logs be retained for a minimum of 30 days. Administrators should regularly inspect these logs and any irregularities such as suspected attacks should be reported to the Information Security Group.

Note: Log files should never contain password information.
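Sections 3.1 and 3.2 together describe one login-handling discipline: lock an account after ten incorrect guesses for at least ten minutes unless an administrator intercedes, answer every failure with the same "Access denied", and log failed attempts without ever writing the submitted password. The gate below is an added example for this page, not Brown software. The PBKDF2 credential store, the injectable clock and the in-memory log are assumptions made so the example runs on its own; a real deployment would use the platform's account lockout and audit facilities.

```python
"""Login gate implementing the lockout, uniform-response and failed-attempt
logging rules of sections 3.1 and 3.2. Added example; not Brown's own software."""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 10          # ten incorrect guesses (3.1 item 2, 3.2 item 3)
LOCKOUT_SECONDS = 10 * 60         # locked for a minimum of ten minutes
ACCESS_DENIED = "Access denied"   # the single uniform failure response (3.2 item 4)


def hash_password(password, salt=None):
    """Salted PBKDF2 digest; the clear-text password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Used for unknown user names so that a lookup miss costs the same time as a real check.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("placeholder-not-a-real-credential")


class LoginGate:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so lockout expiry can be tested
        self.credentials = {}         # username -> (salt, digest)
        self.failures = {}            # username -> consecutive failed guesses
        self.locked_until = {}        # username -> unix time the lock expires
        self.log = []                 # failed-attempt records: (time, username, reason)

    def add_user(self, username, password):
        self.credentials[username] = hash_password(password)

    def _record_failure(self, username, reason):
        # Who, when and why are logged; the submitted password never is (section 3.2 note).
        self.log.append((self.clock(), username, reason))

    def is_locked(self, username):
        return self.locked_until.get(username, 0) > self.clock()

    def login(self, username, password):
        now = self.clock()
        if self.is_locked(username):
            self._record_failure(username, "attempt while locked")
            return ACCESS_DENIED
        salt, digest = self.credentials.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        _, candidate = hash_password(password, salt)
        if username in self.credentials and hmac.compare_digest(candidate, digest):
            self.failures[username] = 0
            return "OK"
        # Unknown user and wrong password share one response and one log reason,
        # so the response reveals nothing about which of the two occurred.
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        self._record_failure(username, "bad credentials")
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
        return ACCESS_DENIED

    def admin_unlock(self, username):
        """A local system administrator interceding lifts the lock early."""
        self.locked_until.pop(username, None)
        self.failures[username] = 0
```

Two design points worth noting: the lock is checked before the credential is verified, so a correct password submitted during the lockout window is still refused (otherwise the lock would not slow a guessing run that eventually hits the right value), and the log stores a reason string rather than the attempted credential, which is what keeps the 30-day retained log from becoming a password file of its own.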

4.0 Related Policies and Links

Acceptable Use
Accounts and Access Information and Forms
Accounts and Passwords (services description)
Computing Account Management Policy 
Password FAQ
Protecting Information Checklist   

Questions or comments to: ITPolicy@brown.edu

Effective Date: May 26, 2005
Last Reviewed: August, 2009