Office of Information Technology
Effective Date May 26, 2005

Computing Passwords Policy

This policy describes the University's requirements for acceptable password selection and maintenance to maximize security of the password and minimize its misuse or theft.

Passwords are the most frequently utilized form of authentication for accessing a computing resource. Due to the use of weak passwords, the proliferation of automated password-cracking programs, and the activity of malicious hackers and spammers, they are very often also the weakest link in securing data. Password use must therefore adhere to the policy statement found below.

This policy applies to anyone accessing or utilizing Brown University's network or data. This use may include, but is not limited to, the following: personal computers, laptops, Brown-issued cell phones, and hand-held form-factor computing devices (e.g., PDAs, USB memory keys, electronic organizers), as well as Brown electronic services, systems and servers. This policy covers departmental resources as well as resources managed centrally.

All passwords (e.g., email, web, desktop computer, etc.) should be strong passwords and follow the standards listed below. In general, a password's strength will increase with length, complexity and frequency of changes.

Greater risks require a heightened level of protection. Stronger passwords, augmented with alternative security measures such as multi-factor authentication, should be used in such situations. High-risk systems include, but are not limited to: systems that provide access to critical or sensitive information, controlled access to shared data, a system or application with weaker security, and administrator accounts that maintain the access of other accounts or provide access to a security infrastructure.

Central and departmental account managers, data trustees, and security and/or system administrators are expected to set a good example through a consistent practice of sound security procedures.

  1. All passwords must meet the following minimum standards, except where technically infeasible:
    • be at least ten characters in length for Brown network passwords (eight for Google mail)
    • contain at least one lowercase character
    • contain at least one number
    • contain at least one special character
    • contain at least one uppercase character
    • cannot contain your first name, last name, or username
    • cannot match your last four passwords.
  2. To help prevent identity theft, personal or fiscally useful information such as Social Security or credit card numbers must never be used as a user ID or a password.
  3. All passwords are to be treated as sensitive information and should therefore never be written down or stored on-line unless adequately secured.
  4. Passwords should not be inserted into email messages or other forms of electronic communication without the consent of the Information Security Group (ISG).
  5. Passwords that could be used to access sensitive information must be encrypted in transit.
  6. The same password should not be used for access needs external to Brown (e.g., online banking, benefits, etc.).
  7. It is recommended that passwords be changed at least every six months.
  8. Individual passwords should not be shared with anyone, including administrative assistants or IT administrators. Necessary exceptions may be allowed with the written consent of ISG and must have a primary responsible contact person. Shared passwords used to protect network devices, shared folders or files require a designated individual to be responsible for the maintenance of those passwords, and that person will ensure that only appropriately authorized employees have access to the passwords.
  9. If a password is suspected to have been compromised, it should be changed immediately and the incident reported to the Departmental Computing Coordinator (DCC) or to ISG.
  10. Password cracking or guessing may be performed on a periodic or random basis by ISG or its delegates with the cooperation and support from the appropriate system administrator. If a password is guessed or cracked during one of these scans, the password owner will be required to change it immediately.
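As an added example (not part of the policy document), the following checker applies the minimum standards listed above to a candidate password: length by system, the four character classes, the name and username exclusions, and the "last four passwords" history rule. The names, the per-user salt and the "google_mail" system label are constructed for illustration; the history is kept as salted hashes so no earlier password is stored in clear.

```python
import hashlib
import hmac
import string

HISTORY_DEPTH = 4                                 # "cannot match your last four passwords"
MIN_LENGTH = {"network": 10, "google_mail": 8}    # ten characters, eight for Google mail
PBKDF2_ROUNDS = 100_000


def pw_hash(password: str, salt: bytes) -> str:
    """Salted PBKDF2 digest used for the history comparison (constructed helper).

    The history holds digests, never plaintext, so an old password can be
    recognised without being readable to whoever can see the history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def check_password(password, first_name, last_name, username, history,
                   system="network", salt=b"constructed-per-user-salt"):
    """Return the list of violated rules; an empty list means the password passes.

    `history` is the user's previous password digests, oldest first, all made
    with the same per-user salt so they are comparable."""
    problems = []
    if len(password) < MIN_LENGTH[system]:
        problems.append(f"shorter than {MIN_LENGTH[system]} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()                    # name checks are case-insensitive
    for label, value in (("first name", first_name), ("last name", last_name),
                         ("username", username)):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    candidate = pw_hash(password, salt)
    if any(hmac.compare_digest(candidate, old) for old in history[-HISTORY_DEPTH:]):
        problems.append("matches one of the last four passwords")
    return problems
```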

Note: Consult the document Strong Passwords for suggestions on forming hard-to-guess/easy-to-remember passwords.

3.1 Account Administration Standards

In addition to the general password guidelines listed above, the following apply to desktop administrator passwords, except where technically and/or administratively infeasible:

  1. These passwords must be changed at least every six months.
  2. Where technically and administratively feasible, attempts to guess a password should be automatically limited to ten incorrect guesses. Access should then be locked for a minimum of ten minutes, unless a local system administrator intercedes.
  3. Failed attempts should be logged, unless such action results in the display of the failed password. It is recommended that these logs be retained for a minimum of 30 days. Administrators should regularly inspect these logs, and any irregularities or compromises should be immediately reported to the Information Security Group.

3.2 Shared Accounts

In addition to the general password standards listed above, the following apply to server administrator passwords, except where technically and/or administratively infeasible:

  1. Passwords for servers must be changed as personnel changes occur.
  2. If an account or password is suspected to have been compromised, the incident must be reported to ISG and potentially affected passwords must be changed immediately.
  3. Where technically or administratively feasible, attempts to guess a password should be limited to ten incorrect guesses. Access should then be locked for a minimum of ten minutes, unless a local system administrator intercedes.
  4. Uniform responses should be provided for failed attempts, producing simple error messages such as "Access denied". A standard response minimizes the clues an attacker could gain from failed attempts.
  5. Failed attempts should be logged, unless such action results in the display of the failed password. It is recommended that these logs be retained for a minimum of 30 days. Administrators should regularly inspect these logs and any irregularities such as suspected attacks should be reported to the Information Security Group.

Note: Log files should never contain password information.
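As an added example (not part of the policy document), the following login gate implements standards 3 to 5 above together with the note: ten incorrect guesses lock the account for ten minutes unless an administrator intercedes, every failure returns the same "Access denied" message, and each failed attempt is logged with the username and outcome but never the password. The clock is injected so the lock can be exercised in a test; the user store and `unlock` method are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

MAX_FAILURES = 10            # "limited to ten incorrect guesses"
LOCK_SECONDS = 10 * 60       # "locked for a minimum of ten minutes"
ACCESS_DENIED = "Access denied"   # one message for every failure reason
PBKDF2_ROUNDS = 100_000


class LoginGate:
    def __init__(self, clock):
        self._clock = clock                  # callable returning seconds (injected)
        self._users = {}                     # username -> (salt, pbkdf2 digest)
        self._failures = defaultdict(int)    # consecutive failures per username
        self._locked_until = {}              # username -> lock expiry time
        self.log = []                        # what an administrator would inspect

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def login(self, username, password):
        """Return (success, message); the message is uniform on every failure."""
        now = self._clock()
        if self._locked_until.get(username, 0) > now:
            self._log(username, "attempt while locked")
            return False, ACCESS_DENIED
        rec = self._users.get(username)
        if rec is not None:
            salt, digest = rec
            attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(attempt, digest):
                self._failures[username] = 0
                return True, "OK"
        self._failures[username] += 1        # unknown users are counted too
        self._log(username, f"failed attempt {self._failures[username]}")
        if self._failures[username] >= MAX_FAILURES:
            self._locked_until[username] = now + LOCK_SECONDS
            self._failures[username] = 0
            self._log(username, "locked for 10 minutes")
        return False, ACCESS_DENIED

    def unlock(self, username):
        """A local system administrator interceding before the ten minutes elapse."""
        self._locked_until.pop(username, None)

    def _log(self, username, event):
        # Entries carry the time, username and outcome; the password is never written.
        self.log.append(f"t={self._clock():.0f} user={username} {event}")
```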

Questions or comments to: ITPolicy@brown.edu

Last Reviewed: April, 2015