Password Usage and Management policy

This policy applies to everyone who uses University computing facilities. It is your responsibility to choose strong passwords and protect them.

The numbers in brackets refer to the section in the full policy, which is available as a PDF.

Applicability

  • All users of University computing facilities (1.2)

Scope

  • All computers operated by the University (1.3)

Password Usage and Management

  • Purpose and overview of policy – users are to select strong passwords and protect them. (2.1)
  • Users are responsible for keeping their passwords secret. (2.2)
  • Systems Administrators are to ensure that only hashed or encoded forms of passwords are stored in their respective systems, and Microsoft systems should always be configured so that they don’t store the LM hash values of users’ passwords. (2.3)
  • The University will not necessarily configure its systems to enforce password complexity. (2.4.1)
  • Users are to choose strong passwords (guidelines can be found at the Annex). (2.4.2)
  • Those operating their own systems outside of AD are to implement a forced-change process for newly created accounts at first log-on. (2.5.1)
  • Password aging will be implemented on sensitive systems. (2.5.2)
  • Users of systems that cannot be configured to force-change their initial default passwords at first logon are required to change them themselves at the first logon. (2.6.1)
  • Default passwords are to be changed before systems are brought into production or peripherals added to the network. (2.6.2)
  • Systems level passwords must be changed at least quarterly. (2.6.3)
  • Passwords must be changed immediately if it is suspected that someone else knows them, and on all occasions when a malpractice incident is discovered or suspected. (2.6.4)
  • Custodians of temporary account passwords must manage them carefully. (2.6.5)
  • Staff may only have access to system-level passwords on an operational need-to-know basis. (2.7)
  • Shared administrator and super-user (global) passwords are not to be used on production systems except where passwords are hard-coded into applications. (2.7)
  • Windows system passwords for privileged accounts must be 15 characters or more. (2.7)
  • Administrators and IT support staff are to use secondary accounts for supporting their systems and services. (2.7)
  • UNIX users are to use their own user accounts to su to root. (2.7)
  • Hard-coded and service account passwords must never be used to log onto servers. (2.7.1)
  • Passwords are not to be shared by users, except when they are hard-coded or used for collaborative access in accordance with the Access Control and Account Management Policy. (2.8)
  • With the correct authority, password cracking tools may be operated by ISS periodically to identify weak passwords. (2.9)
  • The identity of a person and their association with an account must be verified prior to the password being reset. (2.10)
  • Only recognised User-Representatives may request the password re-arm of a staff University user account, where the user has forgotten their password and is unable to attend the IT Help Desk. (2.10.1)