Passwords

Type of Policy: Administrative
Effective Date: February 2011
Last Revised: January 2013
Review Date: January 2017
Policy Owner: Info Tech- Information Security
Contact Name: Jimmy Lummis
Contact Title: Information Security Policy and Compliance Manager
Contact Email: jimmy.lummis@oit.gatech.edu
Reason for Policy: 

This document is in direct support of the Georgia Institute of Technology Computer and Network Usage and Security Policy (CNUSP). This policy establishes the minimum requirements for generating and managing Georgia Tech user passwords used by operating systems, applications, databases, and network devices owned by or managed by Georgia Tech. The use of passwords is an important security practice, as passwords are used to authenticate users and are the first line of defense for user accounts. The intent of this policy is to protect access to Sensitive Data. This policy was developed and reviewed by members of the Georgia Tech technical community, including OIT, the campus IT Directors, department CSRs (Computer Support Representatives), and the campus CSS (Computer Service Specialists) group.

Policy Statement: 
Password Policies

Protection of Passwords

Georgia Tech users must take all reasonable measures to protect their passwords and accounts.

Per the CNUSP, each user is accountable and responsible for any action taken with that user's account and password.

Password Complexity

Georgia Tech Users are required to use strong, complex passwords for user accounts on Georgia Tech systems.

The stronger and more complex the password, the less likely it is to be “cracked” by an attacker.

Password Expiration

Georgia Tech user passwords must be set to expire according to the requirements set forth in the Georgia Tech Password Standard.

Changing passwords regularly helps to reduce the potential for a password being “cracked” by an attacker.

Reuse of Passwords

Users must not reuse their last three passwords when choosing a new password.

Additionally, password history checking on password systems should be enabled to prevent the reuse of the last three passwords of the user.

Scope: 

This Institute-wide policy applies to all accounts created on operating systems, applications, databases, network devices, and any other device that may require an account and password. BIOS passwords are excluded from this policy. If the computer, server, or network device being implemented cannot support password complexity, expiration, or reuse, then a policy exception request may be filed per the Information Security Exception Policy. However, users are responsible for adhering to the Password Standards for creating a strong password. Services covered by this policy include:

  • OIT-managed Kerberos
  • OIT-managed Georgia Tech Active Directory (GTAD)
  • OIT-managed Georgia Tech Enterprise Directory (GTED)
  • OIT or centrally-managed systems
  • Unit-managed systems
  • Network equipment
  • Enterprise databases
  • Any system containing sensitive data

The Institute recognizes that in some cases, research devices or equipment will not be able to adhere to the provisions of this policy. In these cases, the Unit may file a blanket Policy Exception request for groups or classes of devices. In some cases, these devices, equipment, or computers may require additional safeguards such as separation from the Unit’s production network.

Policy Terms: 

Password Complexity
Passwords with multiple types of characters including upper and lower case letters, numbers, and special characters (e.g. %$#@!).

Password Expiration
The date/time at which a password is no longer valid. For example, Georgia Tech account passwords “expire” after 120 days, at which time a user must choose a new password.

Password Strength
The measurement of the effectiveness of a password. Password strength is based on the length, complexity, and randomness of the password.

Password Length
The number of characters in a password. Length directly affects a password's resistance to brute-force attack and is therefore a major contributor to its strength.

Password Randomness
Random passwords consist of a string of symbols of a specified length taken from some set of symbols using a random selection process in which each symbol is equally likely to be selected.

Procedures: 

The policy statements below apply to all Georgia Tech account holders and users of Georgia Tech IT (Information Technology) resources including but not limited to students, applicants, faculty, affiliates, staff and contractors.

Protection of Passwords
Georgia Tech user account passwords must never be transmitted over the network in a clear text format.
Passwords must be protected at all times, and measures must be taken to prevent disclosure to any unauthorized person or entity.
Password repositories must ensure the protection and integrity of passwords.
Application passwords must be protected and changed regularly, in the same manner as user accounts or system passwords.
Passwords must be protected during distribution to the end user.
Temporary passwords must be changed immediately upon completion of the assigned task.
Default passwords for new network devices, printers, operating systems, applications, and databases must be changed.
Users must never share or divulge their password to anyone. Georgia Tech will never ask a user to disclose their password for any reason, including, but not limited to, via email or telephone.
Users should be able to change their own passwords. Users should not use Georgia Tech passwords for personal logins to external sites.

Password Complexity

Password complexity must be enabled on the technology being implemented where possible and meet the following standards:

Contain at least 11 characters

Contain characters from at least three of the following four character classes:
  • Upper case alphabetic (e.g. A-Z)
  • Lower case alphabetic (e.g. a-z)
  • Numeric (e.g. 0-9)
  • Special characters (e.g. .,!@#$%~)

If the technology cannot meet the minimum password complexity requirements, then the service manager must apply for an Information Security Policy Exception.

Bad Passwords

Users should avoid the following when constructing a password. A password should NOT be:

  • A word found in a dictionary
  • A variation of the user’s name or user ID
  • A commonly known fact about yourself
  • A family member’s name or birth date
  • A pet’s name
  • A school or school mascot
  • Other personal information such as a social security number, bank PIN, or telephone number

Password Recommendations

Common recommendations for how to improve the strength of your password include:

Use a pass phrase instead of a password and inter-mix numbers and special characters with letters

  • For example, $hak3 a L3g

Take a common quote and use the first letters out of the quote with the recommendations above

  • For example, “I spent too much at the fair last night” becomes I$2maelnn


Password History

Password history must be enabled on the technology being implemented where possible and meet the following standards:

A password must not be one of the last three passwords previously used.

If the technology cannot meet the minimum password history requirement, then the service manager must apply for an Information Security Policy Exception.
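As an added example (not part of the policy and not Georgia Tech's own code), the following Python script applies the complexity, bad-password and history rules above to a candidate password: at least 11 characters, at least three of the four character classes, not a dictionary word, not a variation of the user ID, and not one of the last three passwords. The dictionary list, the leet-substitution table, the interpretation of "variation of the user ID", and the salted PBKDF2 history store are assumptions about how to implement rules the policy states only in prose; the sample passwords and user ID are constructed.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Set, Tuple

MIN_LENGTH = 11      # "Contain at least 11 characters"
MIN_CLASSES = 3      # "at least three of the following four character classes"
HISTORY_DEPTH = 3    # "must not be one of the last three passwords previously used"

# Constructed stand-in for a real dictionary / common-password list (assumption).
DICTIONARY_WORDS: Set[str] = {"password", "welcome", "football", "georgia", "buzz"}

# Common leet substitutions undone before the dictionary and user-ID checks.
# Assumption: the policy says "variation of the user's name or user ID" without
# defining it; undoing these substitutions is one reasonable interpretation.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a"})


def letters_only(text: str) -> str:
    """Lowercase and keep only a-z, so 'Welcome2024!' becomes 'welcome'."""
    return re.sub(r"[^a-z]", "", text.lower())


def word_forms(text: str) -> Set[str]:
    """Letter-only forms of the text, with and without leet substitutions undone."""
    return {letters_only(text), letters_only(text.lower().translate(LEET))}


def character_classes(password: str) -> int:
    """Count the distinct classes present: upper, lower, digit, special.
    Assumption: whitespace counts toward length but is not a class of its own."""
    upper = any(c.isupper() for c in password)
    lower = any(c.islower() for c in password)
    digit = any(c.isdigit() for c in password)
    special = any(not c.isalnum() and not c.isspace() for c in password)
    return sum((upper, lower, digit, special))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 for the history store; returns (salt, digest).
    Storing only hashes means the history store never holds usable passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def in_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the password matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def check_password(password: str, user_id: str,
                   history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return every policy violation found; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    forms = word_forms(password)
    if forms & DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    uid = letters_only(user_id)
    if uid and any(uid in f or uid[::-1] in f for f in forms):
        problems.append("contains a variation of the user ID")
    if in_history(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample: three previous passwords already in the history store.
    previous = [hash_password(p) for p in ("OldPass#2012a", "OldPass#2012b", "OldPass#2012c")]
    for candidate in ("$hak3 a L3g", "Welcome2024!", "gburdell1!Abc", "OldPass#2012c"):
        verdict = check_password(candidate, "gburdell", previous)
        print(f"{candidate!r}: {', '.join(verdict) if verdict else 'OK'}")
```

The history check keeps only the last three (salt, digest) pairs in scope, so a fourth-oldest password becomes reusable exactly as the standard allows, and the comparison uses a constant-time digest compare rather than storing the old passwords themselves. The dictionary check compares whole words rather than substrings so that pass phrases such as the policy's own "$hak3 a L3g" are not rejected for containing common words.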

Password Expiration

Expiration Settings
Expiration of passwords and password aging must be enabled on the technology being implemented where possible.

Temporary passwords for new accounts, temporary IDs, and password resets must be set to expire immediately, thus forcing users to change their password upon their next login opportunity.

User Accounts

All user account passwords must expire within 120 days.

For accounts that have a higher level of access and are accessible from off-campus, we recommend a shorter expiration period of 60 days or moving to a multi-factor authentication system. Accounts that would qualify include:

  • “Root” or “Administrator” accounts (or equivalent accounts)
  • Database Administrator accounts
  • Domain Administrator accounts

Service Accounts

Passwords for service (non-interactive) accounts must be changed every 365 days. If a compromise of the account is suspected, the password must be changed immediately.

Examples include accounts used by scripts while they are running.

Passwords & Research Equipment

Research Equipment
Research equipment with embedded operating systems, or research computers that are used to control equipment, including data acquisition instruments, are exempted from the provisions of this Standard as long as the Unit has filed a blanket policy exception request.


Policy Modifications

This policy may be changed by directive from the responsible university officer. The Computer & Network Security Procedures may be changed by directive from the Georgia Tech Associate Vice President and Associate Vice-Provost for Information Technology. Any changes to the policy or procedures must be promptly communicated to the individuals and offices noted below under Communication.

Communication

Upon approval, this policy shall be published on the Georgia Tech website. The following offices and individuals shall be notified via email and/or in writing upon approval of the policy and upon any subsequent revisions or amendments made to the original document:

  • Office of Information Technology (OIT)
  • Campus Deans and Chairs
  • Unit Business/Administrative Leads
  • Georgia Tech IT Directors
  • ITAC
  • Campus CSRs
  • Internal Audit
  • Office of Legal Affairs

Responsibilities: 

GT security policies and standards specify the minimum requirements that must be met throughout Georgia Tech’s IT environment.

OIT-IS: Georgia Tech’s OIT Information Security (IS) group is responsible for developing and maintaining this policy as well as facilitating regular reviews of this policy.

OIT: Georgia Tech OIT has the authority to approve and recommend central password management solutions for campus. OIT is also responsible for setting the password mechanisms for the centrally managed campus services including but not limited to Kerberos, Prism, GTED, and GTAD.

Units: Georgia Tech Academic and Administrative Units are responsible for setting the password mechanisms on systems and devices that they maintain to conform to the Georgia Tech Password Policy and Standard. Where possible, Units should leverage the existing central password systems. Unit Heads are responsible for communicating the provisions of this policy to users of any system or application they administer.

Users: Users are responsible for knowing and complying with this policy. Georgia Tech users (including students, faculty, staff, and student workers) are responsible for keeping their passwords safe and secure. This includes not sharing the password with other parties as well as not storing the password in an unsafe manner (e.g. writing it down on a piece of paper or storing it in an unencrypted computer file).

Enforcement: 

Compliance

All Georgia Tech faculty and staff that manage systems or devices that have user accounts and passwords are expected to abide by the provisions in this policy. Likewise, all Georgia Tech users with an account of any type are expected to abide by the provisions. Failure to comply with the provisions of this policy may result in loss of usage privileges or other administrative sanctions as referenced by the CNUSP.

Policy History: 
Revision Number  Author          Description
1.0              Richard Biever  Initial Draft
1.1              Richard Biever  Review/Changes from ITAC
1.2              Richard Biever  Initial Release
1.3              Jimmy Lummis    Updated Procedures

Compliance and Policy Management
760 Spring Street N.W. Suite 324
Phone: 404-385-0731