Description
Applicability
-
The intended audiences are university employees who are required to ensure that password-based authentication procedures are followed (e.g., unit heads, information resource owners and custodians); and, those individuals who need to be aware of the procedures (e.g., non-technical university employees, staff, faculty, student, guest, or visitor). This Control also applies to any other entity that uses university information resources that require authentication
Implementation
-
1
Passwords must be treated as confidential information:
-
1.1
If the confidentiality of a password is in doubt, the password shall be changed immediately.
-
1.1
-
2
Users must change default or assigned passwords where possible.
-
3
Passwords shall be protected both in storage and in transit.
-
3.1
When passwords are stored, they shall be encrypted using current Advanced Encryption Standard (AES) approved algorithms.
-
3.2
Passwords that must be transmitted shall be encrypted.
-
3.3
Temporary passwords that are transmitted for the sole purpose of establishing a new password or changing a password can be excepted from the requirement to encrypt provided it is a one-time transmission and the user must also change the password upon first logon.
-
3.4
Whenever possible, passwords should be stored as hashes instead of plain text passwords. Hashes should include current AES approved algorithms, be salted, and each salt should be varying across the account population.
-
3.1
-
4
Forgotten passwords shall not be reissued, but rather replaced with a new password.
-
5
If a user requests a password change, the identity of the user must be verified before the password is changed (see AC-2 Account Management):
-
5.1
The password must be changed to a temporary password; and
-
5.2
The user must change the temporary password at first logon (where applicable).
-
5.1
-
6
Where possible, passwords that are user selected shall be checked by a password audit system, including complexity features, that adheres to the criteria in Section 9.
-
7
When automated password generation programs are utilized:
-
7.1
Non-predictable methods of generation must be employed;
-
7.2
Systems that auto-generate passwords for initial account establishment must, where possible, force a password change upon entry into the system; and
-
7.3
Wherever possible, password management and automated password generation systems must have the capability to maintain auditable transaction logs containing information such as:
-
7.3.1
Time and date of password change, expiration, and administrative reset;
-
7.3.2
Type of action performed; and
-
7.3.3
Source system (e.g. IP and/or MAC address) that originated the change request.
-
7.3.1
-
7.1
-
8
If a password has been compromised, the event shall be reported as a security incident in accordance with Texas A&M Information Security Control IR-6 Incident Reporting.
-
9
Complexity for passwords used for authentication must meet at least one of the following requirements:
-
9.1
The password is a randomly generated with more than 2**39 possibilities and must be generated by a password method approved by the university Chief Information Security Officer. These types of passwords are often used for machine-to-machine interactions. This type of password never expires.
-
9.2
The password is a passphrase of 16 characters or more. This type of password never expires and has no complexity requirements.
-
9.3
If an authentication mechanism is not configured to accommodate the standards stated in Section 9.1 or 9.2, then passwords must:
-
9.3.1
Be at least eight characters in length;
-
9.3.2
Contain three of the following four groups of characters: lower case letters, upper case letters, symbols or numbers;
-
9.3.3
May not contain anything that can be easily associated with the account owner, such as: username, SSN, UIN, given names or nicknames, birth date, telephone number, etc.;
-
9.3.4
May not be a single dictionary word or an acronym regardless of language of origin;
-
9.3.5
May not be a repetitive sequence; and
-
9.3.6
Must expire after no more than one year.
-
9.3.1
-
9.1