OH-TECH Password Policy

1. General Statement

The OH-TECH computing environment requires passwords in place to help protect access to sensitive layers of the network infrastructure and protected data. The intentions behind publishing a password policy are not to impose restrictions that are contrary to the established culture of openness, trust, and integrity inherent to our organization, but rather to create a commitment to protecting our organization’s resources from potential damage. Since OH-TECH systems are subject to multiple policy-setting organizations, including The Ohio State University and the State of Ohio Board of Regents, this policy attempts to balance multiple password recommendations by adopting a policy that is equivalent to the strongest applicable recommendations.

2. Purpose

The purpose of this policy is to provide guidelines for the use of Passwords for secure access to sensitive infrastructure and information.

3. Scope

This policy applies to all OH-TECH employees, contractors, consultants, temporaries, and other workers, including all personnel affiliated with third parties utilizing Passwords to access OH-TECH managed equipment. In addition, employees must be aware of and adhere to the password policies of the State of Ohio [1] and/or Ohio State University [2] as applicable to the individual or system concerned.

4. Enforcement

Any employee found to have violated this policy might be subject to disciplinary action, up to and including termination of employment.

5. Two-factor Authentication

At the direction of management, OH-TECH may require two-factor login to certain critical or sensitive systems or data. This login is above and beyond the requirements for passwords, and should follow NIST 800-63, Electronic Authentication Guidelines [3]. Issuance of two-factor credentials is subject to approval of OH-TECH management.

6. Single sign-on

Wherever possible, all OH-TECH systems should authenticate users to OH-TECH Identity Management by LDAP, SSO, or Federated Identity.

7. Public/Client-facing systems

Wherever possible, public/client-facing systems that require logins should use Federated Identity to perform trusted login via the user’s client institution.

8. Password Policy

Your password:

  Must be at least 10 characters long.

  Must contain a character from three of the following five groups:

    Uppercase letters: A-Z

    Lowercase letters: a-z

    Numbers: 0-9

    Symbols: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/

    Unicode: any Unicode character that is categorized as an alphabetic character but not uppercase or lowercase. This includes Unicode characters from Asian languages.

  Must not contain your name (account name or real name) or any part of it.

  Should not be found in a dictionary.
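The rules above, expressed as a checker that reports every rule a candidate password violates. This is an added example, not part of the policy or of any OH-TECH system; the Unicode group is mapped to Unicode letter categories other than Lu/Ll, "any part" of the name is assumed to mean the account name plus each whitespace-separated part of the real name, and the dictionary is a small constructed stand-in for a real wordlist.

```python
import unicodedata

# Symbol group exactly as listed in section 8 of the policy.
SYMBOLS = set('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')
MIN_LENGTH = 10
REQUIRED_GROUPS = 3

# Constructed stand-in for a real dictionary wordlist (assumption).
DICTIONARY = {"password", "welcome", "sunshine", "ohiostate"}


def character_groups(password: str) -> set:
    """Return which of the policy's five character groups appear in the password."""
    groups = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if "A" <= ch <= "Z":
            groups.add("upper")
        elif "a" <= ch <= "z":
            groups.add("lower")
        elif "0" <= ch <= "9":
            groups.add("digit")
        elif ch in SYMBOLS:
            groups.add("symbol")
        elif cat.startswith("L") and cat not in ("Lu", "Ll"):
            # Alphabetic but neither uppercase nor lowercase (Lo, Lm, Lt),
            # e.g. CJK ideographs. Note that accented cased letters such as
            # "é" (Ll) fall into no group under the policy as written.
            groups.add("unicode")
    return groups


def name_parts(account_name: str, real_name: str) -> set:
    # Assumption: "any part of it" = the account name plus each
    # whitespace-separated part of the real name, compared case-insensitively.
    parts = {account_name.lower()}
    parts.update(p.lower() for p in real_name.split())
    return {p for p in parts if p}


def check_password(password, account_name, real_name, dictionary=DICTIONARY):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(character_groups(password)) < REQUIRED_GROUPS:
        problems.append("fewer than %d of the 5 character groups" % REQUIRED_GROUPS)
    lowered = password.lower()
    if any(part in lowered for part in name_parts(account_name, real_name)):
        problems.append("contains part of the user's name")
    if lowered in dictionary:
        problems.append("is a dictionary word")
    return problems
```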

Incorrect passwords:

After 5 incorrect password attempts, your account will be locked for 5 minutes before you can try your password again.

Password changes:

You must change your password every 90 days.

You must never reuse passwords.

You must not attempt to change your password more than once a day.

You should change your password through Outlook Web Access (OWA) over SSL or Ctrl-Alt-Delete (on Windows); if locked out, you should contact the Help Desk.

9. Exceptions and Systems with limited capability

Where systems do not have the above login capabilities, they should still follow the same password policy as above. Where systems are prevented from implementing this policy for technical, cost, or performance reasons, they should implement passwords at least as strong as this policy (measured in entropy). Any exceptions to the above must be approved by management, subject to risk analysis.

10. References

[1] State of Ohio Password Policy:
http://www.privacy.ohio.gov/LinkClick.aspx?fileticket=3aFM0Pz7OeU%3d&tab...

[2] Ohio State University Password Policy:
http://ocio.osu.edu/itsecurity/buckeyesecure/passwords/

[3] US NIST Recommended Security Controls for Federal Information Systems and Organizations:
https://csrc.nist.gov/publications/detail/sp/800-53/rev-3/archive/2010-05-01

US NIST Guide to Enterprise Password Management (Draft):
https://csrc.nist.gov/csrc/media/publications/sp/800-118/archive/2009-04-21/documents/draft-sp800-118.pdf