Password management control procedure
Defining the university’s approach to password management.
Password management
Contents
Policy statement
This control procedure defines the university’s approach to password management, and directly supports the following policy statement from the Information Security Policy:
“Access to all information will be controlled and will be driven by business requirements. Access will be granted or arrangements made for users according to their role, only to a level that will allow them to carry out their duties.”
“A formal user registration and de-registration procedure will be maintained for access to all information systems and services. This will include mandatory authentication methods based on the sensitivity of the information being accessed, and will include consideration of multiple factors as appropriate.”
“Specific controls will be implemented for users with elevated privileges, to reduce the risk of negligent or deliberate system misuse. Segregation of duties will be implemented, where practical.”
Audience
This procedure is intended to be read and understood by all users of university IT systems. It is of particular relevance to IT administrators responsible for managing authentication systems.
Control statements
The university will use passwords, passphrases or other secret authentication information to protect user accounts, in order to maintain the security of information.
Information systems should not require staff to share accounts or passwords to get their job done.
Deliberate disclosure of a university password or attempts to discover another user’s password are disciplinary offences, subject to the university’s disciplinary or performance improvement procedures.
These controls are designed to protect against both opportunistic and focused attack. Ease of use will be balanced with security.
- Password management
- Password reuse
- Biometrics
- Multi-factor authentication
- Knowledge-based authentication (KBA)
Password management
In line with guidance from the UK’s National Cyber Security Centre, the University promotes the use of length rather than character sets to achieve complexity. This makes it more likely that the password will be resistant to common attacks, but remain memorable for the user.
Good advice on password management can be found at the following sites:
National Cyber Security Centre
A useful technique for creating strong but memorable phrases is to pick three or four random words and concatenate these to form a long text string. Even better is to think of a sentence or phrase, which is more likely to include punctuation and capitalisation.
However, passwords should not be easy to guess for those who know or can research you. So, you should avoid discoverable information such as significant dates, names and places.
Regardless of the expiry period set by a system, if a user has any reason to believe that their password has been compromised, they should take immediate action to change the password to minimise any further risk to their account, and contact the IT Helpline.
If a student or member of staff forgets their password, they can reset it using the secure, self-service password reset facility or by contacting the IT Helpline. IT staff will only change a password and unlock an account once they are satisfied that the individual making the request is who they claim to be.
The university supports the use of self-service reset tools where available, and specifically Microsoft’s Self Service Password Reset service (SSPR). These should be configured to reasonably verify the identity of the requestor, preferably via a token-generating service such as Google Authenticator rather than requiring information known to the requestor.
The university’s primary access management system is Microsoft Active Directory. This allows a fine-grained password policy for each of the different user types connecting to the network.
The university will prohibit the use of common passwords even where these meet the requirements of the Active Directory fine grained password policy. This is achieved by checking against a blacklist of common passwords revealed following data breaches. This helps to mitigate the risk of dictionary attacks against University systems.
Service accounts and root passwords should be set once with strong passwords consisting of at least 16 characters and changed immediately if they are believed to have been compromised. All default passwords should be reset during implementation.
New account passwords are configured to the following settings, and subsequent resets should meet these requirements. All new passwords should be changed at first log-in.
Student |
Staff |
Admin |
SAP |
Service |
Test |
|
Password Complexity |
Enabled |
Disabled |
Enabled |
Enabled |
Disabled |
Disabled |
Password History Length |
12 |
12 |
20 |
5 |
12 |
12 |
Minimum Password Length |
8 |
16 |
16 |
8 |
16 |
16 |
Minimum Password Age |
Disabled |
Disabled |
Disabled |
Disabled |
Disabled |
Disabled |
Maximum Password Age |
425 |
730 |
90 |
30 |
10000 |
90 |
Lockout Threshold |
10 |
50 |
5 |
3 |
5 |
50 |
Lockout Observation |
5 |
30 |
30 |
Indefinite | 30 | 15 |
Lockout Duration |
10 |
30 |
30 |
User requires manual unlock | 30 | 30 |
Password reuse
Passwords should not be reused across services/systems, otherwise a compromise associated with one account could lead to the trivial compromise of others. If you do suspect that an account has been compromised and you have reused passwords, you should change your password on all potentially affected accounts.
As a minimum, it is required that users do not reuse their University systems password on any other account; it is essential that university accounts are not put at risk by password reuse in a user’s personal life.
The university supports the use of password management systems to help ensure that the numerous passwords required by most people can be complex and still memorable/accessible. Please contact the information security team for further advice.
Default passwords must be changed when new systems are implemented. These passwords are often in the public domain or discoverable via the physical device, so represent a significant weakness in security.
Biometrics
The university supports the use of biometric authentication where this is supported by the hardware and software handling the authentication. Implementations of biometric authentication should be discussed with the information security team.
Multi-factor authentication (MFA)
The university mandates the use of multi-factor authentication for systems and levels of access that represent a higher risk. This is especially valuable for internet-facing systems where the University cannot control the device being used to access the system. The university mandates registration for MFA services for all users, and reserves the right to require MFA depending on conditions, which may change at short notice.
Knowledge-based authentication (KBA)
Where possible, the university will avoid the use of KBA – questions like ‘What school did you go to?’ or ‘What is your mother’s maiden name?’ – when confirming identities, due to the ease with which such information can be discovered.
Compliance
Failure to comply with this procedure could result in action in line with the university’s Disciplinary Procedure or Performance Improvement Procedure.
Compliance checks will be undertaken by the university’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
Related documents
This control procedure needs to be understood in the context of the other policies and procedures constituting the university’s Information Security Management System.
Browse Information Security policies and control procedures
Review
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.
Version | 4.2 |
Release date: | 06/11/2023 |
Review date: | 06/10/2024 |