Roane State Community College
Policy Number: GA-18-09
Subject: Strong Password
The policies and procedures outlined in the following document apply to all Roane State Community College faculty, staff, students, visitors, and contractors. This policy applies to all academic, administrative, networking and microcomputer resources leased or installed at all Roane State Community College (RSCC) locations.
In addition to the policies listed below, all users are subject to existing state and federal laws along with institutional and Tennessee Board of Regents (TBR) regulations concerning the use of computers, email, and the Internet.
Password - A password is a string of characters used for authenticating a user on a computer system.
Privileged Account – Privileged accounts are those accounts with administrative or root access to a system and used for the administration of an application or database. Example: Oracle database administration, Banner, etc.
System Account - Accounts used for automated processes without user interaction or device management.
- Compliance with TBR Policies
To the extent a discrepancy exists between this policy and related TBR or state policy or law, TBR and state policy shall take precedence.
Passwords are an important aspect of computer security. They are the front line of protection for user accounts including network login, email accounts, and web accounts. Poorly constructed passwords may result in the compromise of Roane State’s entire network and its data. Given the threat to personally identifiable information, this policy is provided as one means to safeguard that information.
The purpose of this policy is to establish a standard for the creation, use and protection of passwords by Roane State faculty, staff, and students. This policy also sets forth the frequency of change required for passwords.
All users of Roane State information systems will have a unique user identification and password.
- User Passwords - Change all user level passwords (network logon, portal, etc.) every semester.
- Students are exempt from password changes required by this policy.
- Privileged Accounts – Users with privileged accounts must change their passwords every 60 days.
- System Accounts – System Account passwords are not required to expire, but must meet the password construction requirements defined in this policy.
- Vendor provided passwords must be changed upon installation using the construction standards in this policy.
- User accounts that have system-level privileges granted through group membership or programs such as “sudo” must have a unique password from all other accounts held by that user.
- Where Simple Network Management Protocol or SNMP is used, the community strings must be defined as something other than the standard defaults of “public,” “private” and “system” and must be different from the passwords used to log in interactively. A keyed hash must be used where available and technically feasible (e.g. SNMPv2 or v3).
- Passwords must not be sent by email messages or other forms of electronic communications. Exception: Sending an initial password that must be changed on login.
- All user-level and system-level passwords must conform to the guidelines for strong passwords as described later in this document.
- Password parameters will be set to prevent users from reusing the past ten (10) passwords.
- The minimum age duration for passwords will be one day.
- Password grace periods will be thirty (30) days during which the user will be warned the password is due to expire.
- Accounts will be locked after five (5) attempts. User must contact the Help Desk or Administrative Systems to reset.
- Faculty and staff desktops will be locked after 60 minutes of inactivity requiring a logon using their password.
- Lab computers will be logged out after 15 minutes of inactivity requiring users to logon using their password.
- Passwords must be changed immediately if any of the following events occur:
- Unauthorized password discovery or use by another person.
- System compromise… any unauthorized access to a system or account.
- Insecure transmission of a password.
- Accidental disclosure of a password to an authorized person.
- Status changes for personnel with access to privileged and/or system accounts.
- Guidelines - General Password Construction
- Weak passwords have the following characteristics:
- Contains less than eight (8) characters
- Is a word found in a dictionary (English or foreign)
- Common use words such as names of family, pets, friends, co-workers, fantasy characters, computer terms, commands, sites, companies, hardware, or software should not be used. Any of the above preceded or followed by a digit.
- Strong Passwords have the following characteristics:
- Contain a minimum of eight (8) characters consisting of three (3) of the following four (4) character categories. These will be enforced.
- English upper case characters (A-Z)
- English lower case characters (a-z)
- Base 10 digits (0-9)
- Non alphanumeric characters (~!#%*?_-) NOTE: Banner and Oracle have restrictions on the use of special characters. Do not use the following for such accounts: ` ‘ @ $ ^ & ( ) ; “ < >
- The following are recommended:
- Is not a word in any language, slang, dialect, or jargon, etc.
- Is not based on personal information.
- Use of Passphrases
Passphrases are longer versions (23 character minimum) of passwords and is therefore inherently more secure. A passphrase is typically composed of multiple words and therefore provides more security against “dictionary” attacks. An example is “This May Be One Way to Remember” and the passphrase could be “ThisMaybeOneWaytoRemember” or reduced to “TmB1w2R!” Another example: “IamtheCapitanofthePina4”. According to the National Institute of Standards and Technology (NIST) this passphrase of at least 23 characters contains a 45 bit strength.
Use of passphrases is encouraged as an alternative to passwords because they are generally easier to remember.
- Password Protection Standards
- Do not use the same password for Roane State accounts as used to access non-Roane State accounts (e.g., personal Internet Service Providers such as MSN, Yahoo, Google, trading accounts, banking accounts, etc.).
- Do not share your Roane State account information with anyone, including administrative assistants, secretaries, or supervisors. All passwords are to be treated as sensitive and confidential RSCC information.
- Here is a list of don’ts for password security:
- Don’t reveal a password over the phone to anyone.
- Don’t reveal a password in an email message. An exception is transmittal of an initial or reset password that must be changed upon access.
- Don’t reveal your password to your boss.
- Don’t talk about your password in front of others.
- Don’t hint at the format of your password… “my family name”, etc.
- Don’t reveal your password on questionnaires or forms.
- Don’t share your password with family members.
- Don’t give your password to someone when leaving for vacation.
- Don’t use the “Remember Password” feature in applications.
- Don’t write your password on a post-it-note, leave it under your keyboard, or leave it “hidden” somewhere in your office.
- Don’t store your password on another device such as a Personal Digital Assistant (PDA) or USB drive without encryption. You may use a password storage utility as long as it encrypts the stored data; in addition, ensure it is protected by a strong password.
- Report the incident to the Information Technology office immediately and change all passwords if you suspect your password has been compromised.
- The Office of Information Technology or its designee may periodically run password “cracking” or “guessing” utilities to assess the compliance of this policy. If the password is “guessed” or “cracked” during this scan, users must change passwords.
- Where technically feasible, provide role management such that one user can perform the functions of another user without having to know the other users password.
- Enforcement and Compliance
Any employee found in willful violation of this policy may be subject to disciplinary action. Justification for exceptions to this policy must be approved in writing by the president.
- Responsible Party
The Assistant Vice President of Information Technology and CIO shall be responsible for development and maintenance of this policy for issuance by the president.
Original Date Effective: 03/03/2014
Original Approval By: Christopher L. Whaley, President
Office Responsible: Executive Vice President for Business & Finance
© Roane State Community College
Roane State Community College is a TBR and AA/EEO employer and does not discriminate against students, employees, or applicants for admission or employment on the basis of race, color, religion, creed, national origin, sex, sexual orientation, gender identity/expression, disability, age, status as a protected veteran, genetic information, or any other legally protected class with respect to all employment, programs and activities sponsored by Roane State. View full non-discrimination policy.
Report Fraud, Waste and Abuse
Digital Millennium Copyright Act of 1998