SLAC Computer Security
Password Policy

To access SLAC accounts, associated data, computing and network resources, SLAC requires use of a secure password that meets its password requirements.

Exceptions

Any exceptions to this policy must be submitted in writing, with a business justification, to and approved by SLAC Computer Security Officer or designee.

Background

Each user of SLAC's information resources is responsible for all usage of the accounts under their purview. Access to those accounts, along with the associated data, computing and network resources, is controlled (imperfectly) by requiring the user to enter a password. The password must comply with the password requirements below. Passwords should not be shared. It is important to select a good password so that it cannot be easily guessed.

Types of Systems at SLAC

Important systems (Accelerator Controls, Business Information Systems) have separate requirements for the passwords that provide access to them. Your password for each of these systems should be different from all of your other passwords, and it is strongly suggested that you use a different algorithm for selecting these passwords. These passwords should be more difficult to guess, and they should be changed after you access the systems from outside the SLAC internal network (some of these systems are not accessible from outside the internal network) and any time someone in the workgroup moves to a different area of responsibility or ends their affiliation with SLAC. Certain areas or job functions may require more frequent password changes.

Research systems (the Unix farms, the SLAC Windows Domain, and non-Controls VAX/VMS systems) all have roughly the same level of security, and there are reasonable productivity advantages to using the same password for all of them. The password used for these systems should be different from the password used for any non-SLAC accounts you have. (Most recent security incidents have resulted from reusing, on SLAC systems, a password that was also used on an external account that was compromised.)

Productivity systems (voicemail, modem dialup) should have different passwords than those systems above. Password policies for these systems vary widely and cannot reasonably be made congruent.

General Password Requirements

The password requirements are:

When you change passwords, it is recommended you change them on the most restrictive system first and then make the change on the less restrictive systems. Unix and VAX/VMS systems are the most restrictive systems for selecting a password, followed by Windows.

(1) If your password expires, your account will be disabled. You will need to contact Account Services to change your password and re-enable your account.

Note: Individual computer systems may impose password requirements that are more stringent than the general requirements. For example, Oracle passwords follow the general password guidance except that they are case insensitive; mixing upper- and lower-case letters therefore adds nothing, so the password must contain a combination of letters, numbers, and special characters. When you change your password, the underlying system may test the new password for compliance, e.g. using cracklib, before accepting it.

The requirements for changing passwords have been made to conform to one another as closely as possible, but there are still variations between systems. Please be aware that Unix-style utility programs such as 'ftp' and 'telnet', as well as some client e-mail software for POP and IMAP, send your password across the network in clear text.

If the password is not obscured automatically as you type it, you must manually clear the password from the screen as soon as possible.

Link to Password Change Instructions

Owner: SLAC Computer Security
Last Updated: 01/05/2012
Feedback: Please send to Computer Security Feedback