|
|
SLAC Computer Security | ||
| SLAC Home | Computing Home | Computing Outages | Help | |||
Password PolicyEach user of SLAC's information resources is responsible for all usage of the accounts under their purview. Although far from perfect, the access to those accounts, along with associated data, computing and network resources is controlled by requiring the user to enter a password. It is important to select a good password to keep it from being easily guessed.
Most of the policy below is from the Cyber Security Protection Program (CSPP) approved by SLAC Computer Security Committee, CIO and DOE.
- Types of Systems at SLAC
Important systems (Accelerator Controls, Business Information Systems) have separate requirements for passwords providing access to their systems. Your password for each of these systems should be different than any of your other passwords and it is strongly suggested you use a different algorithm for selecting these passwords. These passwords should be more difficult to guess, and should be changed after you access the systems from outside the SLAC internal network (some of these systems are not accessible outside the internal network) or any time someone in the workgroup moves to a different area of responsibility or terminates their affiliation with SLAC. Certain areas or job functions may require more frequent password changes.
Research systems (the Unix farms, the SLAC Windows Domain, and non-Controls VAX/VMS systems) all have roughly the same level of security and there are reasonable productivity advantages from using the same password for all these systems. The password used for these systems should different than that used for non-SLAC accounts you may have access to. (Most recent security incidents are the result of having the same password on external accounts which were compromised.)
Productivity systems (voicemail, modem dialup) should have different passwords than those systems above. Password policies for these systems vary widely and cannot reasonably be made congruent.
- General Password Policies
The policies on changing passwords for the various computer systems have been made to conform as closely as possible, but there are still variations. Please be aware that Unix-style utility programs such as 'ftp' and 'telnet', as well as some client e-mail software for POP and IMAP, can send the clear-text of your password across the network.
When you change passwords, it is recommended you change them on the most restrictive system first and then make the change on the less restrictive systems. Unix and VAX/VMS systems are the most restrictive systems for selecting a password, followed by Windows.
The password policies are:
- Maximum age of 180 days or 6 months;
- Minimum of 8 characters;
- Cannot be dictionary words, your name, your account name, or common strings;
- Use 3 of 4 charsets (upper, lower, number, special);
- Memory of 5 previous passwords;
- Lockout of account after 5 bad passwords in a 5 minute interval for a period of 30 minutes;
- Cannot be an incremented password based on a small change to an existing password;
- At least three characters must be changed in the password (requirement for Oracle passwords).
Oracle passwords will follow the general password guidance, except that they are case insensitive. Therefore the password must contain a combination of letters, numbers, and special characters.
If the password is not obfuscated automatically then you must manually clear the password off the screen ASAP.
- Password Change Instructions
Owner: SLAC Computer Security |