Call IT Support Email IT Support

Password Management

Defining the University’s approach to password management

Policy Statement

This control procedure defines the University’s approach to password management, and directly supports the following policy statement from the Information Security Policy:

Access to all information will be controlled and will be driven by business requirements. Access will be granted or arrangements made for users according to their role, only to a level that will allow them to carry out their duties.

A formal user registration and de-registration procedure will be maintained for access to all information systems and services. This will include mandatory authentication methods based on the sensitivity of the information being accessed, and will include consideration of multiple factors as appropriate.

Specific controls will be implemented for users with elevated privileges, to reduce the risk of negligent or deliberate system misuse. Segregation of duties will be implemented, where practical.

Audience

This procedure is intended to be read and understood by all users of University IT systems. It is of particular relevance to IT administrators responsible for managing authentication systems.

Control Statements

The University will use passwords, passphrases or other secret authentication information to protect user accounts, in order to maintain the security of information.

Information systems should not require staff to share accounts or passwords to get their job done.

Deliberate disclosure of a University password or attempts to discover another user’s password are disciplinary offences, subject to the University’s Disciplinary Procedure.

These controls are designed to protect against both opportunistic and focused attack. Ease of use will be balanced with security.

  1. Password management 
  2. Password reuse
  3. Biometrics
  4. Multi-factor authentication
  5. Knowledge-based authentication (KBA)

1. Password management

In line with current guidance from the UK’s National Cyber Security Centre, the University promotes the use of length rather than character sets to achieve complexity. This makes it more likely that the password will be resistant to common attacks, but remain memorable for the user.

Good advice on password management can be found at the following sites:

Get Safe Online

Cyber Aware

National Cyber Security Centre

A useful technique for creating strong but memorable phrases is to pick three four random words and concatenate these to form a long text string. Even better is to think of a sentence or phrase, which is more likely to include punctuation and capitalisation.

However, passwords should not be easy to guess for those who know or can research you. This explains the common guidance to avoid discoverable information such as significant dates, names and places.

Regardless of the expiry period set by a system, if a user has any reason to believe that their password has been compromised they should take immediate action to change the password to minimise any further risk to their account, and contact the IT Helpline.

If a member of staff forgets their password, they can reset it using the secure, self-service password reset facility or by contacting the IT Helpline. IT staff will only change a password and unlock an account once they are satisfied that the individual making the request is who they claim to be.

The University supports the use of self-service reset tools where available, and specifically Microsoft’s Self Service Password Reset service (SSPR). These should be configured to reasonably verify the identity of the requestor, preferably via a token-generating service such as Google Authenticator rather than requiring information known to the requestor.

The University’s primary access management system is Microsoft Active Directory. This allows a fine grained password policy for each of the different user types connecting to the network. This currently consists of Students, Staff and Administrators.

The University will prohibit the use of common passwords even where these meet the requirements of the Active Directory fine grained password policy. Once implemented, this will be achieved by checking against a blacklist of common passwords revealed following data breaches. This will help to mitigate the risk of dictionary attacks against University systems.

Service accounts and root passwords should be set once with strong passwords consisting of at least 16 characters and changed immediately if they are believed to have been compromised. All default passwords should be reset during implementation.

New account passwords are configured to the following settings from early 2019, and subsequent resets should meet these requirements. All new passwords should be changed at first log-in.

 

Student

Staff

Admin

SAP    

Service

Test

Password Complexity

Enabled

Disabled

Enabled

Enabled

Disabled

Disabled

Password History Length

12

12

20

5

12

12

Minimum Password Length

8

16

16

8

16

16

Minimum Password Age

Disabled

Disabled

Disabled

Disabled

Disabled

Disabled

Maximum Password Age

425

730

90

30

10000

90

Lockout Threshold

10

50

5

3

5

50

Lockout Observation

5

30

30

  30 15

Lockout Duration

10

30

30

 User requires manual unlock 30 30

 

2. Password reuse

Passwords should not be reused across services/systems, otherwise a compromise associated with one account could lead to the trivial compromise of others. If you do suspect that an account has been compromised and you have reused passwords, you should change your password on all potentially affected accounts.

As a minimum, it is required that users do not reuse their University systems password on any other account; it is essential that University accounts are not put at risk by password reuse in a user’s personal life.

The University supports the use of password management systems to help ensure that the numerous passwords required by most people can be complex and still memorable/accessible. Please contact the Information Security Team for further advice.

Default passwords must be changed when new systems are implemented. These passwords are often in the public domain or discoverable via the physical device, so represent a significant weakness in security.

3. Biometrics

The University supports the use of biometric authentication where this is supported by the hardware and software handling the authentication. Implementations of biometric authentication should be discussed with the Information Security team.

4. Multi-factor authentication 

The University advocates the use of multi-factor authentication for systems and levels of access that represent a higher risk. This is especially valuable for internet-facing systems where the University cannot control the device being used to access the system.

5. Knowledge-based authentication (KBA)

Where possible, the University we will avoid the use of KBA – questions like ‘What school did you go to?’ or ‘What is your mother’s maiden name?’ – when confirming identities, due to the ease with which such information can be discovered.

Compliance

Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.

Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.

Related documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.

Browse Information Security policies and control procedures

Review

A review of this policy will be undertaken by the Information Security teamr annually or more frequently as required, and will be approved by the Information Governance Board.

Information Security