Information Technology Procedure - Passwords

Section 1 - Purpose

(1) This procedure supports the Information Technology Policy and sets out Charles Sturt University's (the University) standards regarding passwords and personal identification number management (including strength, quality, creation, protection, storage, re-use and resetting) and maintenance.

Scope

(2) This procedure applies to all authorised users who:

Section 2 - Policy

(3) See the Information Technology Policy.

Section 3 - Procedures

(4) Passwords are the primary authentication credential used by the University's ICT systems to verify the identity of individuals wanting to gain authorised access.

(5) Poor choice of passwords and/or poor password management may present an unacceptable risk to staff, students and University information in the form of unauthorised disclosure, loss of integrity and/or loss of information availability.

Responsibilities

(6) The Division of Information Technology is responsible for the provisioning, storage and management of centralised password datasets used for authentication to applications and ICT services listed in the University's Applications Portfolio.

(7) Authorised users are responsible for:

(8) Application custodians of systems that are not listed in the Applications Portfolio or not using centralised authentication systems are required to comply with this procedure regarding the provisioning, storage and management of password datasets used for authentication.

(9) Exemptions to this procedure must be approved in writing by the Chief Information and Digital Officer.

(10) At the discretion of the Chief Information and Digital Officer, ICT systems that do not comply with this procedure may be removed from operation until compliance can be demonstrated or an exemption approved.

(11) Failure to comply with this procedure through deliberate, malicious or negligent behaviour may result in disciplinary action as per the University's misconduct processes.

(12) All passwords are classified as Highly Confidential as per the University's Data security classification scheme.

Password strength and changing

(13) User password strength and complexity are based on the minimum requirements for single-factor authentication as defined by the Australian Government Information Security Manual (ISM). These minimum requirements will also be applied to systems and passwords using multi-factor authentication.

(14) All passwords must meet the following requirements for strength and frequency of change:

(15) Passwords for all accounts must be:

| Account type | Password strength | Change frequency |
| Authorised user accounts | At least eight characters long and including at least three of the following: | 120 days |
| Privileged user accounts | At least 11 characters long and including at least three of the following: | 90 days |
| Service accounts | Same as privileged user accounts | 180 days |

(16) Passwords must not be re-used for six consecutive changes.

(17) Passwords cannot be changed by the authorised user more than twice a day.

(18) Personal identification numbers (PINs) must be difficult to guess and not a repetition of the same digit.

Password use and storage

(19) Passwords and PINs are only to be used by an authorised user and must not be:

(20) If the confidentiality of a password or PIN is in doubt, it must be changed immediately.

(21) If the confidentiality of a password or PIN has been compromised, the Division of Information Technology will:

(22) The use, storage and/or transport of plain text passwords is prohibited.

(23) Authentication systems must not store passwords or PINs in a viewable or recoverable format.

(24) A record of all account registration, history, status and revocation must be kept for seven years and six months after expiration or revocation (whichever is later).

Applications and systems

(25) To facilitate compliance with this procedure, the University's applications and systems must use centralised enterprise authentication systems where practicable.

(26) Where it is not practicable to use the centralised enterprise authentication system:

(27) Alternate authentication mechanisms that do not use passwords or PINs (e.g. biometric authentication, tokens, certificates) may only be used after consultation with and approval from the Chief Information and Digital Officer or delegate.

(28) Forgotten, expired or locked-out passwords must be reset and not recovered.

(29) Authentication mechanisms must disable user and privileged accounts for a period of 30 minutes after multiple consecutive failed authentication attempts.

(30) Authentication mechanisms involving the use of passwords must use secure, strong encryption protocols in the transport of account information.

(31) Applications must provide role management to allow one authorised user to undertake the functions of another without the need to share passwords.

Section 4 - Guidelines

(32) Nil.

Section 5 - Glossary

(33) This procedure uses terms as defined in the Information Technology Policy, as well as the following:
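The following is an added illustration, not code from Charles Sturt University or its Division of Information Technology, of how an application custodian might enforce the strength, re-use, change-frequency, storage and lockout rules of this procedure in one place. It assumes the usual four character classes (lowercase, uppercase, digit, symbol), since the category list in the strength table did not survive on the page, and assumes a threshold of five failed attempts for "multiple consecutive failed authentication attempts"; both are marked as assumptions in the code. Passwords are stored only as salted PBKDF2 hashes, so nothing viewable or recoverable is kept.

```python
"""Added example: enforcement model for the password procedure above.
Not University code. Character classes and the failure threshold are assumed."""
import hashlib
import hmac
import os
import re

# Minimum length per account type, from the strength table above.
MIN_LENGTH = {"authorised": 8, "privileged": 11, "service": 11}
# Maximum password age in days, from the change-frequency column above.
MAX_AGE_DAYS = {"authorised": 120, "privileged": 90, "service": 180}
# ASSUMED: the table says "at least three of the following" but the category
# list is not on the page; the four conventional classes are used here.
CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
MIN_CLASSES = 3
HISTORY_DEPTH = 6          # clause (16): no re-use for six consecutive changes
MAX_CHANGES_PER_DAY = 2    # clause (17)
LOCKOUT_SECONDS = 30 * 60  # clause (29)
MAX_FAILURES = 5           # ASSUMED: "multiple" is not quantified on the page
DAY = 86400
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are kept (clause 23)."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against a stored salt+digest record."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_strength(password: str, account_type: str) -> list:
    """Return the strength rules the password breaks (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < MIN_CLASSES:
        problems.append(f"only {len(present)} of {len(CHARACTER_CLASSES)} character classes")
    return problems


class Account:
    """One account's password state; times are epoch seconds (int)."""

    def __init__(self, account_type: str):
        self.account_type = account_type
        self.history = []       # salted hashes, newest last
        self.change_times = []  # when each change was made
        self.failures = 0
        self.locked_until = 0

    def set_password(self, new: str, now: int) -> list:
        """Apply strength, history and change-frequency rules; return problems."""
        problems = check_strength(new, self.account_type)
        if any(verify_password(new, h) for h in self.history[-HISTORY_DEPTH:]):
            problems.append("matches one of the last six passwords")
        if sum(1 for t in self.change_times if now - t < DAY) >= MAX_CHANGES_PER_DAY:
            problems.append("already changed twice in the last day")
        if problems:
            return problems
        self.history.append(hash_password(new))
        self.change_times.append(now)
        return []

    def expired(self, now: int) -> bool:
        """True when the current password is older than the table allows (or never set)."""
        if not self.change_times:
            return True
        return now - self.change_times[-1] > MAX_AGE_DAYS[self.account_type] * DAY

    def authenticate(self, password: str, now: int) -> bool:
        """Verify against the newest hash; lock for 30 minutes after repeated failures."""
        if now < self.locked_until:
            return False  # still inside the lockout window, even if correct
        if self.history and verify_password(password, self.history[-1]):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return False


if __name__ == "__main__":
    acct = Account("authorised")
    print(acct.set_password("Tr0ub4dor&3", now=0))     # []
    print(acct.set_password("Tr0ub4dor&3", now=3600))  # re-use rejected
```

The history check compares the candidate against stored hashes rather than stored plain text, which is what keeps clause (22) and clause (23) satisfied while still honouring clause (16); the cost of that is one PBKDF2 computation per remembered password, which is acceptable at a history depth of six.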