View Current

Password Procedure

This is the current version of this document. You can provide feedback on this policy to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose

(1) This Procedure sets out Charles Sturt University's standards regarding Password and Personal Identification Number (PIN) management (including strength, quality, creation, protection, storage, re-use and re-setting) and maintenance.

(2) Passwords are the primary authentication credential used by the University's Information and Communication Technology (ICT) systems to verify the identity of individuals wanting to gain authorised access to ICT systems.

(3) Poor choice of passwords or poor password management may present unacceptable risk to staff, student and University information in the form of unauthorised disclosure or loss of integrity or information availability.

Scope

(4) This Procedure applies to all users including staff, students, visitors and associates of the University who:

  1. create and manage Passwords and/or PINs used to access the University's ICT systems for official University purposes;
  2. are responsible for managing a University ICT system account that supports or requires Passwords or PINs to access; and
  3. are responsible for systems that manage, transport and store University credentials used by individuals.

References

(5) This Procedure should be read in conjunction with:

  1. Information and Communications Technology Security Policy;
  2. Australian Government Department of Defence Information Security Manual 2016 Controls;
  3. Australian Access Federation Assurance Framework;
  4. Computing and Communications Facilities Use Policy;
  5. Data Security Classification Scheme;
  6. Misconduct - Student General Misconduct Rule; and
  7. Code of Conduct.
Top of Page

Section 2 - Glossary

(6) For the purpose of this Procedure:

  1. Budget Centre Manager - means the staff member with authority for a defined budget centre. Refer to the Delegations and Authorisations Policy.
  2. Applications Portfolio - means the University’s official register of application assets.
  3. Expired Password - means a password that cannot be used to authenticate because it has not been changed within the specified timeframe.
  4. Multi-factor Authentication - means the use of more than one authentication method for access to an application or system.
  5. Password - means a confidential string of characters used by individuals to allow access to a computer, ICT interface or system.
  6. Personal Identification Number (PIN) - means a secret number (usually four to six digits in length) known only to an individual. Used to confirm identity and gain access to an ICT system.
  7. Privileged Password - means an additional Password used by individuals or systems to authenticate access to administrative or higher level functions of an application or ICT system.
  8. Service Account Password - means a Password used by an account that an application or service uses to interact with an operating system, database or integration service and cannot be used for User or Privileged account functions.
  9. System or Application Custodian - means executive staff with recognised responsibility and ownership of University information or ICT assets as identified in the CSU Application Portfolio; or for non-registered systems, the primary Budget Centre Manager that has established the non-registered system.
  10. User - means staff, students, vendors, visitors, partners and associates of the University who access University ICT systems and services.
  11. Username - means a unique series of characters used to identify a user to allow access to a computer, ICT interface or system. Username is also sometimes referred to as login name.
  12. User Password - means a Password held by an individual to authenticate standard user access to a University application or ICT system.
Top of Page

Section 3 - Policy

(7) Refer to the Information and Communications Technology Security Policy.

Top of Page

Section 4 - Procedures

Responsibilities

(8) The Division of Information Technology is responsible for the provisioning, storage and management of centralised password datasets used for authentication to applications and ICT services listed in the University’s Applications Portfolio.

(9) Users are responsible for:

  1. Password creation, use and management, associated with University credentials; and
  2. Reporting any actual or suspected Password compromises to the IT Service Desk if staff or Student Central if a student.

(10) Application Custodians of systems not listed in the University’s Applications Portfolio or not using centralised authentication systems are required to comply with this Procedure regarding the provisioning, storage and management of password datasets used for authentication.

(11) Exemptions to this Procedure must be approved in writing from the Executive Director, Division of Information Technology.

(12) At the discretion of the Executive Director, Division of Information Technology, ICT systems that do not comply with this Procedure may be removed from operation until compliance can be demonstrated or exemption approved.

Password Strength

(13) All Passwords are classified as Highly Confidential as per the University’s Data Security Classification Scheme.

(14) User Password strength and complexity is based on the minimum requirements as defined by the Australian Access Federation Assurance Framework - Level 2.

(15) All User Passwords must be at least eight characters in length consisting of at least three of the following:

  1. lowercase alphabetic characters (a-z);
  2. uppercase alphabetic characters (A-Z);
  3. numeric characters (0-9); or
  4. special characters ($%#).

(16) Privileged and Service Account Password strength and complexity are based on the requirements as defined in the Australian Government Department of Defence Information Security Manual 2016 Controls.

(17) All Privileged and Service Account Passwords must be at least eleven characters in length consisting of at least three of the following:

  1. lowercase alphabetic characters (a-z);
  2. uppercase alphabetic characters (A-Z);
  3. numeric characters (0-9); or
  4. special characters ($%#).

(18) Passwords as part of Multi-factor Authentication must be a minimum of six alphabetic characters with no complexity requirement.

(19) Passwords must be difficult to guess and not be a single dictionary word.

(20) Passwords must not be the same as, or a variation of, the associated Username.

(21) Personal Identification Numbers (PIN) must be difficult to guess and not a repetition of the same digit.

(22) Passwords must be unique and not the same as Passwords used for non-University accounts such as personal social media accounts, personal emails accounts and online banking.

(23) ICT systems must be configured to enforce complexity and dictionary strength requirements.

(24) When ICT systems cannot be configured to enforce Password strength requirements, Passwords must be checked by alternative means to ensure compliance with this Procedure.

Password Changing

(25) To minimise disruption to services, Passwords should be changed prior to Password expiry.

(26) User Passwords must expire after 120 days.

(27) Privileged Passwords must expire after 90 days.

(28) Service Account Passwords must expire after 180 days.

(29) There is no Password expiry requirement for students, excepting those students who are Higher Degree Research (HDR) students with access to additional services and/or those who are also staff members. For these students User Password expiry requirements outlined in this Procedure apply.

(30) Passwords must not be re-used for six consecutive changes.

(31) Passwords cannot be changed by the authorised user more than twice a day.

Password Use and Storage

(32) Passwords and PINs are only to be used by an individual and must not be:

  1. shared with anyone under any circumstances; or
  2. written down or recorded in physical or clear text electronic format.

(33) If the confidentiality of a Password or PIN is in doubt, it must be changed immediately.

(34) If the confidentiality of a Password or PIN has been compromised, DIT will:

  1. lock the associated account;
  2. advise the credential holder; and
  3. manage the associated risk.

(35) The use, storage and/or transport of plain text Passwords is prohibited.

(36) Authentication systems must not store Passwords or PINs in a viewable or recoverable format.

(37) A record of all credential registration, history, status and revocation must be kept for seven years and six months after expiration or revocation (whichever is later).

Applications and Systems

(38) To facilitate compliance with this Procedure, the University's applications and systems must utilise centralised enterprise authentication systems where practical.

(39) Forgotten, expired or locked-out Passwords must be re-set and not recovered.

(40) Authentication mechanisms must disable User and Privileged Accounts for a period of 30 minutes after five consecutive failed authentication attempts and notify the account holder.

(41) Authentication mechanisms must disable and notify the owner of Service Accounts after two consecutive failed authentication attempts.

(42) Authentication mechanisms involving the use of passwords must use secure, strong encryption protocols in the transport of credential information.

(43) Applications must provide role management to allow one user to undertake the functions of another without the need to share Passwords.

(44) Failure to comply with this Procedure that occurs as a result of deliberate, malicious or negligent behaviour may result in disciplinary action as per the University's misconduct process.

Top of Page

Section 5 - Guidelines

(45) Nil.