The University is committed to using strong passwords to protect our computing and networking resources.
This page is
simply a summary of this policy and wording should not be used in place of the official policy. For any clarification,
please contact the EITS Help Desk.
Click any statement to reveal the official text and commentary where available.
Expand All
View Printable Version
Scope
All user accounts issued by UGA or used to access UGA resources are bound by this
policy, including MyIDs, applications, servers, and workstations.
This policy applies to MyID and all other computing accounts provided to UGA
employees, staff, faculty, students, and other personnel employed by or
associated with the University. This policy is not limited to the Athens campus,
but applies to any access, remote or local, to any computing resources
administered by UGA.
Password Construction
Passwords must have at least eight characters, including letters, numbers, and
.
Words found in any dictionary should be avoided. Both upper and lower case letters
should also be used. A pass phrase, where the first letter of each word in a
phrase is used, may be helpful. Passwords should be easy for you to remember but hard to guess.
For further suggestions, visit the
Password Guideline.
Passwords must have a minimum of eight alphanumeric and special characters; if
a particular system will not support eight characters, then the maximum number of
characters allowed must be used. Passwords will not be composed of one or more
dictionary words in any language, human or artificial.
One method to create an easily remembered password is to base it upon the
first character of a phrase such as, "I Went Downtown To Buy 3 Items Today."
The password would be Iwdtb3iT. As this is a known password do not use it.
More password construction guidelines can be found in Appendix A of this
document, Password Guidelines.
Password Management
Passwords must be changed at least twice a year
Users must change their passwords at least twice (2x) per year with the new
password incorporating at least 3 changed characters.
Passwords should be memorized and not stored in an unsecured or unencrypted place,
such as in a desk drawer or a computer file. Do not allow unencrypted
computer applications to remember passwords.
- Passwords should be memorized.
- Passwords must not be stored in a manner which allows unauthorized access.
For example, writing the password down and attaching it to the monitor or placing
it in a desk drawer or under the keyboard is unacceptable.
- Passwords must not be remembered by unencrypted computer applications such
as email. Use of an encrypted password storage application is acceptable, although
extreme care must be taken to protect access to said application.
Computers must not be configured to login without a password.
Computers must not be configured to login without a password. Exceptions
may be granted for specialized devices such as kiosks which have extremely
restricted accounts. Whenever possible, computer labs should be designed to
authenticate each user individually for accountability purposes.
Use different passwords for UGA accounts than for personal, or non-UGA accounts.
Especially avoid passwords for accounts that do not use encrypted log in methods.
Users must change their passwords at least twice (2x) per year with the new
password incorporating at least 3 changed characters.
Never e-mail passwords, never request passwords in e-mail. Any written down
passwords should be locked up if stored, or destroyed once memorized.
Passwords must not be transferred or shared with others unless authorized to do so.
- Passwords must not be transferred electronically over the Internet
using insecure methods. Insecure methods include Post Office Protocol
(POP), Internet Mail Access Protocol (IMAP), File Transfer protocol
(FTP), Hyper-Text Transfer Protocol (HTTP), and Telnet.
- When it is necessary to disseminate passwords in writing, the recipient
will take measures to protect the written password from unauthorized access.
For example, after memorizing the password, one must destroy the written record.
- When transmitting a password orally, take measures to ensure that the
conversation is not overheard by unauthorized individuals.
Any password potentially disclosed or accessed through unauthorized means
must be changed promptly. Any passwords that change hands, such as new
accounts or existing accounts with new users, should also be changed.
If any of the following events occur, a password change will be mandatory:
- Unauthorized password discovery or usage by another person
- System compromise (unauthorized access to a system or account).
- Insecure transmission of a password, for example via email or instant
message. (Even an email transferred via secure Post Office Protocol (POP) or
Secure Internet Message Access Protocol (S-IMAP) could be compromised at the
Simple Mail Transport Protocol (SMTP) level or read while in your inbox
change the password anyway.)
- Accidental disclosure of password to an unauthorized person
- Replacement of account user with another individual requiring access
to the same account
- Password is provided to IT support staff in order to resolve a
technical issue (It is strongly recommended that IT support staff
request an end-user password as a last resort.)
- A password is provided to the end-user and the system administrator
knows the password. For example, the system administrator provides a new
account password or has to reset an account password.
System Administrators
When issuing passwords, make sure only the intended end-user knows it. Systems
must also be hardened against password cracking. Use automated methods against
brute force attacks and log all failed login attempts.
System administrators, or those serving that role, may need to create and
disseminate passwords to others. Whenever possible, use a method of password
creation that provides the password only to the intended end-user.
System administrators must harden their systems to deter password cracking:
- An automated method to mitigate brute force password attacks must be used.
For example, some systems will lock an account for a few minutes after several failed
login attempts, or detect where the attack is coming from and block further attempts
from that location, or at minimum alert the system administrator in real-time that
an attack is underway so that manual action can be taken.
- Logging must be set up to record all failed login attempts and preferably
successful attempts as well.
Application Developers
Applications should only use secure authentication methods, avoid password sharing,
and avoid storing passwords (especially in clear text).
- Application developers must develop applications using secure authentication
methods, whenever possible.
- Application developers should avoid creating applications which store passwords.
If password storage cannot be avoided, application developers must ensure that
applications do not store passwords in clear text or employ a readily decrypted
form.
- Applications should support unique logins. Additionally, role management
(e.g. system administrators, network administrators) should not require password
sharing.
Whenever capable, applications should use the UGA MyID and password for authentication,
instead of creating a unique ID. MyID logins must be properly encrypted. In cases
where MyID authentication is not possible, use existing services such as RACF or Kerberos.
Applications, whenever capable, should use the UGA MyID and its associated password for
authenticating a member of the UGA community instead of creating another unique ID or
username. Only use the MyID in a secure fashion, i.e., no unencrypted logins. In special
cases where the use of the MyID/Password is not a capability, use existing UGA
authentication services such as RACF or Kerberos.
Well known or public identification information must not be used as a password for
authentication. Ex: names, usernames, 810 or CAN, or SSN.
Applications must not use well known or publicly posted identification information
as a password for authentication. Names, usernames such as the MyID, and ID numbers
such as the 810 or CAN are all examples of identification information that should not
be used as a password in an application.
