Policy 7.6 Passwords and Other Authentication
SCOPE: FACULTY, STAFF, STUDENTS, AND GUESTS
1. POLICY STATEMENTS
1.1. Information resources residing at or administered by LIT are strategic and vital assets belonging to the people of Texas. Title 1, Part 10, Chapter 202, Texas Administrative Code, commonly known as TAC 202, requires LIT to appropriately manage access to these information resources.
1.2. LIT shall afford an individual access to these resources in a manner consistent with the individual’s institutional affiliations and roles. Individuals shall access these resources only as necessary to fulfill their institutional roles and always in compliance with established laws, regulations, policies, and controls.
2.1. This policy applies to all LIT information resources and to all individuals whose affiliation with LIT requires or permits their access to those resources, without regard to the manner, form, or location of access.
3.1. In general, information systems at LIT require the use of passwords or PINs for authentication of identity. Other authenticators, such as smart cards or biometrics, may also be used upon approval of the ISO.
3.2. Passwords and other authenticators shall be treated as confidential.
3.2.1. If there is any indication that the confidentiality of a password or PIN may not have been maintained, it shall be changed immediately.
3.2.2. Compromised passwords or other authenticators shall be reported to LIT Information Technology immediately upon discovery.
3.3. Initial passwords and other authenticators shall be distributed in a secure manner.
3.4. Where possible, information systems shall be configured to require a change of initial passwords or PINs at first logon.
3.5. Password repositories must store passwords only in one-way (hashed) form, using a salted password-hashing function, so that the original password cannot be recovered from the stored value. Reversible encryption of stored passwords does not satisfy this requirement.
3.6. Lost passwords or PINs shall be replaced with temporary ones which are required to be changed upon first login.
3.7. The identity of the account holder shall be verified prior to replacing or changing a password or other authenticator.
3.8. Passwords and other authentication credentials shall be protected in storage (as one-way hashes, per 3.5) and encrypted in transit. Temporary passwords issued for the purpose of creating a new password or changing a password are excepted from this requirement provided they are single-use passwords.
3.9. Based on risk assessment, certain information resources that contain sensitive or confidential information may require the use of two-factor authentication in which one factor is provided by a device separate from the computer gaining access.
3.10. Password change logs shall be maintained by custodians that issue passwords. The log entries should reflect the date and time of the password change, the User ID, and the information system associated with the changed password.
4. PASSWORD REQUIREMENTS – USER ACCOUNTS
All LIT information systems that require passwords shall be configured to enforce the minimum requirements in this section for user accounts.
4.1. Passwords must be case-sensitive.
4.2. Passwords must be at least eight (8) characters in length; longer passwords and passphrases are strongly encouraged.
4.3. Passwords must include at least one character from at least three (3) of the following character sets:
• Uppercase characters (A…Z)
• Lowercase characters (a…z)
• Numeric characters (0…9)
• Special characters or symbols (e.g. !, @, #, $, %, ^, -, _)
4.5. Passwords may not include the associated User ID or the user’s first or last name.
4.6. Passwords cannot have been used previously with the associated User ID.
4.7. Passwords must be changed every 180 days. Systems administrators and custodians may require more frequent password changes, based on risk assessment.
4.8. Information systems shall be configured to enforce password expiration.
4.9. In the event that a legacy or administrative system is incapable of meeting all requirements for user passwords, alternative mitigating security controls shall be implemented in place of these requirements with approval from the ISO.
5. PASSWORD REQUIREMENTS – SERVICE ACCOUNTS
All LIT information systems that use service accounts with passwords shall be configured to enforce the minimum requirements in this section.
5.1. Passwords must be randomly generated.
5.2. Passwords must be at least 20 characters in length.
5.3. Passwords must include at least one character from at least three (3) of the following character sets:
• Uppercase characters (A…Z)
• Lowercase characters (a…z)
• Numeric characters (0…9)
• Special characters or symbols (e.g. !, @, #, $, %, ^, -, _)
5.4. Passwords meeting the requirements in this section do not expire unless the confidentiality of the password is in question or an individual knowing the password no longer has job duties requiring knowledge of the password.
5.5. In the event that the information system is incapable of meeting these requirements, its service-account passwords must meet the requirements for user passwords in Section 4, and must expire after no more than one year.
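As an added illustration, not part of the LIT policy text, the following Python shows how the Section 4 user-account rules and the Section 5 service-account rules can be enforced in code, together with the one-way hashed storage that 3.5 requires and that the 4.6 reuse check depends on (old passwords are compared against stored hashes, never kept in cleartext). The function names, the PBKDF2 parameters, the case-insensitive name match in 4.5, and the reading of "special characters" as any printable non-alphanumeric character are this example's own assumptions, not the policy's.

```python
"""Added example (not LIT policy text): enforcing Sections 3.5, 4 and 5 in code."""
import hashlib
import hmac
import secrets
import string

UPPER, LOWER, DIGITS = set(string.ascii_uppercase), set(string.ascii_lowercase), set(string.digits)
ALNUM = UPPER | LOWER | DIGITS
SALT_LEN = 16
PBKDF2_ITERATIONS = 200_000  # assumption: tune for your hardware; higher is better


def character_classes(password: str) -> int:
    """Count how many of the four 4.3 character sets appear in password."""
    chars = set(password)
    classes = sum(1 for cls in (UPPER, LOWER, DIGITS) if chars & cls)
    if chars - ALNUM:  # assumption: any non-alphanumeric character counts as a symbol
        classes += 1
    return classes


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """One-way, salted record for the password repository (3.5).

    Returns salt || PBKDF2-HMAC-SHA256 digest. The password cannot be
    recovered from this value, which is what 'one-way' means in practice.
    """
    salt = salt or secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time check of a candidate against a stored salt||digest record.

    Comparison is byte-exact, so passwords are case-sensitive as 4.1 requires.
    """
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_user_password(password, user_id, first_name, last_name, history=()):
    """Return the Section 4 rules a candidate violates (empty list = acceptable).

    history holds earlier hash_password() records for this User ID, so the
    4.6 reuse check works without retaining any old cleartext password.
    """
    violations = []
    if len(password) < 8:
        violations.append("4.2: fewer than 8 characters")
    if character_classes(password) < 3:
        violations.append("4.3: fewer than three character sets")
    lowered = password.lower()  # assumption: names are matched case-insensitively
    for label, value in (("User ID", user_id), ("first name", first_name), ("last name", last_name)):
        if value and value.lower() in lowered:
            violations.append(f"4.5: contains the {label}")
    if any(verify_password(password, old) for old in history):
        violations.append("4.6: previously used with this User ID")
    return violations


def generate_service_password(length: int = 20) -> str:
    """Randomly generated service-account password satisfying 5.1 to 5.3."""
    if length < 20:
        raise ValueError("5.2 requires at least 20 characters")
    alphabet = string.ascii_letters + string.digits + "!@#$%^-_"  # symbols named in 4.3
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if character_classes(candidate) >= 3:  # 5.3; redraw the rare one-class result
            return candidate


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    old_record = hash_password("Winter2023!")
    print(check_user_password("Winter2023!", "jdoe", "Jane", "Doe", history=[old_record]))
    print(check_user_password("Summer2024", "jdoe", "Jane", "Doe"))
    print(generate_service_password())
```

Custodians issuing passwords would additionally write the 3.10 change-log entry (date and time, User ID, information system) alongside the stored record; that logging is deliberately left out of the example above since it is site-specific.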
6. AUTHORITY AND RESPONSIBILITY
Questions related to this policy should be addressed to the IRM at firstname.lastname@example.org.