GDL-3000.07A: Account Types and Passwords
GUIDELINE SUMMARY
Intended Audience: Information Technology Services (ITS) personnel responsible for creating accounts and password policies
Guideline Owner: Director of Information Security
All WWU employees have a unique account (“Western Account”) that serves as their primary identity. Users may have alternate accounts for performing privileged tasks, and systems may use service accounts for running services, automating tasks, and performing internal application functions. Account passwords have different requirements depending on their use. User accounts should never be shared between individuals.
Western Accounts
Western accounts are non-privileged. The passwords for non-privileged accounts must meet the following requirements:
- Be a minimum of 8 characters in length.
- Not contain the user’s name, User ID, or any form of their full name.
- Contain 3 of the following character types:
- Lowercase letter
- Uppercase letter
- Number
- Special character (e.g., !@#$%^&*?<>)
- Not consist of a single complete dictionary word but can include a passphrase.
- Be significantly different from the previous 24 passwords.
- Be forced to change after 183 days.
- Be configured to lock an account after 10 incorrect login attempts and stay locked for 30 minutes. Failed logon attempts can be reset after 30 minutes.
Privileged and Service Accounts
Passwords for privileged and service accounts must meet the following requirements:
- Be a minimum of 21 characters in length.
- Not contain the user's name, User ID, or any form of their full name.
- Contain 3 of the following character types:
- Lowercase letter
- Uppercase letter
- Number
- Special character (e.g., !@#$%^&*?<>)
- Not contain dictionary words.
- Be significantly different from the previous 24 passwords.
- Be configured to lock an account after 5 incorrect login attempts and stay locked for 30 minutes. Failed logon attempts can be reset after 15 minutes.
Privileged account passwords must meet the additional requirement:
- Be forced to change after 90 days.
For the complete guideline, click "Full Document" tab at top of page.
FULL DOCUMENT
Intended Audience: Information Technology Services (ITS) personnel responsible for creating accounts and password policies
Guideline Owner: Director of Information Security
1. Introduction
This guideline covers account types, naming conventions, and password requirements for controlling access to data, programs, and applications and the systems on which they reside such as workstations, servers, or network-attached devices.
2. Scope
This guideline applies to all ITS-managed data and information systems. Upon consultation with Western’s Director of Information Security, the following may be considered for exemption from this guideline: academic or research networks, or information systems that are not interconnected with covered Western networks or information systems.
3. Account Types and Passwords
OCIO 141.10: 6.1.2, 6.2
All Western Washington University (WWU) employees have a unique non-privileged account that serves as their primary identity. Many systems/applications utilize the Western identity for access, often providing a single sign-on experience. Some systems do not use the Western identity and have their own account databases (e.g., Banner). Users may have alternate accounts for performing privileged tasks; and systems may use service accounts for running services, automating tasks, and performing internal application functions. User account credentials should never be shared between individuals.
Username and password combinations should be classified as Confidential (Washington State Category 3) information. To protect a user’s identity, password requirements must be technically or procedurally enforced where possible. Passwords have different requirements depending on their use.
3.1 Non-privileged Accounts
OCIO 141.10: 6.2, 6.3.2.1
Passwords for non-privileged accounts must meet the following requirements:
- Be a minimum of 8 characters in length.
- Not contain the user’s name, User ID or any form of their full name.
- Contain 3 of the following character types:
- Lower case letter
- Upper case letter
- Number
- Special character (e.g., !@#$%^&*?<>)
- Not consist of a single complete dictionary word but can include a passphrase.
- Be significantly different from the previous 24 passwords.
- Be forced to change after 183 days.
- Be configured to lock an account after 10 incorrect login attempts and stay locked for 30 minutes. Failed logon attempts can be reset after 30 minutes.
3.1.1 Non-Privileged Account Naming Recommendation
ITS will enforce a naming convention on new accounts that may incorporate all or part of the user’s last name, their first initial, and an incremental number. ITS will provide an exception process for users who have a compelling reason to change their username.
3.2 Privileged and Service Accounts
OCIO 141.10: 6.2, 6.3.2.2, 6.3.2.3
Privileged accounts are used for device, system, database, and application administration. Examples are a switch administrator, an active directory domain admin, a server administrator, or an application security administrator. Service accounts are used to run system services or may be embedded in applications. Examples include the system accounts used to run a database or web server, or an account used by a web application to connect to a back-end database server.
Passwords for privileged and service accounts must meet the following requirements:
- Be a minimum of 21 characters in length.
- Not contain the user’s name, User ID, or any form of their full name.
- Contain 3 of the following character types:
- Lowercase letter
- Uppercase letter
- Number
- Special character (e.g., !@#$%^&*?<>)
- Not contain dictionary words.
- Be significantly different from the previous 24 passwords.
- Be configured to lock an account after 5 incorrect login attempts and stay locked for 30 minutes. Failed logon attempts can be reset after 15 minutes.
Privileged account passwords must additionally:
- Be forced to change after 90 days.
3.2.1 Managed Service Accounts Recommendation
When possible, Managed Service Accounts (MSAs) should be used. MSAs provide automatic password management and have potential other benefits, such as simplified service principal name (SPN) management and the ability to delegate the management to other administrators.
3.2.2 Privileged Account and Service Account Naming Recommendation
Privileged Active Directory Accounts for users follow the naming convention of username-a. Privileged Banner accounts use the naming convention BANSECR_username. Service accounts will be named to describe their service and function, with more detail provided in the description field of the accounts. For example:
Service Account: esignutil
Description: Esign attachment upload utility user
3.3 CJIS and PCI-DSS Accounts
OCIO 141.10: 6.2, 6.3.2.1, PCI-DSS 8.2.3-8.2.6, CJIS Security Policy 5.6.2
Accounts created for use with CJIS (Criminal Justice Information Services) and PCI-DSS (Payment Card Industry Data Security Standard) systems must meet the following requirements:
- Be a minimum of 14 characters in length.
- Not contain the user’s name, User ID, or any form of their full name.
- Contain 3 of the following character types:
- Lowe case letter
- Uppercase letter
- Number
- Special character (e.g., !@#$%^&*?<>)
- Not consist of a single complete dictionary word.
- Be significantly different from the previous 10 passwords.
- Be forced to change after 90 days.
- Be configured to lock an account after 4 incorrect login attempts and stay locked for 30 minutes. Failed logon attempts can be reset after 20 minutes.
3.4 Pass Codes for Mobile Devices
OCIO 141.10: 6.2(7)
Pass codes used to secure university-administered mobile devices must:
- Be a minimum of six alphanumeric characters.
- Contain at least three unique character classes. Pass codes such as 11111a or aaaaa4 are not acceptable.
- Not contain more than a three-consecutive-character run such as 12345a or abcde1.
3.4.1 Non-ITS Owned Device Pass Code Recommendation
The same pass code requirements used for university-administered mobile devices are recommended, but not required for devices that are either or both:
- Non-ITS owned.
- On networks isolated from administrative systems (e.g., guest wireless).
3.5 Passwords, PINs, and Pass Codes for Legacy Systems
OCIO 141.10: 6.2, 6.3.2.4
Some legacy systems will not support the ITS password, PIN, and Pass Code requirements as outlined in sections 3.1 - 3.4. For these systems, mitigating factors should be put in place, if possible, and those factors should be documented.
4. Auditing
OCIO 141.10: 6.1.4
To ensure system controls are effectively enforcing password policies, ITS must:
- Audit all password changes.
- Audit all changes to password policies.
- Periodically review audit logs.
5. Authority
- University Policy POL-U3000.07 - Securing Information Systems
- Washington State Office of the Chief Information Officer (OCIO) 141.10 – Securing Information Technology Assets Standards
- Payment Card Industry (PCI) - Data Security Standard
- Federal Criminal Justice Information Systems (CJIS) Security Policy
6. References
Change Log
Revised | Version | Author | Approver | Change |
---|---|---|---|---|
01/08/2021 | 1.0 | Beth Albertson | ITS Standards & Guidelines Committee | Original Version |