Password standard policy
Policy
Intent and objectives
To establish password security controls appropriate for RMIT and which are to be implemented on any computer system providing an RMIT service.
To ensure that RMIT computer systems and network devices are configured with a minimum set of password controls.
To ensure that RMIT password controls provide an appropriate level of protection without hindering the work of students and staff.
To ensure that RMIT password controls will satisfy the expectations of the University’s internal and external auditors.
Scope
All computer systems and network devices that support an RMIT provided service and which use the combination of a username and a password for authentication, including:
- Systems developed or acquired by RMIT
- Systems developed for RMIT through outsourcing
- Systems that are hosted externally and which provide a service for RMIT
- Existing and new systems
- Production and Test environments
- User and non-user authentication. An example of the latter is when an application authenticates itself to a database
Examples of these systems are:
- RMIT network service (e.g. printer, server, email)
- RMIT business applications (e.g. EOL, SAP)
- RMIT database (e.g. Student database)
- Operating system that supports RMIT applications & databases (e.g. UNIX)
Exclusions
A dispensation process exists where compliance with this Standard cannot be met for valid business and/or technical reasons. Please refer to the RMIT Password Guidelines.
Provisions
This Standard prescribes the minimum password controls for RMIT information systems. Where a system owner believes that a stronger password control is necessary, such as requiring manual intervention to activate a disabled systems administrator account, then the system owner should implement the stronger control after discussing the impact with stakeholders.
At RMIT, passwords are used with three types of account:
1. Normal users
- Users of an application or system who do not require special administration/operational privileges.
2. Privileged users
- A user who, by virtue of function and/or seniority, has been allocated powers within the computer system significantly greater than those available to the majority of users. For example, a person who manages an application, database, system, or network device.
- Root, Admin and high level accounts necessary for the operation of the system are considered privileged accounts.
3. Service accounts
- Allocated to an application or system service, with special privileges. Not assigned to a person.
The password controls and settings for each type of account are listed in the following section.
Password controls
1. Minimum number of characters in a password
- Normal Users = 8 characters
- Privileged users = 8 characters
- Service Accounts = 12 characters
2. Maximum number of characters in a password
- Normal Users = 25 characters
- Privileged users = 25 characters
- Service Accounts = 25 characters
3. Password history
- Normal Users = 15 passwords
- Privileged users = 15 passwords
- Service Accounts = 15 passwords
4. Minimum password age
- Normal Users = 0 days
- Privileged users = 0 days
- Service Accounts = 0 days
5. Maximum password age
- Normal Users = 180 days
- Privileged users = 180 days
- Service Accounts = 365 days
6. Password Complexity
a. Normal Users and Privileged Users
- Passwords must contain characters from three of the following four categories:
  - English uppercase characters (A through Z).
  - English lowercase characters (a through z).
  - Numeral digits (0 through 9).
  - Special (non-alphanumeric) characters: ~!@#$%^*_-+=`|\(){}[]:;"'<>,./ (excluding & and ?, which are not supported by some systems)
Note: Cannot be one of your previous 15 passwords.
b. Service Accounts
- Password must contain at least one lowercase letter (a, b, c, … z)
- Password must contain at least one numeral (0, 1, 2, … 9)
- Password must contain at least one special character
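The length, complexity and history rules above (controls 1, 2, 3 and 6) can be enforced with a single validator. The following is an added example, not part of the RMIT standard or of any RMIT system. It assumes that the special-character set for service accounts is the same list given for normal and privileged users, that characters outside that list (including & and ?) are rejected so the password is portable across systems, and that previous passwords are kept as salted PBKDF2 hashes; the function and constant names are the example's own.

```python
import hashlib
import os
import string

# Special characters permitted by the standard; & and ? are left out as the standard notes.
SPECIALS = set("~!@#$%^*_-+=`|\\(){}[]:;\"'<>,./")

# (minimum length, maximum length) per account type, taken from controls 1 and 2.
LIMITS = {
    "normal": (8, 25),
    "privileged": (8, 25),
    "service": (12, 25),
}
HISTORY_DEPTH = 15          # control 3: the previous 15 passwords may not be reused
PBKDF2_ROUNDS = 100_000     # assumed work factor for the stored password history


def _categories(password):
    """Return the set of character categories present in the password."""
    cats = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.digits:
            cats.add("digit")
        elif ch in SPECIALS:
            cats.add("special")
        else:
            cats.add("other")   # not in any permitted category (assumed to be a violation)
    return cats


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 hash used for the password history (example scheme)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the password matches any of the last HISTORY_DEPTH (salt, digest) entries."""
    recent = list(history)[-HISTORY_DEPTH:]
    return any(hash_password(password, salt)[1] == digest for salt, digest in recent)


def check_password(password, account_type, history=()):
    """Return a list of violations of the standard; an empty list means compliant."""
    problems = []
    lo, hi = LIMITS[account_type]
    if len(password) < lo:
        problems.append(f"shorter than {lo} characters")
    if len(password) > hi:
        problems.append(f"longer than {hi} characters")

    cats = _categories(password)
    if "other" in cats:
        problems.append("contains a character outside the permitted set")
    if account_type == "service":
        # Control 6b: at least one lowercase letter, one digit and one special character.
        for needed in ("lower", "digit", "special"):
            if needed not in cats:
                problems.append(f"missing a {needed} character")
    else:
        # Control 6a: characters from at least three of the four categories.
        if len(cats - {"other"}) < 3:
            problems.append("fewer than three of the four character categories")

    if in_history(password, history):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real RMIT credentials.
    print(check_password("Rmit-Pass7", "normal"))        # []
    print(check_password("rmitpass7", "privileged"))     # two categories only
    print(check_password("svc-account-42!", "service"))  # []
    old = [hash_password("Rmit-Pass7")]
    print(check_password("Rmit-Pass7", "normal", old))   # reuse detected
```

A real deployment would read the history from the account store rather than a list, but the checks themselves are exactly the ones the standard lists, so the same function can serve as a pre-commit gate in a password-change workflow.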
7. Intruder Lockout
a. Normal Users
- Account is automatically disabled after 15 consecutive failed login attempts
- Consecutive failed logins must occur within 30 minutes for intruder detection to activate
- Login is disabled for 30 minutes. After the specified time elapses, the system re-enables login for the user account.
b. Privileged Users
- Account is automatically disabled after 15 consecutive failed login attempts
- Consecutive failed logins must occur within 60 minutes for intruder detection to activate
- Login is disabled for 60 minutes. After the specified time elapses, the system re-enables login for the user account.
c. Service Accounts
- Account is automatically disabled after 15 consecutive failed login attempts
- Consecutive failed logins must occur within 240 minutes for intruder detection to activate
- Login is disabled for 240 minutes. After the specified time elapses, the system re-enables login for the user account.
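Control 7 describes a count (15 consecutive failures), a detection window (30, 60 or 240 minutes depending on account type) and a lockout of the same duration, after which the account re-enables itself. The tracker below is an added example showing one way to implement that state machine; it is not RMIT code. It assumes a sliding detection window (failures older than the window no longer count towards the 15), that a successful login clears the failure run, and that time is passed in explicitly so the behaviour can be tested without waiting; the class and method names are the example's own.

```python
from collections import deque
from datetime import datetime, timedelta

MAX_FAILURES = 15
# Per account type: both the window in which the consecutive failures must occur
# and the time login stays disabled, in minutes (control 7).
WINDOW_MINUTES = {"normal": 30, "privileged": 60, "service": 240}


class IntruderLockout:
    """Tracks consecutive failed logins per account and enforces the lockout."""

    def __init__(self):
        self._failures = {}      # account -> deque of failure timestamps in the current run
        self._locked_until = {}  # account -> datetime at which login is re-enabled

    def is_locked(self, account, now):
        """True while the lockout is in force; expiry re-enables the account automatically."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lockout elapsed: re-enable login and forget the failure run.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, account_type, now):
        """Register a failed login; returns True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        window = timedelta(minutes=WINDOW_MINUTES[account_type])
        run = self._failures.setdefault(account, deque())
        run.append(now)
        # Assumption: sliding window, so failures older than the window drop out of the run.
        while run and now - run[0] > window:
            run.popleft()
        if len(run) >= MAX_FAILURES:
            self._locked_until[account] = now + window
            return True
        return False

    def record_success(self, account, now):
        """A successful login clears the run; returns False if login is currently disabled."""
        if self.is_locked(account, now):
            return False
        self._failures.pop(account, None)
        return True

    def failure_count(self, account):
        """Number of failures in the current run (for monitoring dashboards)."""
        return len(self._failures.get(account, ()))


if __name__ == "__main__":
    # Constructed scenario: one failure a minute against a normal user account.
    t0 = datetime(2024, 1, 1, 9, 0)
    tracker = IntruderLockout()
    for minute in range(15):
        locked = tracker.record_failure("alice", "normal", t0 + timedelta(minutes=minute))
    print("locked after 15 failures:", locked)                                  # True
    print("still locked at +20 min:", tracker.is_locked("alice", t0 + timedelta(minutes=20)))  # True
    print("re-enabled at +44 min:", not tracker.is_locked("alice", t0 + timedelta(minutes=44)))  # True
```

Because expiry is evaluated lazily in is_locked, no background job is needed to re-enable accounts; the audit trail for the detection is the sequence of record_failure calls, which is also what a SIEM rule for control 7 would alert on.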
8. User must change the initial password at first login before being granted entry
- Applicable for Normal Users and Privileged Users
- Not applicable for Service Accounts
9. Grace Logins
- Normal Users = 14 days prior to expiry
- Privileged users = 14 days prior to expiry
- Service Accounts = 14 days prior to expiry
Responsibilities
Owners of systems and applications that are to be acquired or developed are responsible for ensuring these controls are in place prior to live implementation, unless a written dispensation has been obtained from the Deputy Director, ICT Infrastructure Delivery.
Owners of legacy applications or systems that cannot comply with one or more of these password controls for technical or business reasons should submit a dispensation request to the Deputy Director, ICT Infrastructure Delivery supported by a risk-based justification.