I:03:09 Implementation of Secure Passwords

I. PURPOSE

The purpose of this policy is to ensure the security and confidentiality of network login passwords to MTSU's information systems. It applies to all University students, staff, faculty, alumni, and other individuals associated with the University who require access to the University's information systems.

This policy is designed to provide clear guidance for the creation and maintenance of network access passwords. This policy covers network logins for the FSA network domain and the PipelineMT login server.

II. POLICY DEVELOPMENT AND MAINTENANCE

This policy was drafted by the Office of the CIO within the Information Technology Division. The Office of the CIO shall review it at least annually and submit any revisions for approval.

III. SCOPE

This policy applies to all University students, faculty and staff, affiliates, third-party support contractors, and all others granted access to MTSU information assets through an FSA domain account or PipelineMT login server account.

IV. PROCEDURE

Good, strong passwords help secure the MTSU computer network. Without them, networked computers can be compromised, and a single compromised account or machine gives an attacker a foothold from which the MTSU network and all other connected machines can be attacked. The ITD Help Desk will assist network users with the creation and maintenance of their network logins.

A. Mandatory Requirements: Listed below are the mandatory requirements and guidelines you must follow when selecting an FSA domain or PipelineMT login server password:

1. Password must be changed at least annually.

2. Minimum password length is 8 characters (can contain more).

3. Passwords must not match your user name (example: jsmith01).

4. Passwords must not match your name (example: Jacksmith).

5. Passwords cannot use the words MTSU, password, change, or temporary.

6. Passwords must contain THREE out of the following FOUR items:

a. At least 1 uppercase character

b. At least 1 lowercase character

c. At least 1 numeric digit

d. At least 1 special character (examples: #, %, {, ?, +).

B. Recommended Best Practices: In addition to the requirements list above, the following are also strongly recommended:

1. Passwords should never be shared, written down, or e-mailed to others.

2. Passwords should be easy to remember (for you, not others!). The temptation to use loved ones' names, birthdays and anniversaries is great. But "easy to remember" can also become "easy to guess." And, in a world where hackers use sophisticated software to crack passwords, an easy password is an open invitation. The challenge is to create something that is memorable for you but tough for others to decipher.

3. A password should be changed whenever there is a chance it has been compromised. FSA domain and PipelineMT login server passwords will be changed at least once per year, and should be changed immediately if there is any possibility that someone else has seen or heard the password.

4. Don't use keyboard patterns. Some people choose passwords that meet the complexity requirements but are built by typing adjacent keys in sequence. An example is 1qaz!QAZ: it is constructed by typing one column of four keys, then typing the same four keys again with the <SHIFT> key held down. Such patterns are now part of standard dictionary attack wordlists, so don't be tempted to use them.
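The mandatory rules in IV.A and the keyboard-pattern warning in IV.B.4 can be expressed as one check. The following Python is an added illustration, not MTSU's own validation code for the FSA domain or the PipelineMT login server; the exact matching rules those systems apply (whether banned words are matched as substrings, how "your name" is compared) are assumptions, and the sample account jsmith01 / Jack Smith is constructed from the policy's own examples.

```python
import string

# Words the policy forbids inside a password (IV.A.5). They are matched
# case-insensitively as substrings; the policy does not say whether the live
# systems match whole words or substrings, so substring matching (the
# stricter reading) is an assumption.
BANNED_WORDS = ("mtsu", "password", "change", "temporary")
MIN_LENGTH = 8            # IV.A.2
CLASSES_REQUIRED = 3      # IV.A.6: three of the four classes

# Shifted digit-row symbols mapped back to their unshifted keys, so that
# "!QAZ" normalises to "1qaz" and the pattern described in IV.B.4 is caught.
_UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")
# Rows and columns of a US QWERTY keyboard. A run of keys read left to right,
# right to left, top to bottom or bottom to top is treated as a pattern.
_KEY_RUNS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]


def character_classes(pw):
    """Return the set of character classes present in pw (IV.A.6 a-d)."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:   # '#', '%', '{', '?', '+', etc.
            classes.add("special")
    return classes


def mandatory_violations(pw, username, full_name):
    """List every mandatory requirement (IV.A.2 to IV.A.6) that pw breaks.

    An empty list means the password is acceptable under section IV.A.
    The annual-change rule (IV.A.1) is a lifecycle rule, not a property of
    the string, so it is not checked here.
    """
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lowered == username.lower():
        problems.append("matches user name")
    # The policy's example 'Jacksmith' implies the name is compared with
    # spaces removed and case ignored (assumption).
    if lowered == full_name.replace(" ", "").lower():
        problems.append("matches your name")
    for word in BANNED_WORDS:
        if word in lowered:
            problems.append("contains banned word '%s'" % word)
    if len(character_classes(pw)) < CLASSES_REQUIRED:
        problems.append("fewer than %d of the 4 character classes"
                        % CLASSES_REQUIRED)
    return problems


def has_keyboard_pattern(pw, run_length=4):
    """True if pw contains run_length consecutive keys that lie in a
    straight line on the keyboard (IV.B.4), ignoring the shift state."""
    norm = pw.lower().translate(_UNSHIFT)
    for i in range(len(norm) - run_length + 1):
        chunk = norm[i:i + run_length]
        for run in _KEY_RUNS:
            if chunk in run or chunk in run[::-1]:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample account, not a real MTSU user.
    for candidate in ("I-love-my-mother", "jsmith01", "Password1", "1qaz!QAZ"):
        print(candidate,
              mandatory_violations(candidate, "jsmith01", "Jack Smith") or "OK",
              "(keyboard pattern)" if has_keyboard_pattern(candidate) else "")
```

Note that 1qaz!QAZ passes every mandatory rule (eight characters, all four classes, no banned word), which is exactly why the pattern check in IV.B.4 is needed on top of the composition rules.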

V. TIPS FOR CREATING STRONG PASSWORDS

While complexity is important, length is also a key component. A password that meets the complexity requirements, is long, and is not simply a dictionary word with a few substitutions is unlikely to fall to a standard dictionary-based tool; the attacker must fall back on brute force, and every additional character multiplies the work. One caveat: cracking tools can also combine entries from word lists, so a phrase built entirely from common words with a predictable separator is weaker than its length alone suggests. Here are some examples of complex passwords that are long, yet easy to remember.

I-love-my-mother [this password has an uppercase letter, a lowercase letter, and a symbol (the dash)]

Exceptional...mediocrity [the capital letter, lower case, and the dots meet the complexity requirements]

4score&sevenyearsago [the numeric digit, lower case, and the ampersand meet the complexity requirements]

If you want an estimate of your password's strength (a score based on its length and character mix), go to this website: http://www.passwordmeter.com/

If you want an estimate of how long it would take to crack your password by brute force, go to this website: https://www.grc.com/haystack.htm

Do not type an actual password into any third-party website (see IV.B.1); test a password of the same length and construction instead. The first example, I-love-my-mother, gains a 100% score of Very Strong at the Password Meter, and the Haystack calculator reports that it would take at least 23.89 million centuries to crack using a massive array of computers. That's a pretty good password against exhaustive search. Keep in mind that both tools assume an attacker trying every possible character combination, so they overstate the strength of a password assembled from common words.
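To make the length argument concrete, the following added Python example (not part of the original policy, and not the calculation either website performs) computes the search space for an exhaustive brute-force attack at several lengths and, for comparison, the far smaller space an attacker searches when the passphrase is assembled from common dictionary words. The guess rate of 1e10 per second, the 10,000-word dictionary and the 16 separator/capitalisation variants are assumptions chosen for illustration.

```python
import math

# Assumed attacker throughput. 1e10 guesses per second is a constructed
# figure in the range of a GPU rig against a fast, unsalted hash; real
# rates depend on how the target system stores its passwords.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95      # alphabet size for a full brute-force search


def brute_force_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Bits of search space for an exhaustive attack over every string of
    `length` characters drawn from `alphabet_size` symbols
    (log2 of alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def word_combination_bits(word_count, dictionary_size, variants=1):
    """Bits of search space when the attacker instead guesses the password
    as `word_count` words from a `dictionary_size`-word list joined with a
    separator, trying `variants` separator/capitalisation choices."""
    return word_count * math.log2(dictionary_size) + math.log2(variants)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case years needed to try every candidate at `rate` guesses/s."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


def passphrase_estimates(passphrase, separator="-",
                         dictionary_size=10_000, variants=16):
    """Return (brute-force bits, word-combination bits) for a passphrase
    built from dictionary words, e.g. 'I-love-my-mother' from section V."""
    words = passphrase.split(separator)
    return (brute_force_bits(len(passphrase)),
            word_combination_bits(len(words), dictionary_size, variants))


if __name__ == "__main__":
    for length in (8, 12, 16):
        bits = brute_force_bits(length)
        print("%2d printable chars: %5.1f bits, %.3g years to exhaust"
              % (length, bits, years_to_exhaust(bits)))
    brute, combo = passphrase_estimates("I-love-my-mother")
    print("I-love-my-mother: brute force %.1f bits (%.3g years); "
          "four common words %.1f bits (%.3g years)"
          % (brute, years_to_exhaust(brute), combo, years_to_exhaust(combo)))
```

Under these assumptions an 8-character password is exhausted in days while a 16-character one takes on the order of 1e14 years, which is the policy's point about length. The same 16-character phrase, when guessed as four common words, drops to roughly 57 bits and well under a year, which is why the policy tells you not to reuse its examples and to make your own combination unpredictable.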

However, please don't use these examples (or very close approximations) for your password. Create your own password using some or all of the techniques to ensure that it is truly unique.

Revisions: January 17, 2013 (original).