II-2 University Passphrase Policy (FINAL DRAFT)

Overview

Version 2.0 (FINAL DRAFT)
Last Revision Date: July 6, 2017
Approval Date: January 12, 2018
Approval Authority: CWRU Chief Information Security Officer

Purpose

The purpose of this policy is to establish minimum standards for protection, complexity (strength) and refresh interval for university passphrases. Individual users are responsible to protect their account credentials, and individual accountability and the principle of least privilege are applied in this policy.

Coordination with Other Policies and Procedures

The CWRU Information Technology Strategic Plan 2016

Policy I-1 Acceptable Use of Information Technology (AUP)

References

NIST Special Publication 800-63B

NIST Passphrase Guidelines

Cancellation

This policy cancels and replaces these policies:
III-2 Case UTech Password Change Policy
III-2a University Password Change Policy

Policy Statement

General

Case Western Reserve University relies upon the use of university-provided credentials (CWRU Network ID and passphrase) to provide authentication for access to online university information technology (IT) resources. In particular, passphrases constitute the first line of a layered defense program, functioning as the 'keys' users have, to gain access to university information and information systems. The potential for compromise of user authentication credentials leads to an elevated risk of compromise to the confidentiality, integrity, and availability of university IT systems and information. All users are bound by the Acceptable Use of Computing and Information Technology Resources Policy (AUP) to take appropriate measures, as described in this policy, to create and secure their passphrases.

Policy

Individual Accountability

All users of CWRU IT systems are individually assigned credentials (CWRU Network ID and passphrase) for the purpose of identification for access to online systems. In accordance with the CWRU Acceptable Use Policy, users are individually accountable for activities performed with their credentials. Passphrases are to be protected and not shared with others.

Requirements for Passphrase Strength

Longer passphrases are inherently more secure because it takes an attacker longer to guess them when employing brute force tools.

  • Passphrases must be a minimum of 16 characters in length
  • The maximum passphrase length is 127 characters
  • A combination of any two of the following conditions is suggested*
    • Lower case
    • Upper case
    • Numbers
    • Special Characters, including spaces
  • Random word sequences are optimal, given that they are easy to remember. For example, "correct horse battery staple" would be a compliant passphrase
  • Password entropy tests will be performed to ensure password strength

All production system level passphrases for Internal Use or Restricted data will be part of the University’s centrally administered account management system and shall follow the guidelines set forth above.

*Restrictions: Passphrases may not contain the userID, the user’s first or last name, or the user’s social security number.
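As an added illustration that is not part of this policy or of any CWRU system, the following Python checker encodes the strength rules above: the 16/127 length limits as hard failures, the suggested two-of-four character-class rule as an advisory warning, and the userID, name and SSN restrictions as hard failures. Case-insensitive matching of the userID and names, and all function names, are assumptions of this example.

```python
import re

# Constructed example implementing the strength rules stated in this policy.
MIN_LEN = 16    # "minimum of 16 characters in length"
MAX_LEN = 127   # "maximum passphrase length is 127 characters"

# The four character classes the policy lists; spaces count as special characters.
CHAR_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def digits_only(text):
    """Strip everything but digits so an SSN matches with or without dashes."""
    return re.sub(r"\D", "", text or "")


def check_passphrase(passphrase, user_id, first_name, last_name, ssn=None):
    """Return (compliant, violations, warnings) for a candidate passphrase.

    Violations are hard failures under the policy; warnings cover the
    'suggested' two-of-four character-class rule, which is advisory only.
    userID and name matching is case-insensitive (an assumption; the policy
    text does not specify case handling).
    """
    violations, warnings = [], []
    length = len(passphrase)
    if length < MIN_LEN:
        violations.append(f"too short: {length} < {MIN_LEN}")
    if length > MAX_LEN:
        violations.append(f"too long: {length} > {MAX_LEN}")

    present = [name for name, pat in CHAR_CLASSES.items() if pat.search(passphrase)]
    if len(present) < 2:
        found = present[0] if present else "none"
        warnings.append(f"only one character class present ({found}); two are suggested")

    lowered = passphrase.lower()
    for label, value in (("userID", user_id), ("first name", first_name), ("last name", last_name)):
        if value and value.lower() in lowered:
            violations.append(f"contains {label}")

    ssn_digits = digits_only(ssn)
    if ssn_digits and ssn_digits in digits_only(passphrase):
        violations.append("contains social security number")

    return (not violations, violations, warnings)
```

The policy's own example, "correct horse battery staple", passes with no warnings because it contains two classes (lower case and spaces, which count as special characters).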

Passphrase Refresh (Age)

CWRU has Multi-Factor Authentication (MFA) available for university IT systems. Users who are enrolled to use MFA are not required to change their passphrase on a timed basis.

For users without MFA, passphrases shall be changed annually to reduce the impact of disclosure due to undetected theft or the sharing of passphrases.

  • All user-level passphrases (e.g. email, web, desktop computer, etc.) for users with access to Internal Use and Restricted information systems must be changed annually.
  • Users may change their passphrase more frequently, or when they suspect their account may have been compromised.
  • Minimum passphrase history is 5 to discourage passphrase re-use when mandatory changes are applied (such as in the case of an account compromise).
  • The recommended minimum passphrase age is 1 day.

Upon turnover of staff (change of personnel, rotation of job duties, etc.) system level passphrases that are affected by such turnover will be changed within 7 days of the staff turnover. If extenuating circumstances exist, a risk-based decision will be coordinated between the appropriate Department Manager/Business Officer and the Chief Information Security Officer.

If the account credentials of a user or system are suspected to have been disclosed or otherwise compromised, the user shall immediately take steps to change and protect the passphrase. When [U]Tech becomes aware of account credential compromise, [U]Tech notifies the affected user. If a user suspects that his or her credentials may have been compromised, [U]Tech is to be advised as soon as possible by contacting the CWRU Help Desk.

Passphrase Reuse

CWRU users shall not reuse their CWRU passphrases for other online or cloud-based applications or accounts (e.g. social media).

General Passphrase Protections for Network Logins

User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique passphrase from all other accounts held by that user.

All authentication mechanisms shall use encryption (e.g. SSL or TLS) to protect the login session.

Applications that request a user ID and passphrase shall not display the passphrase in the data entry field.

User social security numbers (SSN) shall not be part of any login credential (userID or passphrase).

Responsibility

Managers and supervisors are responsible for implementation, adherence, and feedback regarding this policy.

All faculty, staff, students, alumni, and affiliates are responsible for the protection of their credentials. The standard which CWRU sets in this policy speaks to the university community in general about the importance of stewardship and protection of the confidentiality, integrity, and availability of CWRU systems and data.

Definitions

Compromise: When anyone other than the assigned user knows the user’s credentials.

Credentials: The combination of a Network User ID (e.g. abc123) and a passphrase.

Kerberos principal: The underlying Network mechanisms in the IT authentication infrastructure that credentials use for authentication.

Multi-Factor Authentication (MFA): Sometimes referred to as two-factor authentication or 2FA, a security enhancement that requires a user to present two pieces of evidence (user credentials) when logging in to an account. User credentials fall into any of these three categories: something you know (like a passphrase or PIN), something you have (like a smartphone with an MFA application), or something you are (like your fingerprint). The university has deployed an MFA feature to secure user account access.

Passphrase Entropy: A measure of the resistance of a passphrase to automated, brute-force guessing attacks.

Passphrase lifetime: The time, in days, that a passphrase is in effect. A minimum passphrase lifetime of one day means that a user must wait until the next calendar day before changing it again (a technical control to prevent passphrase 'recycling'). A maximum passphrase lifetime of 180 days, for example, is the time interval after which the passphrase must be changed.

Principle of Least Privilege: The practice of limiting access to the minimal level that will allow for normal functioning. This means people are given the lowest level of user rights that still lets them do their faculty or teaching jobs, or function as required as students.

Policy conflict: When one policy counters another policy. For example, if localized requirements demand changing passphrases on a 30 day maximum passphrase lifetime, this shorter time frame will take precedence over the 180 day requirement.

System level passphrase: A passphrase used by Systems Administrators or other employees with elevated access levels to university information systems. This definition includes root level and administrator level account credentials.

Standards Review Cycle

This standard will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.