Date Approved: May 22, 2020
Effective Date: May 22, 2020
Responsible Official: Chief Information Security Officer
Responsible Office: [U]Tech Information Security Office
Revision History: Version 2.1; Previous Version 2.0 dated January 12, 2020
Related legislation and University policies:
- Policy I-1 Acceptable Use of Information Technology (AUP)
- The CWRU Information Technology Strategic Plan 2016
Review Period: 3 Years
Date of Last Review: May 19, 2020
Related to: Faculty, Staff, Students, Alumni, affiliate account holders
Summary of this Policy:
Case Western Reserve University relies upon the use of university-provided credentials (CWRU Network ID and passphrase) to provide authentication for access to online university information technology (IT) resources. In particular, passphrases constitute the first line of a layered defense program, functioning as the 'keys' users have to gain access to university information and information technology systems. The potential for compromise of user authentication credentials leads to an elevated risk of compromise to the confidentiality, integrity, and availability of university IT systems and information. All users are bound by the Acceptable Use of Computing and Information Technology Resources Policy (AUP) to take appropriate measures, as described in this policy, to create and secure their passphrases.
Purpose of this Policy
The purpose of this policy is to establish minimum standards for protection, complexity (strength) and refresh interval for university passphrases. Individual users are responsible to protect their account credentials, and individual accountability and the principle of least privilege are applied in this policy.
Compromise: When anyone other than the assigned user knows the user's credentials.
Credentials: The combination of a Network User ID (e.g. abc123) and a passphrase.
Kerberos principal: underlying Network mechanisms in the IT authentication infrastructure that credentials use for authentication.
Multi-Factor Authentication (MFA): Sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows a user to present two pieces of evidence – user credentials – when logging in to an account. User credentials fall into any of these three categories: something you know (like a passphrase or PIN), something you have (like a smartphone with an MFA application), or something you are (like your fingerprint). The university has deployed a MFA feature to secure user account access.
Passphrase Complexity or Entropy: A measure of the resistance of a passphrase to automated, brute-force guessing attacks.
Passphrase lifetime: The time, in days, that a passphrase is in effect. A minimum passphrase lifetime of one day will mean that a user must wait until the next calendar day before it can be changed (a technical control to prevent passphrase 'recycling'). A maximum passphrase lifetime of 180 days, for example, is the time interval after which the passphrase must be changed.
Principle of Least Privilege: The practice of limiting access to the minimal level that will allow for normal functioning. This means we give people the lowest level of user rights that they can have and still do their faculty or teaching jobs or to function as required as students.
Policy conflict: When one policy counters another policy. For example, if localized requirements demand changing passphrases on a risk-based lifetime, this shorter time frame will take precedence.
System level passphrase: A passphrase used by Systems Administrators or other employees with elevated access privilege levels to university information systems. This definition includes root level and administrator level account credentials.
Managers and supervisors are responsible for implementation, adherence, and feedback regarding this policy.
All faculty, staff, students, alumni, and affiliates are responsible for the protection of their credentials. The standard which CWRU sets in this policy speaks to the university community in general about the importance of stewardship and protection of the confidentiality, integrity, and availability of CWRU systems and data.
NIST Special Publication 800-63B
NIST Passphrase Guidelines https://pages.nist.gov/800-63-3/
zxcvbn: Low-Budget Password Strength Estimation, 25th Usenix Security Symposium, 2016, https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_wheeler.pdf
All users of CWRU IT systems are individually assigned credentials (CWRU Network ID and passphrase) for the purpose of identification for access to online systems. In accordance with the CWRU Acceptable Use Policy, users are individually accountable for activities performed with their credentials.
Passphrases are to be protected and not shared with others.
Requirements for Passphrase Strength
Historically, passwords and passphrases have been easy to crack using brute-force guessing techniques unless certain passphrase complexity requirements have been imposed. CWRU will focus on a characteristic called passphrase complexity.
- Passphrases must pass complexity tests as a measure passphrase strength
- The minimum passphrase length shall be 12 characters
- While creating a new passphrase, the user will be given visual feedback on the complexity of the passphrase before it is permitted for use.
- Permitted passphrases must be deemed "OK" to "Excellent" as indicated by the complexity test (green status bar)
All production system level passphrases for Internal Use or Restricted data will be part of the University's centrally administered account management system and shall follow the guidelines set forth above.
*Restrictions: Passphrases should not contain the userID, the user's first or last name.
Passphrase Refresh (Age)
CWRU has Multi-Factor Authentication (MFA) available for university IT systems. Users who are enrolled to use MFA will are not required to change their passphrase on a timed basis.
For users without MFA, passphrases shall be changed annually to reduce the impact of disclosure due to undetected theft or the sharing of passphrases.
- All user-level passphrases (e.g. email, web, desktop computer, etc.) for users with access to Internal Use and Restricted information systems must be changed annually.
- Users may change their passphrase more frequently, or when they suspect their account may have been compromised.
- Minimum passphrase history is 5 to discourage passphrase re-use when mandatory changes are applied (such as in the case of an account compromise).
- The recommended minimum passphrase age is 1 day.
Upon turnover of staff (change of personnel, rotation of job duties, etc.) system level passphrases (e.g. admin, root, etc.) that are affected by such turnover will be changed within 7 days of the staff turnover. If extenuating circumstances exist, a risk-based decision will be coordinated between the appropriate Department Manager/Business Officer and the Information Security Office.
If the account credentials of a user or system are suspected to have been disclosed or otherwise compromised, the user shall immediately take steps to change and protect the passphrase from unauthorized use. When [U]Tech becomes aware of account credential compromise, notification by [U]Tech is made to the affected user. If a user suspects that his or her credentials may have been compromised, [U]Tech is to be advised as soon as is possible by contacting the CWRU Help Desk.
CWRU users shall not reuse their CWRU passphrases for other online or cloud-based applications or accounts (e.g. social media).
General Passphrase Protections for Network Logins
User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique passphrase from all other accounts held by that user.
All authentication mechanisms shall use encryption (e.g. SSL or TLS) to protect the login session.
Applications that request a user ID and passphrase shall not display the passphrase in the data entry field.
User social security numbers (SSN) shall not be part of any login credential (userID or passphrase).