Information Security Password Standard

Purpose

This document outlines the password standard that protects University of Guelph systems and data, while at the same time allowing the University to accomplish its teaching and learning objectives. As passwords are the primary mechanism used to protect systems and applications, this document describes the University’s requirements for password complexity and proper management practices to reduce the risk of password tampering, theft, and misuse. It is expected that all members of the University of Guelph community will abide by these standards.

The standards and guidelines below apply to all account holders (students, staff, and faculty) unless otherwise indicated.
Password Best Practices for All Account Holders

Account holders must protect the security of their account passwords by managing them in a responsible and secure manner. Below are some best practices for password selection and management.

  • A good password has the following properties:
    • It is easy to remember;
    • It is long and complex enough to resist automated guessing and brute-force attacks; and
    • It is only used for a single purpose or service.
  • Your University central login account password should never be shared or revealed to anyone, by any means. Supervisors and CCS will never ask you for it. 
  • You should consider using a password manager application to generate, organize, and store all your passwords. For additional information, visit Information Security's guide to password managers.
  • Modern web browsers offer the ability to remember passwords for websites. Information Security strongly recommends disabling this feature in your browser, as there are known methods of exploiting it that could put your accounts at risk. For example, this feature can be disabled in Chrome by following this support article.
  • If you detect any unusual activity on your account or system, change your password immediately and notify the CCS Help Centre (Ext. 58888 or IThelp@uoguelph.ca).
Password Complexity

A complex password lowers the risk of the password being guessed or cracked by someone with malicious intent. In general, a password's strength will increase with length and by adding additional complexity.

The minimum password complexity requirements for University of Guelph central login accounts are as follows:

  1. Password length must be between 10 and 30 characters.
  2. Passwords must contain characters from at least three of the following four character sets:
    • English lowercase letters (a-z)
    • English uppercase letters (A-Z)
    • Numbers (0-9)
    • Special characters including $ ( ) ! + - _ . = { } (the following special characters are not allowed: < > ' " ; , @ \ % & `)
  3. Passwords should not contain identifying information such as central login ID, first name, last name, date of birth, student number, employee number, or Open Learning Program (OLP) number.
  4. Passwords must not contain dictionary words.
  5. Previous account passwords should never be reused.

Increased password length and complexity are required for administrative accounts with elevated privileges.
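The rules above can be applied mechanically at password-change time. The following checker is an added example, not code from the University of Guelph or CCS; the word list, the account details, and the password history are constructed sample data, and it assumes that the listed special characters are the complete set permitted (anything outside the four sets is reported). The `min_len` and `min_sets` parameters let the same checker enforce the stricter profile the standard asks for on administrative accounts.

```python
import string
from dataclasses import dataclass, field

ALPHANUM = set(string.ascii_letters + string.digits)
ALLOWED_SPECIAL = set("$()!+-_.={}")       # special characters the standard permits
FORBIDDEN_SPECIAL = set("<>'\";,@\\%&`")   # special characters the standard forbids
# Constructed stand-in for a real word list; a deployment would load a full dictionary.
DICTIONARY = {"password", "guelph", "gryphon", "welcome", "summer", "winter", "qwerty"}


@dataclass
class AccountInfo:
    """Identifying data a password must not contain (constructed sample fields)."""
    login_id: str
    first_name: str
    last_name: str
    student_number: str = ""
    date_of_birth: str = ""            # ISO form, e.g. "1999-04-21"
    # Constructed: a real system keeps only hashes of old passwords and
    # compares by verifying the candidate against each of them.
    previous_passwords: list = field(default_factory=list)

    def identity_fields(self):
        digits_dob = "".join(ch for ch in self.date_of_birth if ch.isdigit())
        return [("login_id", self.login_id), ("first_name", self.first_name),
                ("last_name", self.last_name), ("student_number", self.student_number),
                ("date_of_birth", self.date_of_birth), ("date_of_birth", digits_dob)]


def check_password(pw, info, min_len=10, max_len=30, min_sets=3):
    """Return a list of rule violations; an empty list means the password complies."""
    problems = []
    if not (min_len <= len(pw) <= max_len):
        problems.append(f"length must be between {min_len} and {max_len} characters")
    forbidden = sorted({c for c in pw if c in FORBIDDEN_SPECIAL})
    if forbidden:
        problems.append("contains disallowed characters: " + " ".join(forbidden))
    # Assumption: the listed special characters are the complete permitted set,
    # so spaces and non-ASCII characters are reported as well.
    other = sorted({c for c in pw if c not in ALPHANUM | ALLOWED_SPECIAL | FORBIDDEN_SPECIAL})
    if other:
        problems.append("contains characters outside the permitted sets: "
                        + " ".join(repr(c) for c in other))
    sets_used = sum([
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in ALLOWED_SPECIAL for c in pw),
    ])
    if sets_used < min_sets:
        problems.append(f"uses {sets_used} of the 4 character sets (need at least {min_sets})")
    low = pw.lower()
    for label, value in info.identity_fields():      # case-insensitive substring check
        if value and value.lower() in low:
            problems.append(f"contains identifying information ({label})")
    words = sorted(w for w in DICTIONARY if w in low)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    if pw in info.previous_passwords:
        problems.append("reuses a previous password")
    return problems


def is_compliant(pw, info, **limits):
    return not check_password(pw, info, **limits)


if __name__ == "__main__":
    # Constructed account holder; "Kq7-vR2!mZp8" is a previous password.
    jane = AccountInfo("jsmith", "Jane", "Smith", "0912345", "1999-04-21", ["Kq7-vR2!mZp8"])
    for candidate in ["Kq7-vR2!mZp9", "jsmith2024!!", "Gryphon2024!", "Pass<word>1x"]:
        print(candidate, check_password(candidate, jane) or "OK")
    # Stricter profile for a privileged account (14+ characters, all four sets):
    print(check_password("Kq7-vR2!mZp9", jane, min_len=14, min_sets=4))
```

Each violation is reported separately so the user sees every rule they failed in one round trip rather than fixing them one at a time; in production the dictionary substring check should be backed by a real word list and the reuse check by verifying the candidate against stored hashes of earlier passwords.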
Password Expiry

While University of Guelph passwords do not currently expire, Information Security recommends that users change their University password once per year. IT Administrators or those with additional access to sensitive or confidential information should change their password more frequently, such as every 6 months.
Account Locking

Central Login Accounts are temporarily locked after a number of failed login attempts to prevent brute-force password attacks.

In accordance with the University of Guelph Acceptable Use Policy, the Information Security team monitors internal systems and external threat intelligence sources for signs of malicious activity and will lock accounts under certain circumstances. For example, if an account holder uses their University of Guelph email address to register for an online service and that service provider suffers a data breach, the University account may be locked to prevent unauthorized access. For this reason, Information Security advises against using your University email address with services that are for personal use and/or not related to your University work or studies.

At any time, if you suspect that someone else has learned your password or has accessed your account, you should change your password immediately and contact the CCS Help Centre (Ext. 58888 or IThelp@uoguelph.ca).
Shared Organizational Accounts (Staff)

Shared accounts should be used only when absolutely necessary. There are typically more secure methods available to solve a business need without the use of an account with a shared password. For example, in lieu of sharing the password to a departmental mailbox, delegation should be used to provide access to those who require it. The use of a shared account for any online activities creates issues for accountability and audit.

Accounts used by more than one individual, such as organizational accounts, must have a clearly identified owner and must follow the password standard. It is further recommended that passwords for these accounts are created using greater complexity and are changed whenever there are staffing changes. Owners of such accounts are strongly encouraged to use a password manager tool to provide additional security and auditability, to keep an accurate inventory, and to create complex and unique passwords.

For questions about shared accounts or to explore other available options, contact the CCS Help Centre (Ext. 58888 or IThelp@uoguelph.ca).
Requirements for Systems Administrators (Staff)

System administrators have a greater responsibility to create, store, and transmit passwords in a secure manner. They should also use stronger authentication and authorization mechanisms to control access to systems, applications, and accounts.

Passwords must be set on all University systems, including but not limited to servers, routers, switches, and other networking infrastructure. 

The following additional standards will apply to system administrators, except where technically and/or administratively not possible:

  • The principle of least privilege should always be used with respect to access to administrator-level accounts. If possible, elevated permissions should be granted in a granular fashion using a facility such as sudo.
  • Default passwords on new hardware and in applications must be changed immediately; a device or application must never be connected to the University network before its default password has been changed.
  • Use the Central Single Sign-On Service instead of creating local accounts where possible. Any information system that provides web-based services to students, faculty, and/or staff should use the central single sign-on service. Using this service provides for both better security and a better user experience.
  • Passwords for servers must be changed as personnel changes occur, including contractors. Otherwise they should be changed every 6 months or earlier.
  • Passwords for super user accounts, such as root and Administrator, must meet a higher complexity standard. It is strongly recommended that these passwords exceed 13 characters and be randomly generated.
  • Administrator accounts must only be used to administer operating systems and not for day-to-day user activities. If possible, these accounts should be disabled or renamed.
  • Administration teams are strongly encouraged to use a password management tool to facilitate secure sharing of passwords amongst team members with audit logging enabled. This type of tool also facilitates the tracking and approval of password requests.
  • Systems should be configured to lock out accounts after a series of incorrect login attempts to prevent brute-force attacks. These failed attempts should be logged and those logs reviewed on a regular basis.
  • If a privileged account is suspected to have been compromised, the password for that account must be changed immediately and CCS Information Security informed.
  • Accounts on University systems should never be configured to allow a user to log in without a password, i.e. no anonymous logins are permitted.
  • Access to administrator-level accounts must be logged and the logs maintained for a period of at least 12 months. These logs should be reviewed on a regular basis for anomalies.
  • Log files should never contain passwords or other sensitive information.
  • If multi-factor authentication is available to administrator-level accounts, it should be used.
  • Passwords must never be stored in clear text.
Requirements for Application Developers (Staff)

In addition to the password standards listed above, application developers have the additional responsibility of ensuring that their applications are receiving, storing, and transmitting passwords in a secure manner. The following additional standards will apply to application developers, except where technically and/or administratively not possible:

  • Application developers shall, whenever possible, develop applications that require secure protocols for authentication.
  • Use the Central Single Sign-On Service instead of creating local accounts and storing passwords where possible. Any information system that provides web-based services to students, faculty, and/or staff should use the central single sign-on service. Using this service provides for both better security and a better user experience. At a minimum, application developers should make use of the central identity directories on campus for authentication. Contact the CCS Information Security team if you require assistance.
  • If password storage cannot be avoided, application developers shall ensure that applications do not store passwords in clear text or an easily decrypted format. The currently recommended secure standards for password hashing are bcrypt, scrypt, or PBKDF2.
  • Applications shall support unique user accounts and passwords so that individual users are not required to share a password in order to use the application.
  • All software login screens are required to mask passwords that are being entered.
  • Generic responses should be provided to users for failed login attempts, producing simple error messages such as "Access denied". A standard error response minimizes clues available to hackers in the event of an attack.
  • Passwords must never be hard-coded in software developed by or modified by employees. For example, fixed passwords must not be stored in readable form in programs, batch files, automation scripts, automatic logon scripts, or software macros.
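The following credential store is an added example, not code from the University of Guelph or any of its applications. It brings together several of the developer and administrator requirements above in one place: passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes (one of the three hashing standards the page recommends) and compared in constant time; every failed login, whatever the cause, gets the same "Access denied" response; the account locks after a series of failures; and the audit log records each attempt without ever containing a password. The iteration count, lockout threshold and lockout duration are constructed values, since the standard itself gives no numbers.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000        # illustrative cost; tune to current guidance and hardware
LOCKOUT_THRESHOLD = 5              # constructed policy value: the standard sets no number
LOCKOUT_SECONDS = 15 * 60          # constructed policy value
GENERIC_FAILURE = "Access denied"  # the one message every failed login receives
_DUMMY_SALT = b"\x00" * 16         # so an unknown login ID costs the same time as a real one


def derive_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Only this output is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


class CredentialStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so lockout expiry can be exercised in tests
        self._users = {}         # login_id -> salt, hash and failure state
        self.audit_log = []      # one line per attempt; never includes a password

    def add_user(self, login_id: str, password: str) -> None:
        salt = os.urandom(16)    # unique random salt per account
        self._users[login_id] = {"salt": salt, "hash": derive_hash(password, salt),
                                 "failures": 0, "locked_until": 0.0}

    def is_locked(self, login_id: str) -> bool:
        rec = self._users.get(login_id)
        return rec is not None and rec["locked_until"] > self._clock()

    def _log(self, login_id: str, outcome: str) -> None:
        # Only the identity, the time and the outcome are recorded (no secrets).
        self.audit_log.append(f"{self._clock():.0f} login user={login_id} outcome={outcome}")

    def login(self, login_id: str, password: str) -> tuple:
        """Return (True, 'ok') on success, otherwise (False, GENERIC_FAILURE)."""
        now = self._clock()
        rec = self._users.get(login_id)
        if rec is None:
            derive_hash(password, _DUMMY_SALT)      # same work as a real check
            self._log(login_id, "unknown-user")
            return False, GENERIC_FAILURE
        if rec["locked_until"] > now:
            self._log(login_id, "locked")
            return False, GENERIC_FAILURE           # same message: no hint that a lock exists
        if rec["locked_until"]:                     # an earlier lock has expired: start fresh
            rec["locked_until"] = 0.0
            rec["failures"] = 0
        candidate = derive_hash(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):   # constant-time comparison
            rec["failures"] = 0
            self._log(login_id, "success")
            return True, "ok"
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            self._log(login_id, f"failed-and-locked (attempt {rec['failures']})")
        else:
            self._log(login_id, f"failed (attempt {rec['failures']})")
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    store = CredentialStore()
    store.add_user("jsmith", "Kq7-vR2!mZp9")      # constructed account and password
    print(store.login("jsmith", "Kq7-vR2!mZp9"))
    print(store.login("jsmith", "not-the-password"))
    print(store.login("nobody", "anything"))
    print("\n".join(store.audit_log))
```

Two details are easy to miss when implementing this. A missing account must still perform a full hash derivation, otherwise response time tells the caller which login IDs exist even though the message does not; and the lock must reject the correct password as well as wrong ones, otherwise it only slows an attacker down rather than stopping the guessing run. The reviewable audit trail the administrator section asks for is the `audit_log` list; it deliberately records the outcome and identity only.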
Forgotten Passwords

Users are strongly encouraged to register for the Password Reset Self-Service Tool, which allows them to reset a forgotten password through the use of personal security questions.

If a password has been forgotten and the user has not registered for password reset self-service, they should contact the CCS Help Centre (Ext. 58888 or IThelp@uoguelph.ca). The requestor will never be asked to provide their current or old password. Students will be asked to provide personal identifying information in order to verify their identity. For staff and faculty, a vouching process is required to guard against impersonation and social engineering: we will ask you to have a departmental IT administrator, manager, or executive assistant who can physically vouch for your identity email us with the password reset request on your behalf. In lieu of vouching, CCS will reset a password upon presentation of picture ID at our IT Help Desk.

The CCS Help Centre can only reset passwords on certain systems. For some systems or applications, the system or application owner may need to be contacted to perform a password reset. For some systems, there is a delay between the time that the central login password is reset and the new password is available for login.
Standard Enforcement

In accordance with the University of Guelph Acceptable Use Policy, Information Security reserves the right to suspend, restrict, or deny access to the University network for a user or system based on security concerns.
Glossary of Terms

  • Central Directory Service - In the context of this document, central directory service can represent our LDAP directory or Active Directory for user authentication. Please see the LDAP service page for more information.
  • Central Login Account - A Central Login Account is a centralized identity that consists of a central login ID (username), password, and identifying information about a University member or group. Central login IDs and passwords are the credentials used for accessing most University online services. More information can be found on the Central Login service page.
  • Single Sign-On Service (SSO) - The University Single Sign-On (SSO) service allows users to authenticate with their username and password once, which gives them access to multiple U of G services without having to retype their credentials. More information on the service can be found on the Single Sign-On service page.
  • University of Guelph Systems - In the context of this document, "University of Guelph systems" refers to any server, workstation, application, or service which makes use of central login usernames and passwords for user authentication. For example, this would include GryphMail, CourseLink, and shared CFS storage.
CCS Information Security
Last Updated: May 21, 2020