Purpose
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the Mont Alto campus data network. As such, all Mont Alto campus employees (including contractors, temporary staff, and vendors with access to any or all Mont Alto campus technology systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
Scope
The scope of this policy includes all personnel who have or are responsible for an account (or any form of data communications access) on any system that resides at any Mont Alto campus facility, has access to the Mont Alto campus data network via a local or remote connection, or stores any non-public campus information.
Note: All faculty, staff and students are subject to the ITS policies governing access accounts. Those policies can be viewed at http://ovpit.salamzone.com/legacy/be-safe/password-policy.html
Definitions
Application Administration Account - Any account that is for the administration of an application (e.g., Server Root Access, Web Server administrator).
TACACS+ - Terminal Access Controller Access Control System, an authentication protocol
RADIUS - Remote Authentication Dial-In User Service, an authentication protocol
X.509 - The standard format for public-key certificates, used for certificate-based authentication
LDAP - An Internet standard protocol for accessing directory information. LDAP stands for Lightweight Directory Access Protocol
VPN - Virtual Private Network; provides an encrypted tunnel for carrying data across an untrusted network
Policy
General
- All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed quarterly.
- All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every three months.
- User accounts that have system-level privileges granted through group memberships or programs such as "sudo" under UNIX or "Run As" under Windows must have a password that is different from the password used for any other account held by that user.
- Passwords must not be inserted into email messages or other forms of electronic communication.
- Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system," and must be different from the passwords used to log in interactively. A keyed hash must be used where available (SNMPv3 user-based authentication provides this; plain SNMPv1/v2c community strings do not).
- All user-level and system-level passwords must conform to the guidelines described below.
Guidelines
General Password Construction Guidelines
Passwords are used for various purposes at the Mont Alto campus. Some of the more common uses include: user level accounts, network accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
- The password contains less than eight characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
- Names of family, pets, friends, co-workers, fantasy characters, etc.
- The user’s ID, or subset thereof.
- Computer terms and names, commands, sites, companies, hardware, software.
- The words "Mont Alto campus," "MA," or any derivation.
- Birthdays and other personal information such as addresses and phone numbers.
- Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
- Any of the above spelled backwards.
- Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Strong passwords have the following characteristics:
- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
- Are at least eight alphanumeric characters long.
- Are not a word in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.
- Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R!" or "Tmb1W>r~" or some other variation. NOTE: Do not use either of these examples as passwords!
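The weak and strong characteristics above are the kind of thing an account provisioning script or a self-service password page can check mechanically. The following checker is an added example (it is not part of the policy and not a campus tool); it applies each of the listed rules to a candidate password. DICTIONARY and FORBIDDEN are small constructed stand-ins: a real deployment would load a full wordlist (for instance the one a cracking tool uses) and whatever campus-specific terms ITS wants blocked.

```python
"""Added example (not part of the Mont Alto policy): a checker that applies
the weak/strong password characteristics listed above to a candidate
password.  DICTIONARY and FORBIDDEN below are constructed stand-ins for a
real wordlist and the campus-specific terms ITS would block."""
import re
import string

# Constructed stand-in for a real dictionary / cracking wordlist.
DICTIONARY = {"secret", "password", "welcome", "summer", "monkey", "dragon"}
# Campus name, abbreviation, and derivations the policy forbids (constructed).
FORBIDDEN = {"montalto", "mont alto", "ma"}
# Alphabet, keyboard rows and digits: the sources of qwerty / zyxwvuts / 123321.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl",
             "zxcvbnm", "0123456789")


def _base_forms(pw):
    """Base words hidden in pw: the password, its reverse, and each of those
    with one leading or trailing digit removed (covers 'secret1', '1secret'
    and 'terces', the 'spelled backwards' and 'followed by a digit' cases)."""
    forms = set()
    for s in (pw.lower(), pw.lower()[::-1]):
        forms.add(s)
        if s[0].isdigit():
            forms.add(s[1:])
        if s[-1].isdigit():
            forms.add(s[:-1])
    return {f for f in forms if f}


def _in_sequence(t):
    return len(t) >= 3 and any(t in seq or t in seq[::-1] for seq in SEQUENCES)


def _has_pattern(pw):
    """Repeated runs (aaabbb, aaaa), slices of a keyboard/alphabet sequence in
    either direction (qwerty, zyxwvuts), or mirrored slices (123321)."""
    s = pw.lower()
    if re.search(r"(.)\1{2,}(.)\2{2,}|(.)\3{3,}", s):
        return True
    for i in range(len(s)):
        for j in range(i + 5, len(s) + 1):
            w = s[i:j]
            if _in_sequence(w):
                return True
            half = len(w) // 2
            if len(w) % 2 == 0 and w[:half] == w[half:][::-1] and _in_sequence(w[:half]):
                return True
    return False


def check_password(pw, user_id="", personal=()):
    """Return the list of guideline violations; an empty list means the
    password meets the construction guidelines.  user_id and personal (names,
    birthdays, phone numbers, ...) are the account-specific values the
    password must not be built from."""
    if not pw:
        return ["empty password"]
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("missing upper- or lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation character")
    forms = _base_forms(pw)
    if forms & DICTIONARY or any(w in low for w in DICTIONARY if len(w) >= 5):
        problems.append("dictionary word (possibly reversed or with a digit added)")
    if forms & FORBIDDEN or any(w in low for w in FORBIDDEN if len(w) >= 4):
        problems.append("campus name or a derivation of it")
    uid = user_id.lower()
    if len(uid) >= 4 and (uid[::-1] in low or
                          any(uid[k:k + 4] in low for k in range(len(uid) - 3))):
        problems.append("contains the user ID or part of it")
    for item in personal:
        if len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information ({item})")
    if _has_pattern(pw):
        problems.append("keyboard, sequence or repeated-character pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("secret1", "Qwerty123!", "TmB1w2R!"):
        print(candidate, "->", check_password(candidate, user_id="jqs123") or "OK")
```

The policy's own mnemonic examples pass every check, while "secret1" fails on length, case, punctuation and the dictionary-plus-digit rule at once. Substring checks for the user ID and personal data are deliberately loose (any four-character slice), because the guideline says "or subset thereof".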
Password Protection Standards
Do not use the same password for Mont Alto campus accounts as for other non-Mont Alto campus access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, do not use the same password for various Mont Alto campus access needs. For example, select one password for the PC or laptop assigned to you by the Mont Alto campus and a separate password for the PCs located in the computer labs. Also, where applicable, select a separate password for Windows accounts and UNIX accounts.
Do not share your password with anyone, including administrative assistants, their staff, or police services. All passwords are to be treated as sensitive, confidential campus information.
Here is a list of "do not’s":
- Don't reveal a password over the phone to ANYONE
- Don't reveal a password in an email message
- Don't reveal a password to a supervisor
- Don't talk about a password in front of others
- Don't hint at the format of a password (e.g., "my family name")
- Don't reveal a password on questionnaires or security forms
- Don't share a password with family members
- Don't reveal a password to co-workers while on vacation
If someone demands a password, refer them to this document or have them call ITS.
Do not use the "Remember Password" feature of applications (e.g., Eudora, Outlook, AOL Instant Messenger).
Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
Change passwords at least once every six months (except system-level passwords, which must be changed quarterly). The recommended change interval is every three months.
If an account or password is suspected to have been compromised, report the incident to the Director of ITS and change all passwords.
Password cracking or guessing may be performed on a periodic or random basis by University Security or ITS. If a password is guessed or cracked during one of these scans, the user will be required to change it.
Application Development Standards
In-house application developers must ensure their programs contain the following security precautions. Applications:
- should support authentication of individual users, not groups.
- should not store passwords in clear text or in any easily reversible form.
- should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
- should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
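The first three development standards are easy to state and routinely got wrong (passwords kept in a table as plain text or a reversible encoding, one shared "lab" login, a colleague handing over their password to cover duties). The credential store below is an added example written for this policy page; it is not code from the policy or from any campus application. It keeps one record per individual user, stores only a salted one-way PBKDF2-HMAC-SHA256 verifier rather than the password, compares in constant time, and handles "take over another user's functions" by granting a role. The iteration count, the record layout and the method names are this example's own choices, not values the policy specifies.

```python
"""Added example (not code from the Mont Alto policy or any campus
application): a minimal credential store that meets the in-house
application development standards above.  Iteration count and record
layout are assumptions made for this example."""
import hashlib
import hmac
import os


class CredentialStore:
    def __init__(self, iterations=600_000):
        # Assumption: ~600k PBKDF2 iterations is a reasonable present-day cost;
        # tune so that one verification takes on the order of 100 ms on the
        # real server.  Lower only for tests.
        self.iterations = iterations
        self._users = {}      # user_id -> {salt, verifier, iterations, roles}

    @staticmethod
    def _derive(password, salt, iterations):
        # One-way function: the verifier cannot be turned back into the
        # password, which is what "not easily reversible" requires.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def add_user(self, user_id, password, roles=()):
        """Create a record for one individual user (no shared group logins)."""
        if user_id in self._users:
            raise ValueError(f"user {user_id!r} already exists")
        salt = os.urandom(16)          # per-user salt: identical passwords differ on disk
        self._users[user_id] = {
            "salt": salt,
            "verifier": self._derive(password, salt, self.iterations),
            "iterations": self.iterations,
            "roles": set(roles),
        }

    def authenticate(self, user_id, password):
        rec = self._users.get(user_id)
        if rec is None:
            # Do the same amount of work for unknown IDs so response timing
            # does not reveal which user IDs exist.
            self._derive(password, b"\0" * 16, self.iterations)
            return False
        candidate = self._derive(password, rec["salt"], rec["iterations"])
        return hmac.compare_digest(candidate, rec["verifier"])   # constant-time compare

    def change_password(self, user_id, old_password, new_password):
        """Re-salt and re-derive; requires the current password."""
        if not self.authenticate(user_id, old_password):
            return False
        rec = self._users[user_id]
        rec["salt"] = os.urandom(16)
        rec["iterations"] = self.iterations
        rec["verifier"] = self._derive(new_password, rec["salt"], self.iterations)
        return True

    def grant_role(self, user_id, role):
        """Role management: a user takes over another's functions by being
        granted the role, so nobody needs to learn the other user's password."""
        self._users[user_id]["roles"].add(role)

    def has_role(self, user_id, role):
        return role in self._users.get(user_id, {}).get("roles", set())

    def stored_record(self, user_id):
        """What actually lands on disk for this user: cost parameter, salt and
        verifier, all hex-encoded; the password itself never appears."""
        rec = self._users[user_id]
        return (b"%d$" % rec["iterations"]
                + rec["salt"].hex().encode() + b"$"
                + rec["verifier"].hex().encode())


if __name__ == "__main__":
    store = CredentialStore()
    store.add_user("alice", "TmB1w2R!", roles={"grader"})
    print("alice login ok:", store.authenticate("alice", "TmB1w2R!"))
    print("wrong case rejected:", not store.authenticate("alice", "tmb1w2r!"))
    store.add_user("bob", "xY7#pq!Lm")
    store.grant_role("bob", "grader")     # bob covers alice's grading duties
    print("stored for alice:", store.stored_record("alice").decode())
```

For an application that delegates authentication to RADIUS, TACACS+ or an LDAP directory, the verifier logic moves to that server; the role table and the per-user (never per-group) identity still belong in the application.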
Use of Passwords and Passphrases for Remote Access Users
Access to the Mont Alto campus network via remote access requires that all traffic be encrypted. This can be established using either one-time password authentication or a public/private key system with a strong passphrase. A VPN that authenticates clients with key pairs or certificates is an example of a public/private key system.
Passphrases
Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known to all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.
Passphrases are not the same as passwords. A passphrase is a longer version of a password and is therefore more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks."
A good passphrase is relatively long and contains a combination of upper and lower case letters, numeric characters, and punctuation characters. An example of a good passphrase:
"*?#>*@TrafficOnThe101Was*&#!ThisMorning#"
All of the rules above that apply to passwords apply to passphrases.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action by their administrative unit, the campus, or the University.
Cross References
Other policies that should also be referenced:
AD20 - Computer and Network Security
PSU-MA-ITS-000 – End User Computer Agreement
PSU-MA-ITS-004 – Acceptable Use and Security Policy
Policy History
Approved June 5, 2009