Maintained by secweb@ucsc.edu
Last Reviewed on Oct 26, 2004

© 2008 The Regents of the University of California

UCSC Password Strength and Security Standards

| Introduction | Password Strength Standards | Password Security Standards | Additional Practices for Service Providers | System Requirements and Standards | Getting Help |

INTRODUCTION

Passwords are an important part of computer security at UCSC. They often serve as the first line of defense in preventing unauthorized access to campus computers and data. Because of this, it is important to choose passwords that are complex and cryptic enough to prevent others from guessing them or from cracking them with “password cracker” programs. At the same time, it is also important to keep passwords secret and secure so others can’t use them or find them. These Standards are intended to provide information and guidance about how to create good, cryptic passwords and how to keep them secure and confidential.




PASSWORD STRENGTH STANDARDS - How to create good, cryptic, hard-to-guess-or-crack passwords

  1. Passwords should either:

    Be at least eight (8) characters in length and contain at least 3 of the following 4 types of characters:

    • lower case letters (e.g. a-z)
    • upper case letters (e.g. A-Z)
    • numbers (e.g. 0-9)
    • special characters (e.g. !@#$%^&*()_+|~-=\'{}[]:";'<>?,./)

    - or -

    Be a passphrase at least 10 characters in length.

    • A passphrase is a complex password based on a memorable phrase, song or book title, line of poetry, etc.  For example, the phrase "This May Be One Way To Remember" could have the associated password "TmB1w2R!" or some other variation.
    • Hint: Passphrases are harder to crack if they don’t always use the first letter of each word.

    Note: Passwords for systems or applications that cannot support the above standards should be longer (if possible) and incorporate the maximum complexity the system or application can support.


  2. In addition, passwords should:
    • Not be a word found in the dictionary (in any language), whether spelled forwards or backwards, or a word preceded or followed by a digit (e.g., secret1, 1secret)
    • Not include user name or login name
    • Avoid including personal information, names of family, places, pets, birthdays, address, hobbies, license plate number, etc.
    • Avoid words that are slang, dialect, jargon, etc.
    • Avoid common keyboard sequences, such as "qwerty89" or "abc123"

  3. More tips for creating good passphrases:
    • Phrases shouldn't be too common (2bor!2b is pretty common). 
    • A phrase that has personal meaning but might not appear widely is perhaps best.
      • For example, the first line of your wedding vows (if you wrote them yourself) would be memorable but not widely available. 
      • A random line from your favorite movie is good too. 
    • Combining phrases is better still.
    • Don’t use passphrases you have seen in print as examples.
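The strength rules in items 1 and 2 above, written as a checker; this is an added example, not UCSC's own tooling. The word list and keyboard sequences are constructed samples, and the special-character set is the one listed in item 1.

```python
# Character classes named in item 1 (special characters taken from the standard's list).
SPECIAL_CHARS = set("!@#$%^&*()_+|~-=\\'{}[]:\";<>?,./")

# Constructed sample word list and keyboard sequences; a deployment would load a full
# multi-language dictionary and a larger list of common patterns (item 2).
DICTIONARY = {"secret", "password", "welcome", "summer"}
KEYBOARD_SEQUENCES = ["qwerty", "asdfgh", "abc123", "123456"]


def meets_complexity(pw: str) -> bool:
    """Item 1, first option: at least 8 characters and 3 of the 4 character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIAL_CHARS for c in pw),
    ]
    return len(pw) >= 8 and sum(classes) >= 3


def is_passphrase(pw: str) -> bool:
    """Item 1, second option: a passphrase of at least 10 characters."""
    return len(pw) >= 10


def dictionary_based(pw: str) -> bool:
    """Item 2: a dictionary word, forwards or backwards, possibly with one digit before or after."""
    core = pw.lower()
    candidates = {core}
    if core[:1].isdigit():
        candidates.add(core[1:])
    if core[-1:].isdigit():
        candidates.add(core[:-1])
    return any(c in DICTIONARY or c[::-1] in DICTIONARY for c in candidates)


def check_password(pw: str, username: str = "") -> list:
    """Return the standard violations found; an empty list means the password is acceptable."""
    problems = []
    if not (meets_complexity(pw) or is_passphrase(pw)):
        problems.append("needs 8+ chars with 3 of 4 character classes, or a 10+ char passphrase")
    if dictionary_based(pw):
        problems.append("based on a dictionary word")
    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    if any(seq in pw.lower() for seq in KEYBOARD_SEQUENCES):
        problems.append("contains a common keyboard sequence")
    return problems
```

Running it on the standard's own example, `check_password("TmB1w2R!", "jdoe")` returns an empty list, while `check_password("secret1", "jdoe")` reports both the length/complexity failure and the dictionary-word failure.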


PASSWORD SECURITY STANDARDS - How to keep your passwords secret and secure:

  1. Do not share your passwords with anyone else, or in any way publish them.

  2. Passwords should not be written down.
    • Whenever possible, change passwords to something you can easily remember.
      • One way to do this is to create a passphrase (see above for more information).
      • Once you have a good, strong, memorable password or passphrase, you can come up with a system to modify it slightly for each system or application. Then you only have to remember your base password and your system.
    • If you have to write a password down, try to write it in a way that others won't be able to decipher (such as using a hint for part of it) -- and store it securely in a safe, unlikely-to-be-discovered location (e.g. not under the keyboard or on your monitor).
    • Passwords can also be securely stored in PasswordSafe. [1]
      • Note: Passwords providing access to PasswordSafe should meet the minimum strength and security standards stated in these Standards.

  3. If you think your password may have been compromised, notify the ITS Support Center (see GETTING HELP, below) and your supervisor.

  4. Change passwords provided for initial access or password resets as soon as possible. These passwords can be extra vulnerable.
    • Information for doing this should be provided with the password. If it is not, contact the person or office issuing the password for instructions.

  5. Don’t let your applications, browser, or keychains remember passwords that provide access to sensitive systems or data.
    • That way if someone gets access to your computer, they don’t also get access to all of your accounts.

  6. Whenever you change a password, change it to something different.

  7. Use different passwords for accounts that provide access to restricted data than for your less-sensitive or personal accounts.
    • For additional security, use a different password for each account that provides access to sensitive data; that way if one of your passwords is compromised, your others are still OK.

  8. Ensure that passwords are transmitted securely.
    • Make sure that web pages have https (not http) in the web address (URL) before you enter a password. If they don’t, request a secure web page you can use to log in.
    • Make sure that any applications you log into on your computer (such as email) are set for secure authentication, if possible.



ADDITIONAL REQUIREMENTS FOR SERVICE PROVIDERS

  1. Passwords provided as initial passwords or password resets should meet the UCSC Minimum Password Requirements. "Changeme," "admin," and other common passwords found in password crackers should not be used.
    • Passwords provided as initial passwords or password resets also should not be a fixed password or a published/easy-to-figure-out formula that, if discovered, could be used to gain unauthorized access to a system or application.

  2. Service providers should ensure that end users are aware of the above password strength standards when it is not possible for applications and systems to enforce them technically.
    • ITS, or service providers in consultation with ITS, may also utilize password cracking tools to ensure adequate password complexity.

  3. Ensure secure transmission and storage of passwords, as appropriate.

  4. Service providers should instruct users to change passwords provided for initial access or password resets as soon as possible after initial use and provide instructions for doing so. Alternatively, temporary passwords can be set to expire upon initial use, where feasible.

  5. Whenever possible, give users advance notice about password requirements so they can come up with well-thought-out, memorable passwords instead of spur-of-the-moment ones.

  6. Passwords used for privileged access should not be the same as those used for non-privileged access.

  7. Administrator-level access to restricted data, computers or networks should be able to identify the individual performing the access, e.g. via a unique user ID/password and elevated permissions as opposed to utilizing a shared admin or root account.

  8. Report potential password security compromises to the campus Security Team (security@ucsc.edu).

SYSTEM REQUIREMENTS AND STANDARDS

  1. Where possible and applicable, applications and systems should be configured to enforce these password complexity standards.

  2. New systems and applications should be able to support the above password strength standards.

  3. Systems should be configured to ensure secure transmission and storage of passwords whenever possible.

  4. Passwords provided for initial access and password resets should be unique.

  5. Passwords provided for initial access and password resets should be set to expire upon initial use, where feasible.
    • Additionally, initial passwords should be set to expire after no more than 120 days and password resets should be set to expire after 72 hours when possible to prevent unauthorized account access.
      Note: This recommendation is not intended to imply that passwords should expire periodically. It is, instead, intended to prevent the misuse of a temporary password.

  6. All default passwords for network-accessible device accounts should be modified.

  7. Where applicable, systems should be configured to prevent resubmission of previously used passwords.
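Items 5 and 7 above as a small model of the two server-side controls: a temporary password that is spent on first use or after its window (120 days for initial passwords, 72 hours for resets), and a password history held as salted hashes to block resubmission. This is an added example, not UCSC's code; the issue time is constructed and the history depth and PBKDF2 parameters are assumed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Expiry windows from item 5 of the system standards.
LIFETIME = {"initial": timedelta(days=120), "reset": timedelta(hours=72)}

# Constructed issue time for the worked example; a real system records the actual time.
ISSUED = datetime(2008, 4, 22, 9, 0)

def at(hours: float) -> datetime:
    """Clock reading a given number of hours after ISSUED (for the example)."""
    return ISSUED + timedelta(hours=hours)

class TemporaryPassword:
    """An initial or reset password: valid once, and only inside its expiry window."""
    def __init__(self, kind: str, issued_at: datetime = ISSUED):
        if kind not in LIFETIME:
            raise ValueError("kind must be 'initial' or 'reset'")
        self.kind, self.issued_at, self.used = kind, issued_at, False

    def expires_at(self) -> datetime:
        return self.issued_at + LIFETIME[self.kind]

    def redeem(self, now: datetime) -> bool:
        """Accept the temporary password; it is spent on first use (item 5)."""
        if self.used or now >= self.expires_at():
            return False
        self.used = True
        return True

def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored history never holds plaintext (item 3)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class PasswordHistory:
    """Item 7: remember the last `depth` passwords as salted hashes to block reuse."""
    def __init__(self, depth: int = 5):
        self.depth, self.entries = depth, []  # entries: (salt, hash), newest last

    def seen_before(self, pw: str) -> bool:
        return any(hmac.compare_digest(hash_password(pw, s), h) for s, h in self.entries)

    def record(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries = (self.entries + [(salt, hash_password(pw, salt))])[-self.depth:]
```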

GETTING HELP:

For questions or feedback about these Standards, contact the ITS Service Manager for Community and Compliance at itpolicy@ucsc.edu or (831) 459-2779.

For technical questions about implementing or enforcing these Standards, contact:



--------------------------------
[1] PasswordSafe: http://passwordsafe.sourceforge.net/


Rev. 4/22/08