Password and Two Step Verification Token Management Guidelines

Application

These guidelines apply to all users, whether at the University or elsewhere, and refer to all IT resources that require password access or access with the use of tokens through Two Step Verification.

Purpose

To help IT users create strong passwords and securely manage their passwords and Two Step Verification tokens in order to support the security of information at the University.
These guidelines should be read in conjunction with the Two Step Verification Standard and the Systems Access Management Standard.

Guidelines

Passwords - the basics

The following guidelines set the minimum recommended requirements for passwords on any IT resource:

  • Unique initial passwords will be provided in a secure and confidential manner
  • Initial passwords that are not set by the user should be changed upon their first logon
  • IT users should choose passwords that are difficult to guess
  • Passwords must have a minimum of 9 characters
  • Passwords should contain a mix of letters, digits and special characters
  • Passwords should not be based on:
    • a name
    • a single dictionary word
    • a previous password
    • any obvious personal information such as user ID, family name, pet, birthday, etc.
  • Passwords should not contain more than 2 repeated characters in a row (e.g. mmmmm236, abcd1111)
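A checker for the basic rules listed above, as an added example that is not part of the University's guidelines; the dictionary words, user details and previous passwords it uses are constructed sample data, and the "based on a name" rule is approximated by checking the user ID and family name.

```python
import re

# Rules from the "Passwords - the basics" list; everything else is constructed.
MIN_LENGTH = 9
MAX_RUN = 2  # no more than 2 identical characters in a row (e.g. mmmmm236, abcd1111)

# Constructed stand-in for a real dictionary word list.
SAMPLE_DICTIONARY = {"vanilla", "chocolate", "password", "university"}


def check_password(password, user_id="", family_name="", previous=()):
    """Return the list of rule violations for `password`; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Mix of letters, digits and special (non-alphanumeric) characters.
    if not (re.search(r"[A-Za-z]", password)
            and re.search(r"\d", password)
            and re.search(r"[^A-Za-z0-9]", password)):
        problems.append("needs letters, digits and special characters")
    # A character followed by MAX_RUN or more copies of itself is a run that is too long.
    if re.search(r"(.)\1{%d,}" % MAX_RUN, password):
        problems.append(f"contains more than {MAX_RUN} repeated characters in a row")
    lowered = password.lower()
    if lowered in SAMPLE_DICTIONARY:
        problems.append("is a single dictionary word")
    # Obvious personal information: user ID or family name embedded in the password.
    for label, value in (("user ID", user_id), ("family name", family_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains the {label}")
    # Compared case-insensitively so a re-cased old password is still caught.
    if any(lowered == old.lower() for old in previous):
        problems.append("matches a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, including the two examples from the guideline.
    for candidate in ("mmmmm236", "abcd1111!", "Idh82hv2go!"):
        print(candidate, "->", check_password(candidate) or "ok")
```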

Creating strong passwords

The following points are suggestions for how to create strong passwords:

  • Longer passwords are better passwords
  • The more characters a password cracking program has to crunch, the harder it is to guess
  • Remove all the vowels from a short phrase in order to create a "word", e.g. llctsrgry ("All cats are grey")
  • Use an acronym: choose the first or second letter of each word in your favourite quotation, e.g. itsotfitd ("It's the size of the fight in the dog")
  • Mix letters and non-letters in your passwords. Non-letters include numbers and all punctuation characters on the keyboard
  • Transform a phrase by using numbers or punctuation, e.g. Idh82hv2go (I'd hate to have to go), UR1drful! (you are wonderful)
  • Avoid choosing a password that spells a word, but, if you must, then:
    • introduce "silent" characters into the word, e.g. va7ni9lla
    • deliberately misspell the word or phrase, e.g. chok0lutt
    • choose a word that is not comprised of smaller words
    • add random capitalization to your passwords
    • capitalize any but the first letter, e.g. eIeIEioH!, oO.U.Kidd

Maintaining a strong password

Here are several recommendations for maintaining a strong password:

  • Don’t share your password with anyone for any reason
  • Don’t reuse a password
  • Don’t use the same password for multiple accounts
  • Use a password manager to store passwords
  • Don’t write your password down or store it in an insecure manner

Do not share your password with anyone for any reason

  • Passwords should not be shared with anyone
  • In situations where someone requires access to another individual’s protected resources, delegation of permission options should be explored. For example, Outlook Calendar will allow a user to delegate control of their calendar to another user without sharing any passwords. This type of solution is encouraged
  • Passwords should not be shared even for the purpose of computer repair

Do not share your two step verification token

  • Two step verification tokens need to be activated before you can use them and part of this process is to link the token to your individual record. This means that while it is linked to your record no one else can use the token to log into an application with their credentials. The token is solely for your use and as with your password you should not give your token to another person to use on your behalf
  • Keep your tokens secure. This means you would use the same discretion on their availability as you would your house keys or credit card. Don’t leave tokens openly available on your desk, or plugged into your PC

Do not reuse a password

  • When changing an account password, you should avoid reusing a previous password. If a user account was previously compromised, (either knowingly or unknowingly), reusing a password could allow that user account to become compromised once again
  • Similarly, if a password was shared for some reason, reusing that password could allow someone unauthorized access to your account

Do not use the same password for multiple personal accounts

  • While using the same password for multiple accounts makes it easier to remember your passwords, it can also have a chain effect allowing an attacker to gain unauthorized access to multiple systems. This is particularly important when dealing with more sensitive accounts such as your online banking account. These passwords should differ from the password you use for instant messaging, webmail and other personal web-based accounts.

Do not write your password down or store it insecurely

In cases where it is necessary to write down a password, that password needs to be stored in a secure location and properly destroyed when no longer needed.

Password managers

  • You should use a separate password not just for your University account, but for every site that you are registered with. Having a separate password for each site reduces your overall risk if the password for any individual site is compromised. This can, however, quickly add up to more passwords than you can remember.
  • The secure solution to managing your passwords is to use a password manager which will allow you to access your list of passwords with a master password. The master password needs to be very strong.

Note: using a password manager to store your passwords isn’t recommended unless the password manager leverages strong encryption and requires authentication prior to use.

  • When selecting a password manager, some of the key features you should look for include:
    • Support for multiple operating systems. For example, Windows, OS X, iOS, Android, etc.
    • Passwords are encrypted locally on your device (not in the cloud).
    • Passwords can be synchronised across devices.
    • Support for two-factor authentication, to make your password manager even more secure.
  • Some of the more popular password managers (in no particular order) include:

Definitions

The following definitions apply to this document:
IT resources refers to any University owned or operated hardware or software and the data that is used or stored on it.
Password Manager is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password which grants the user access to their entire password database.
Strong password is defined as a password that is reasonably difficult to guess in a short period of time either through human guessing or the use of specialized software.
Tokens are used to prove your identity electronically in addition to, or in place of, a password. The token acts like an electronic key to access something.
Two Step Verification (2SV) (also known as 2 Factor Authentication/2FA or Multi Factor Authentication/MFA) is a security mechanism that requires two or more types of credentials for authentication and is designed to provide an additional layer of validation, minimising security breaches.
Two Step Verification tokens – YubiKeys and the Google Authenticator application (run on mobile devices) are the tokens used at the University to provide two-step verification to a site, service or application.
User means any individual member of the University community using IT resources.
University means the University of Auckland and includes all subsidiaries.

Key relevant documents

Document management and control

Owned by: Chief Information Security Officer
Content manager: Chief Information Security Officer
Approved by: Chief Digital Officer (CDO)
Date approved: 22 January 2023
Review date: 22 January 2026