Password and Two Step Verification Token Management Guideline


Application


This guideline applies to all users, whether at the University or elsewhere, and covers all IT resources that require access by password or by a Two Step Verification token.

Purpose


To help IT users create strong passwords and securely manage their passwords and Two Step Verification tokens, in order to support the security of information at the University.

This guideline should be read in conjunction with the Two Step Verification Standard and the Systems and Applications Authentication Standard.

Guidelines


Passwords - the basics

The following guidelines set the minimum recommended requirements for passwords on any IT resource:

  • Unique initial passwords will be provided in a secure and confidential manner
  • Initial passwords that are not set by the user should be changed upon their first logon
  • IT users should choose passwords that are difficult to guess and change them at least every 6 months
  • Passwords should have a minimum of 8 characters and at least 3 out of these 4 requirements:
    • at least 1 number (0-9)
    • at least 1 lower case letter (a-z)
    • at least 1 upper case letter (A-Z)
    • at least 1 special character (?, *, %, etc.)
  • Passwords should not be based:
    • on a name
    • on a single dictionary word
    • on a previous password
    • on any obvious personal information such as user ID, family name, pet, birthday, etc.
  • Passwords should not contain a run of more than 2 repeated characters (e.g. mmmmm236, abcd1111)
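As an added example (not the University's own implementation), the following Python checks a candidate password against the rules listed above, including the "not a previous password" rule. The dictionary word list, the user record and its field names, the per-user salt and the SHA-256 history digest are all constructed assumptions for the demonstration; a real verifier would compare against its own slow password hashes (bcrypt, scrypt or Argon2) rather than SHA-256.

```python
"""Policy checker for the rules listed under 'Passwords - the basics'.

Added example only: the word list, user record and hashing scheme are
constructed for illustration and are not the University's implementation.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = {"vanilla", "chocolate", "password", "auckland", "summer", "kitten"}

# The policy's 'special character' class: any non-alphanumeric character.
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")


@dataclass
class UserRecord:
    """Constructed user record; the field names are assumptions for the example."""
    user_id: str
    family_name: str
    given_name: str
    birthday: str                                        # ISO date, e.g. "1990-04-21"
    previous_hashes: list = field(default_factory=list)  # salted SHA-256 hex digests
    salt: str = "per-user-salt"                          # assume one random salt per user


def history_hash(password: str, salt: str) -> str:
    """Digest used only for the 'not a previous password' comparison.
    A real verifier would compare against its own slow password hashes
    (bcrypt, scrypt, Argon2); plain salted SHA-256 keeps the example short."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def character_classes(password: str) -> int:
    """How many of the four policy classes (digit, lower, upper, special) appear."""
    return sum([
        any(c.isdigit() for c in password),
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        SPECIAL_RE.search(password) is not None,
    ])


def longest_run(password: str) -> int:
    """Length of the longest run of one repeated character (mmmmm236 -> 5)."""
    if not password:
        return 0
    best = run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def check_password(password: str, user: UserRecord) -> list:
    """Return the list of policy rules the password breaks (empty means it passes)."""
    problems = []
    lowered = password.lower()

    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(password) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    if longest_run(password) > 2:
        problems.append("contains a run of more than 2 repeated characters")

    # 'Based on a single dictionary word': the word with only leading/trailing
    # digits or punctuation bolted on (Vanilla1!). Characters inserted inside
    # the word (va7ni9lla, as the guideline suggests) are not caught here.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in DICTIONARY:
        problems.append("based on a single dictionary word")

    # Obvious personal information: user ID, names, full birthday or birth year.
    personal = [user.user_id, user.family_name, user.given_name,
                user.birthday.replace("-", ""), user.birthday[:4]]
    if any(p.lower() in lowered for p in personal if len(p) >= 3):
        problems.append("contains obvious personal information")

    if history_hash(password, user.salt) in user.previous_hashes:
        problems.append("reuses a previous password")

    return problems


if __name__ == "__main__":
    # Constructed user and history for the demonstration.
    jane = UserRecord("jsmith", "Smith", "Jane", "1990-04-21")
    jane.previous_hashes.append(history_hash("Idh82go!X", jane.salt))
    for candidate in ["UR1drful", "Vanilla1!", "mmmmm236",
                      "Smith1990!", "Idh82go!X", "llctsrgry"]:
        print(f"{candidate:12s} -> {check_password(candidate, jane) or 'OK'}")
```

Running the check over the guideline's own sample passwords shows why the suggestions under "Creating strong passwords" are building blocks rather than finished passwords: the phrase-derived strings llctsrgry, itsotfitd and choklutt contain only lower-case letters and so meet just one of the four character classes, while UR1drful and Idh82go pass only once the numbers, capitals or punctuation are mixed in as that section recommends.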

Creating strong passwords

The following points are suggestions for how to create strong passwords:

  • Longer passwords are better passwords: the more characters a password-cracking program has to work through, the longer it takes to guess
  • Remove all the vowels from a short phrase in order to create a "word", e.g. llctsrgry ("All cats are grey")
  • Use an acronym: take the first letter of each word in a favourite quotation, e.g. itsotfitd ("It's the size of the fight in the dog")
  • Mix letters and non-letters in your passwords. Non-letters include numbers and all punctuation characters on the keyboard
  • Transform a phrase by using numbers or punctuation, e.g. Idh82go (I'd hate to go), UR1drful (you are wonderful)
  • Avoid choosing a password that spells a word, but, if you must, then:
    • introduce "silent" characters into the word, e.g. va7ni9lla
    • deliberately misspell the word or phrase, e.g. choklutt
    • choose a word that is not made up of smaller words
    • add random capitalization to your passwords
    • capitalize any but the first letter, e.g. eIeIoH!, o.U.Kid

Maintaining a strong password

Here are several recommendations for maintaining a strong password:

  • Don’t share your password with anyone for any reason
  • Don’t reuse a password
  • Don’t use the same password for multiple accounts
  • Don’t use the 'remember password' internet browser function
  • Don’t write your password down or store it in an insecure manner

Do not share your password with anyone for any reason

  • Passwords should not be shared with anyone
  • In situations where someone requires access to another individual’s protected resources, delegation options should be explored. For example, Oracle Calendar allows a user to delegate control of his or her calendar to another user without sharing any passwords. This type of solution is encouraged
  • Passwords should not be shared even for the purpose of computer repair

Do not share your two step verification token

  • Two step verification tokens need to be activated before you can use them, and part of this process links the token to your individual record. While it is linked to your record no one else can use the token to log into an application with their own credentials. The token is solely for your use and, as with your password, you should not give your token to another person to use on your behalf
  • Keep your tokens secure. Treat them with the same care as your house keys or credit card: don’t leave tokens lying on your desk or plugged into an unattended PC

Do not reuse a password 

  • When changing an account password, avoid reusing a previous password. If the account was previously compromised (whether or not you knew about it), reusing a password could allow it to be compromised once again
  • Similarly, if a password was shared for some reason, reusing that password could allow someone unauthorized access to your account

Do not use the same password for multiple personal accounts

  • While using the same password for multiple accounts makes your passwords easier to remember, it also has a chain effect: an attacker who obtains the password from one system gains unauthorized access to all of them. This is particularly important for more sensitive accounts such as online banking, whose passwords should differ from those you use for instant messaging, webmail and other personal web-based accounts

Do not use the 'remember password' internet browser function 

  • Most internet browsers (for example Mozilla Firefox, Google Chrome and Internet Explorer) have a function that stores usernames and passwords and automatically fills in the credential fields the next time you visit. Anyone who can use the browser can then log in as you, which negates much of the value of the password
  • If a malicious user gains physical access to a computer with automatic logon configured, he or she can access the sites you use, potentially gaining access to sensitive information

Do not write your password down or store it insecurely 

In cases where it is necessary to write down a password, that password needs to be stored in a secure location and properly destroyed when no longer needed.

Password managers

  • You should use a separate password not just for your University account but for every site you are registered with. A separate password for each site limits the damage if the password for any individual site is compromised, but it quickly adds up to more passwords than anyone can remember
  • The secure solution is a password manager, which gives you access to your list of passwords with a single master password. The master password needs to be very strong

Note: using a password manager to store your passwords isn’t recommended unless the password manager leverages strong encryption and requires authentication prior to use.

  • When selecting a password manager, some of the key features you should look for include:
    • Support for multiple operating systems. For example, Windows, OS X, iOS, Android, etc.
    • Passwords are encrypted locally on your device before they are stored or synchronised, so the vault only ever leaves the device in encrypted form
    • Passwords can be synchronised across devices
    • Support for two-factor authentication, to make your password manager even more secure
  • Some of the more popular password managers (in no particular order) include:

Definitions


The following definitions apply to this document:

IT resources refers to any University owned or operated hardware or software and the data that is used or stored on it

Password Manager is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password which grants the user access to their entire password database

Strong password is defined as a password that is reasonably difficult to guess in a short period of time either through human guessing or the use of specialized software

Tokens are used to prove your identity electronically in addition to, or in place of, a password. The token acts like an electronic key to access something

Two Step Verification (2SV) (also known as 2 Factor Authentication or 2FA) is a security mechanism that requires two types of credentials for authentication. It provides an additional layer of validation so that a guessed or stolen password alone is not enough to gain access

Two Step Verification tokens – YubiKeys and the Google Authenticator application (run on mobile devices) are the tokens used at the University to provide two-step verification to a site, service or application

User means any individual member of the University community using IT resources

University means the University of Auckland and includes all subsidiaries

Document management and control


Owned by: CIO

Content Manager: Director ITSPP

Approved by: CIO

Date approved: 22 January 2016

Review date: 22 January 2018