Password and Two Step Verification Token Management Guidelines
These guidelines apply to all users, whether at the University or elsewhere, and refer to all IT resources that require password access or access with the use of tokens through Two Step Verification.
The purpose of these guidelines is to help IT users create strong passwords and securely manage their passwords and Two Step Verification tokens, in order to support the security of information at the University.
These guidelines should be read in conjunction with the Two Step Verification Standard and the Systems and Applications Authentication Standard.
Passwords - the basics
The following guidelines set the minimum recommended requirements for passwords on any IT resource:
- Unique initial passwords will be provided in a secure and confidential manner
- Initial passwords that are not set by the user should be changed upon their first logon
- IT users should choose passwords that are difficult to guess and change passwords at least every 6 months
- Passwords should have a minimum of 9 characters
- Passwords should not be based on:
  - a name
  - a single dictionary word
  - a previous password
  - any obvious personal information such as user ID, family name, pet, birthday, etc.
- Passwords should not contain more than 2 repetitive characters (e.g. mmmmm236, abcd1111)
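The minimum requirements above can be checked mechanically at password-change time. The following is an added example (not part of the University's guidelines or any University system) that implements the length, dictionary-word, previous-password, personal-information and repeated-character rules exactly as listed; the dictionary and personal details it uses are constructed sample data standing in for the word list and user record a real deployment would consult.

```python
# Minimum recommended requirements taken from the guidelines above.
MIN_LENGTH = 9
MAX_RUN = 2  # no more than 2 of the same character in a row (mmmmm236, abcd1111 fail)

# Constructed sample dictionary; a real checker would load a full word list.
SAMPLE_DICTIONARY = {"password", "vanilla", "chocolate", "university"}


def longest_run(password: str) -> int:
    """Length of the longest run of one repeated character, e.g. mmmmm236 -> 5."""
    if not password:
        return 0
    longest = run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def check_password(password, *, user_id="", family_name="", previous=(),
                   dictionary=SAMPLE_DICTIONARY):
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in dictionary:
        problems.append("is a single dictionary word")
    if any(lowered == p.lower() for p in previous):
        problems.append("reuses a previous password")
    # "Obvious personal information": the user ID and family name are the two
    # values an identity system can check automatically (hypothetical inputs).
    for label, value in (("user ID", user_id), ("family name", family_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    if longest_run(password) > MAX_RUN:
        problems.append(f"contains more than {MAX_RUN} repeated characters in a row")
    return problems


if __name__ == "__main__":
    for candidate in ("mmmmm236", "abcd1111", "llctsrgry", "university"):
        print(candidate, "->", check_password(candidate) or "OK")
```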
Creating strong passwords
The following points are suggestions for how to create strong passwords:
- Longer passwords are better passwords: the more characters a password cracking program has to crunch, the harder the password is to guess
- Remove all the vowels from a short phrase in order to create a "word", e.g. llctsrgry ("All cats are grey")
- Use an acronym: take the first (or second) letter of each word of your favourite quotation, e.g. itsotfitd ("It's the size of the fight in the dog")
- Mix letters and non-letters in your passwords. Non-letters include numbers and all punctuation characters on the keyboard
- Transform a phrase by using numbers or punctuation, e.g. Idh82go (I'd hate to go), UR1drful (you are wonderful)
- Avoid choosing a password that spells a word, but, if you must, then:
  - introduce "silent" characters into the word, e.g. va7ni9lla
  - deliberately misspell the word or phrase, e.g. choklutt
  - choose a word that is not comprised of smaller words
- Add random capitalization to your passwords:
  - capitalize any but the first letter, e.g. eIeIoH!, o.U.Kid
Maintaining a strong password
Here are several recommendations for maintaining a strong password:
- Don’t share your password with anyone for any reason
- Don’t reuse a password
- Don’t use the same password for multiple accounts
- Don’t use the 'remember password' internet browser function
- Don’t write your password down or store it in an insecure manner
Do not share your password with anyone for any reason
- Passwords should not be shared with anyone
- In situations where someone requires access to another individual’s protected resources, delegation of permission options should be explored. For example, Oracle Calendar will allow a user to delegate control of his or her calendar to another user without sharing any passwords. This type of solution is encouraged
- Passwords should not be shared even for the purpose of computer repair
Do not share your two step verification token
- Two step verification tokens need to be activated before you can use them and part of this process is to link the token to your individual record. This means that while it is linked to your record no one else can use the token to log into an application with their credentials. The token is solely for your use and as with your password you should not give your token to another person to use on your behalf
- Keep your tokens secure. This means you would use the same discretion on their availability as you would your house keys or credit card. Don’t leave tokens openly available on your desk, or plugged into your PC
Do not reuse a password
- When changing an account password, you should avoid reusing a previous password. If a user account was previously compromised (knowingly or unknowingly), reusing a password could allow that account to be compromised once again
- Similarly, if a password was shared for some reason, reusing that password could allow someone unauthorized access to your account
Do not use the same password for multiple personal accounts
- While using the same password for multiple accounts makes it easier to remember your passwords, it can also have a chain effect allowing an attacker to gain unauthorized access to multiple systems. This is particularly important when dealing with more sensitive accounts such as your online banking account. These passwords should differ from the password you use for instant messaging, webmail and other personal web-based accounts
Do not use the 'remember password' internet browser function
- Most internet browsers (for example Mozilla Firefox, Google Chrome and Internet Explorer) have a function that allows the browser to store usernames and passwords which are used to automatically fill in the credential fields the next time you visit. This logon functionality negates much of the value of using a password
- If a malicious user is able to gain physical access to your computer that has automatic logon configured, he or she will be able to access sites that you use, potentially gaining access to sensitive information
Do not write your password down or store it insecurely
In cases where it is necessary to write down a password, that password needs to be stored in a secure location and properly destroyed when no longer needed.
- You should use a separate password not just for your University account, but for every site that you are registered with. Having a separate password for each site means that you reduce your overall risk if the password for any individual site is compromised. This can however quickly add up to a lot of passwords, too many to remember
- The secure solution to managing your passwords is to use a password manager which will allow you to access your list of passwords with a master password. The master password needs to be very strong
Note: using a password manager to store your passwords isn’t recommended unless the password manager leverages strong encryption and requires authentication prior to use.
- When selecting a password manager, some of the key features you should look for include:
- Support for multiple operating systems. For example, Windows, OS X, iOS, Android, etc.
- Passwords are encrypted locally on your device (not in the cloud)
- Passwords can be synchronised across devices
- Support for two-factor authentication, to make your password manager even more secure
- Some of the more popular password managers (in no particular order) include:
The following definitions apply to this document:
IT resources refers to any University owned or operated hardware or software and the data that is used or stored on it.
Password Manager is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password which grants the user access to their entire password database.
Strong password is defined as a password that is reasonably difficult to guess in a short period of time either through human guessing or the use of specialized software.
Tokens are used to prove your identity electronically in addition to, or in place of, a password. The token acts like an electronic key to access something.
Two Step Verification (2SV) (also known as 2 Factor Authentication or 2FA) is a security mechanism that requires two types of credentials for authentication and is designed to provide an additional layer of validation, minimising security breaches.
Two Step Verification tokens – YubiKeys and the Google Authenticator application (run on mobile devices) are the tokens used at the University to provide two-step verification to a site, service or application.
User means any individual member of the University community using IT resources.
University means the University of Auckland and includes all subsidiaries.
Key relevant documents
Include the following:
Document management and control
Owned by: Chief Digital Officer (CDO)
Content manager: Director ITSPP
Approved by: Chief Digital Officer (CDO)
Date approved: 22 January 2016
Review date: 22 January 2018