Storage of system-generated passwords: If passwords or Personal Identification Numbers (PINs) are generated by a computer system, they must always be issued immediately after they are generated. Regardless of the form they take, passwords and PINs that are generated but not issued must never be stored on the involved computer systems.
Protection of password generation algorithms: If passwords or PINs are generated by a computer system, all software and files containing formulas, algorithms, and other specifics of the process must be controlled with the most stringent security measures supported by the involved computer systems.
Previous password history file: On all multi-user machines, system software or locally developed software must be used to maintain a protected history of previous fixed passwords. Entries in this history should be stored as salted one-way hashes rather than reversibly encrypted values, so that a copy of the file does not reveal old passwords. This history file must be employed to prevent users from reusing old passwords. The history file should minimally retain the last thirteen (13) passwords for each user-ID.
Displaying and printing of passwords: Displaying and printing of passwords must be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them.
Periodic forced password changes: All users should be automatically forced to change their passwords periodically; preferably every thirty (30) days for access to sensitive data and every ninety (90) days for access to other data.
Password change interval synchronization across platforms: Where a global sign-on is used, the fixed password change interval should be synchronized across all computer and network platforms at the University of Ottawa, so that a single credential does not expire on some systems and not others.
Assignment of expired passwords: The initial passwords issued by the account management administrator should be valid only for the involved user’s first on-line session. At that time, the user must be forced to choose another password before any other work can be done.
Limits on consecutive, unsuccessful attempts to enter a password: To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. For example, after ten (10) unsuccessful attempts to enter a password, the involved user-ID should be either:
- suspended until reset by a system administrator, or
- temporarily disabled for no less than three minutes
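An added example of the lockout rule just described (not code from the University of Ottawa): a small login gate that counts consecutive failures per user-ID and, on the tenth, either suspends the account until an administrator resets it or disables it for three minutes. The class and function names, the injectable clock and the in-memory state are assumptions for the example. One detail worth seeing in code is that while an account is locked the password is not evaluated at all, so the lock cannot be used as a guessing oracle, and the failure counter is cleared only by a successful login or an administrator reset.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILURES = 10           # consecutive bad attempts tolerated (policy figure)
TEMP_LOCK_SECONDS = 3 * 60  # minimum temporary disable period (policy figure)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None  # epoch seconds; None when not temporarily locked
    suspended: bool = False               # requires administrator reset


class LockoutPolicy:
    """Login gate implementing the two lockout options above (assumed design)."""

    def __init__(self, verify: Callable[[str, str], bool], mode: str = "temporary",
                 clock: Callable[[], float] = time.time) -> None:
        if mode not in ("temporary", "suspend"):
            raise ValueError("mode must be 'temporary' or 'suspend'")
        self._verify = verify    # checks a (user_id, password) pair against the credential store
        self._mode = mode
        self._clock = clock      # injectable so the lock period can be tested without sleeping
        self._state: Dict[str, AccountState] = {}

    def state(self, user_id: str) -> AccountState:
        return self._state.setdefault(user_id, AccountState())

    def attempt(self, user_id: str, password: str) -> str:
        """Return 'ok', 'bad_password', 'locked' or 'suspended'."""
        st = self.state(user_id)
        if st.suspended:
            return "suspended"
        if st.locked_until is not None:
            if self._clock() < st.locked_until:
                # Refuse without checking the password: a correct guess must not
                # be confirmed during the lock period.
                return "locked"
            # Lock has expired; the user gets a fresh allowance of attempts.
            st.locked_until = None
            st.failures = 0
        if self._verify(user_id, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            if self._mode == "suspend":
                st.suspended = True
                return "suspended"
            st.locked_until = self._clock() + TEMP_LOCK_SECONDS
            return "locked"
        return "bad_password"

    def admin_reset(self, user_id: str) -> None:
        """Administrator action that clears a suspension or lock and the failure count."""
        self._state[user_id] = AccountState()


if __name__ == "__main__":
    # Constructed credential check for demonstration only.
    gate = LockoutPolicy(lambda u, p: (u, p) == ("alice", "correct horse"))
    for _ in range(MAX_FAILURES):
        print(gate.attempt("alice", "wrong"))
    print(gate.attempt("alice", "correct horse"))  # still locked
```

The three-minute figure is a floor; many deployments lengthen the lock on each successive lockout or combine the per-account counter with a per-source-address limit so that a guesser cannot simply cycle through many user-IDs.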
Single/Global sign-on process: Users must be asked for only one user-ID and password combination at the time they reach the network and/or destination computer system. User identity related information should then be passed (transparent to the user) to other computers, database management systems, services and applications.
All workstations must have password-based boot protection: All workstations used for University of Ottawa business activity, no matter where they are located, should use an access control system approved by Information Technology. In most cases this will involve a fixed password required at boot, together with a password-protected screen saver that locks the session after a period of no activity.
Passwords never in readable form outside workstations: Fixed passwords must never exist in readable (cleartext) form outside a personal computer or workstation.
Protection of passwords sent through the mail: If sent by regular mail or similar physical distribution systems, passwords must be sent separately from user-IDs. These mailings must have no markings indicating the nature of the enclosure. Passwords must also be concealed inside an opaque envelope that will readily reveal tampering.
Storage of passwords in readable form: Passwords must not be stored in readable form in batch files, automatic login scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorized persons might discover or use them.
Encryption of passwords: Passwords must always be encrypted when held in storage for any significant period of time or when transmitted over networks. This will prevent them from being disclosed to wire-tappers, technical staff who read system logs, and other unauthorized parties. For stored verification data, a salted one-way hash rather than reversible encryption is the appropriate form, since the system only needs to check a password, never to recover it.
Changing vendor default passwords: All vendor-supplied default passwords must be changed before any computer or communications system is used at the University of Ottawa.