Passwords are a critical aspect of computer security forming the front line of protection for user accounts. A poorly chosen password can result in the compromise of Marquette University's entire network. As such, all Marquette University students and employees (including contractors and vendors with access to Marquette University systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.
The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.
The scope of this policy includes all users who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Marquette University facility, has access to the Marquette University network, or stores any non-public Marquette University information.
Under no circumstances should a user divulge their password to another person.
- All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a semi-annual basis.
- All production system-level passwords must be part of the IT Services administered global password management database.
- All user-level passwords (e.g., email, web, desktop computer, etc.) must
- Maximum password age of 180 days
- Exhibit complexity by
- Not contain all or part of the user's account name
- Contain characters from three of the following four categories:
- Uppercase characters (A through Z)
- Lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Non-alphabetic characters (for example, !, $, #, %)
- Maintain a password history of 12 passwords and not allow reuse
- Must be a minimum of 8 characters
- Be locked out if more than 5 unsuccessful attempted logons
- PeopleSoft and Oracle E-Business suite will have automatic log-offs after a predetermined period of inactivity; username and password will be required for re-authentication.
- User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
- Username and password combinations must not be inserted into email messages or other forms of electronic communication unless the message is encrypted.
- Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
- All temporary passwords must be changed at first logon.
- If an account or password is suspected to have been compromised, report the incident to IT Services and immediately change all of the associated passwords.
- Automated password guessing may be performed on a periodic or random basis by IT Services Management or its delegates. If a password is guessed during one of these scans, the user will be required to change it.
4.2. Application Development Standards
- Application developers must ensure their programs contain the following security precautions. Applications:
- should support authentication of individual users, not groups.
- should not store passwords in clear text or in any easily reversible form.
- should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
- should support TACACS+ , RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
4.3. Use of Passwords and Passphrases for Remote Access Users
Access to the Marquette University Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Application Administration Account
Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).