UL-IT-SXXX-Password-Authentication-Standard

Purpose

The purpose of this document is to provide a set of minimum security standards governing the use of passwords and authentication for access to University of Louisiana at Lafayette (UL Lafayette) Information Technology (IT) systems. Authentication of the users and applications that access or process data is a fundamental requirement of information security, needed to ensure the confidentiality and integrity of that data. This document sets minimum standards for passwords and authentication for the users and systems that make up UL Lafayette IT resources.

 

Scope

This document provides guidance for systems and applications that use a username and password for authentication and authorization. For many systems these settings are customizable and must be configured before the system goes into production or stores institutional information. Systems that use the ULID for authentication can assume these requirements are met as part of the service provided. These standards apply to all accounts.

 

Definitions

  1. Account Types
    1. User Accounts: Accounts under the control of a specific individual and are not accessible to others. These are user-interactive accounts.
    2. Shared Accounts: An account that can be accessed by multiple individuals to allow them to appear as a single business entity or accomplish a single shared function. These are user-interactive accounts.
    3. Privileged Accounts: A qualifier used to describe User Accounts and Shared Accounts that have elevated access to configure or significantly change the behavior of a computing system, device, application, or other aspect of systems. These accounts should be considered highly sensitive. These are user-interactive accounts.
    4. Service Accounts: Accounts that are intended for automated processes such as running batch jobs or applications or establishing connections between web, application, and database servers, or external applications or services. To be considered a service account, the account must not be primarily used for general login to systems by users.
  2. Hardware token: A security token is a peripheral device used to gain access to a computer, network, or service. The token is used in addition to or in place of a password.
  3. Multi-factor authentication (MFA): Using two or more factors to validate the identity of a user.
  4. One Time Password (OTP): A password that is valid for a single login session or transaction.
  5. Passphrase: A sequence of words that is used to confirm a person’s identity to allow access to a computer, network, or service. Similar to a password but generally longer for added security.
  6. Password: A string of characters that is used to confirm a person’s identity to allow access to a computer, network, or service.
  7. ULID: An acronym for University Login Identification which is a unique identifier that is assigned to all faculty, staff, and students. The ULID functions as a person’s identity for all campus systems.

 

Standards

Individuals must have a unique identifier[DS1][MED2] (e.g., ULID) and a password for each University-associated account. Do not reuse a password across multiple University accounts.

All UL Lafayette-owned electronic devices that access restricted/confidential University data must have password protection enabled.

Responsibility of Users regarding Passwords:

A.     Users are responsible for keeping passwords and all other types of authentication methods secure and confidential, including not sharing or storing passwords in an insecure manner. Passwords should not be written down and/or left in an easily accessible location.

B.      Passwords are confidential University information and must never be stored electronically unless encrypted with an approved algorithm using a key of at least 256 bits (for example, AES-256); a password manager that encrypts its vault in this way satisfies this requirement.

C.      All passwords must be changed at first issuance or use.

D.     Passwords for individual accounts must not be shared with anyone, including IT support professionals. If anyone asks a user for their password, the user must report the request to IT Security as a security incident.

E.      For any shared account password, whenever a person with knowledge of the password moves to a role in which they no longer need it (e.g., leaves the University or changes positions), the password must be changed.[DS3][MED4]

F.      ULID passwords must be unique. Users must never use their ULID password for any third-party system, even one used for UL IT business purposes, and must never use the same password for privileged and non-privileged accounts.

G.     Users must not store passwords with applications or use the “remember password” functions built into web browsers. Using a third-party password manager is highly encouraged to create strong passwords and store them securely. (Contact UL ServiceDesk for a list of currently recommended password managers.)

H.     Always log out of applications or lock computers when leaving a computer to prevent unauthorized use.

I.        Users must not attempt to circumvent UL IT established authentication processes.

J.       Users must follow UL IT standards for authentication and password specifications.

 

Shared and Service Accounts[DS5][MED6] (including those with Privileged Access)

The use of these accounts carries a higher level of risk than individual accounts.

This section is focused on Shared and Service Accounts for UL Lafayette IT Systems and Services including Administrative accounts that have access to all workstations and servers within a domain. Local administrative accounts requirements and standards are covered by UL-IT-SXXX-Account-Standards.

All Shared and Service Accounts must leverage a secure password vault for password and digital identity management.

The current UL Lafayette standard for managing Shared and Service Accounts and their associated passwords is Password Manager Pro (PMP). All Shared and Service Accounts must use PMP. PMP enforces Multi-Factor Authentication.

Shared and Service Accounts must be separate and use a different password from general user accounts. Shared and Service Accounts passwords must meet, and where possible, exceed the minimum password requirements. Shared and Service Accounts passwords must not be coded into programs or stored on disk without approved encryption.

Vendor-supplied default passwords must be changed immediately upon initial configuration of the system and must meet the password requirements noted above. Where the capability exists, limit interactive login for these accounts (e.g., prohibit console/terminal access, configure a restricted shell, enforce network access restrictions). Shared Account passwords must be changed at least annually and upon any personnel change in the group that manages the account or has access to the password. Service Account passwords do not expire on a schedule, but must be changed if the account is transferred to a new owner, if the password has been disclosed to an unauthorized person, or if there is any indication that the account may have been compromised.

 

Multi-Factor Authentication

The University has adopted multi-factor authentication (MFA) as a standard protection against unauthorized access. MFA is a security process in which users must provide at least two different authentication factors to verify their identity before accessing their accounts. This better protects a user's personal information, credentials, and other assets, and strengthens the security of the resources the user can reach. The second factor can be an office phone, mobile phone, hardware token, or a supported authenticator app. Multiple authentication methods can be added to a single account.

A.     All individuals are required to engage in one additional step beyond the normal login process to access campus resources and the campus network. Individuals are required to register a second approved device.

B.      MFA is required on all new accounts created. Previously set up accounts will be migrated to MFA over the course of FY23 and FY24.

C.      MFA is required for all externally-exposed enterprise or third-party applications, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this safeguard.

D.     MFA is required for remote network access.

E.      MFA is required for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.

F.      Responsibilities:

o   It is the user’s responsibility to promptly report compromised credentials to the Service Desk.

o   It is the user’s responsibility to promptly report a lost or stolen MFA device to the Service Desk.

Using MFA as a standard secondary factor authentication:

A.     When authenticating with MFA, all users must supply the one-time password (OTP) generated by their approved hardware token (fob), smartphone authenticator app, SMS text message, or phone-call code as the second factor, in addition to their campus credentials (e.g., ULID and password).

B.      Only approved and registered hardware tokens (fob) or smartphones registered with the approved MFA app may be used for OTP generation. 

C.      If using a smartphone app, users must notify the UL IT Service Desk when they change their smartphone device, even if they keep the same phone number. UL IT Service Desk will assist users with the process of registering their new smartphone device. 

D.     Lost, stolen, or damaged University-owned devices must be reported immediately to the UL IT Service Desk (ithelp@louisiana.edu).

E.      Devices must be properly secured and must not be shared.

F.      Users are expected not to leave their OTP devices unattended in a public place. 

G.     Users should not mark their hardware fobs or smartphones with any identifying information such as name, ULID, password, or any reference to the UL IT systems. 
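The OTP codes referred to above (hardware fob, authenticator app) are, in practice, time-based one-time passwords as specified in RFC 6238, built on the HOTP algorithm of RFC 4226. The block below is an added example, not code from this standard or from any UL IT system, showing both the token/app side (code generation) and a server-side check that tolerates one 30-second step of clock skew and refuses a replayed code, which is what makes the password "one time" in the Definitions sense. The secret is the RFC reference test key and the timestamps are constructed values; a real token is provisioned with a random per-user secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 4226 / RFC 6238 reference test key.
# Real tokens and apps are provisioned with a random per-user secret; this
# value is only for demonstration and is not a UL Lafayette secret.
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRET_B32 = base64.b32encode(DEMO_SECRET).decode()  # form carried in a provisioning QR code

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step). This is the token side."""
    return hotp(secret, at_time // step, digits)


class OtpVerifier:
    """Server side: checks a submitted code and refuses reuse of an already-consumed time step."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # accept +/- this many steps of clock skew
        self.last_counter_used = -1   # highest counter value already accepted

    def verify(self, submitted: str, at_time: int) -> bool:
        counter_now = at_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            counter = counter_now + delta
            if counter <= self.last_counter_used:
                continue  # this step (or an earlier one) was already used: one-time means one time
            expected = hotp(self.secret, counter)
            # constant-time comparison so response timing does not leak matching digits
            if hmac.compare_digest(expected, submitted):
                self.last_counter_used = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed timestamp: 59 seconds after the Unix epoch, i.e. time step 1.
    code = totp(DEMO_SECRET, 59)
    server = OtpVerifier(DEMO_SECRET)
    print("token shows:", code)
    print("first use accepted:", server.verify(code, 59))
    print("replay accepted:", server.verify(code, 59))
```

The replay guard is the part most home-grown verifiers omit: without `last_counter_used`, a code phished or shoulder-surfed inside its 30-second window (plus the skew window) can be submitted twice, which defeats the "single login session or transaction" property the Definitions section assigns to an OTP.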

[MED7] [CB8] [MED9] 

Password Management

Recommendations for password management can be found in Section 6.1.2 of the Comprehensive Information Security Program (link below). The following is an excerpt from the document regarding password recommendations:

Recommendations for implementation and management of passwords or passphrases are:

·         Password lifetime should be restricted.

·         Users should create passwords that are not dictionary words or names.

·         Users should create passwords using a mix of alphabetic, numeric, and special characters.[MED10] 

·         Users should create longer passwords, which tend to be more secure.

·         Many operating systems can be configured to lock a user ID after a set number of failed login attempts. This helps to prevent guessing of passwords.

Creating a good passphrase is one of the most important things that can be done to preserve the privacy of computer data and email messages. A passphrase should be:

·         Known only to the creator

·         Long enough to be secure

·         Hard to guess, even by someone who knows the user well

·         Easy to remember and easy to type accurately.
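Two of the recommendations in the excerpt above are directly enforceable in software: screening a new password against a dictionary and name list, and locking an account after a set number of failed login attempts. The block below is an added example, not code from this standard, from the Comprehensive Information Security Program, or from any UL IT system. The thresholds, the blocklist, the stored account and the clock are constructed assumptions. The blocklist screen is also the part of the excerpt that current NIST SP 800-63B guidance still recommends, alongside length; the composition-class rule is shown because the excerpt lists it, not as an endorsement.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

# Constructed policy values (assumptions, not figures from the UL standard).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
# Constructed stand-in for a real dictionary / name list; production use would
# load a large word list and a breached-password list instead.
BLOCKLIST = {"password", "louisiana", "lafayette", "welcome", "summer", "qwerty"}


def password_problems(candidate: str, username: str) -> list[str]:
    """Return the policy violations for a proposed password (empty list means acceptable)."""
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(pattern, candidate)) for pattern in classes) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    lowered = candidate.lower()
    if username.lower() in lowered:
        problems.append("contains the username")
    hits = sorted(word for word in BLOCKLIST if word in lowered)
    if hits:
        problems.append("contains blocked word(s): " + ", ".join(hits))
    return problems


# --- constructed credential store: salted PBKDF2 hashes, never plaintext -----------

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


@dataclass
class AccountState:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Tracks failed attempts per account and locks the account after MAX_FAILED_ATTEMPTS."""

    def __init__(self, now=time.time):
        self._now = now               # injectable clock so the lockout expiry can be tested
        self._accounts: dict[str, AccountState] = {}

    def register(self, username: str, password: str) -> None:
        problems = password_problems(password, username)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        self._accounts[username] = AccountState(salt, digest)

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. Unknown users get 'denied' to avoid enumeration."""
        state = self._accounts.get(username)
        if state is None:
            return "denied"
        now = self._now()
        if now < state.locked_until:
            return "locked"               # do not even check the password while locked
        _, digest = hash_password(password, state.salt)
        if hmac.compare_digest(digest, state.digest):
            state.failed_attempts = 0     # success clears the counter
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failed_attempts = 0
            return "locked"
        return "denied"

    def locked_until(self, username: str) -> float:
        return self._accounts[username].locked_until
```

Two design points worth noting: the guard refuses to evaluate the password at all while an account is locked, so an attacker cannot keep testing guesses against a locked account, and a correct password submitted during the lockout still returns `locked`, which is what the excerpt's "lock a user ID" wording implies.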

 

Roles And Responsibilities Regarding Enforcement

Each University department/unit is responsible for implementing, reviewing, and monitoring internal policies, practices, etc. to assure compliance with this standard.

The Office of the Chief Information Officer is responsible for enforcing this standard.

Non-Compliance And Exceptions

Non-compliance with these standards may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment, or, in the cases where students are involved, reporting of a Student Code of Conduct violation.

Any device that does not meet the minimum-security requirements outlined in this standard may be removed from the UL IT network, disabled, etc. as appropriate until the device can comply with this standard.

It is recognized that software applications offer many varied capabilities with respect to authentication, authorization, role-based access control, password complexity, account management, and auditing of these components. Many examples of software exist that will not be able to conform to some aspect of the prescribed standards.

Despite these deficiencies, such software may be necessary for performing critical functions for the University. Reasonable efforts should be made to improve the security posture of such software by enhancing system configurations over time, engaging with vendors, and developing auditing capabilities where possible and feasible. Administrators are encouraged to contact the UL Lafayette IT Security Office (ITSO) for evaluation of systems, applications, or accounts that lack the technical capability to meet the requirements in this standard; the ITSO will offer guidance for selecting the best and most secure configuration within the limitations of the given system.

Exceptions to this standard may be submitted in writing to the UL Lafayette IT Security Officer, who will assess the risk and make a recommendation to the UL Lafayette Chief Information Officer. Written approval must be obtained from UL IT before any exception is used. Exceptions must be reviewed for reauthorization at least annually.

Applicable UL Lafayette IT Policies:

Comprehensive Information Security Program:

http://helpdesk.louisiana.edu/sites/helpdesk/files/UL%20Lafayette%20Comprehensive%20Information%20Security%20Program%20-%202014.pdf

 

Related UL Lafayette IT Policies And/Or Standards:

RESPONSIBLE OFFICE: Information Technology

APPROVAL AUTHORITY: Gene Fields, Chief Information Officer

STANDARDS MANAGER: ???

CONTACT: ???

EFFECTIVE DATE: 07/01/2023

NEXT SCHEDULED REVIEW: January 2025

REVISION HISTORY:

Date         Change Description
3/22/2023    Matthew E Delcambre (Initial Draft Submitted)

 


[DS1] Is this something that needs to be defined in "Definitions"?

[MED2] I would assume this is self-explanatory?

[DS3] Accepted process to ensure change?

[MED4] Should be if not.

[DS5] From the Definitions section, "Privileged Accounts" is a qualifier, not a specific account type. Using it here seems confusing.

[MED6] Good catch. I will need to reword.

[MED7] We need to determine if we should highlight this or not within this document.

[CB8] I think we should remove this section.

[MED9] Agreed. Thanks Charles.

[MED10] These recommendations are outdated and the current NIST approach is 180 degrees from this recommendation.

Details

Article ID: 20096
Created
Wed 4/2/25 5:11 PM
Modified
Wed 4/2/25 5:11 PM