State of Alaska DRAFT Security Policies

Password Management Category

Each policy below is given as four fields: Policy ID No., Policy, Policy Text, and Policy Commentary.
Policy ID No.: 1.0
Policy: Minimum Password Length
Policy Text: The length of passwords must always be checked automatically at the time that users construct or select them. All passwords must have at least eight (8) characters.
Policy Commentary: In many systems, passwords are the first and only line of defense. Guessing passwords is a popular and often successful attack method by which unauthorized persons gain system access. For example, Dr. Thomas Longstaff of the CERT at Carnegie-Mellon University wrote in the February 1993 issue of Computers & Security: "Simple password guessing is still the most prevalent and effective method of system penetration" (page 76). Context-sensitive guessing is used in addition to automated methods like so-called "password crackers." Passwords with only a few characters are much easier to guess than passwords with at least six characters. Eight is considered by many experts to be a minimum password length for general-purpose commercial systems. The policy is applicable to user-chosen passwords as well as system-generated passwords. On most platforms, operating system software or linked access control security software can be used to automatically enforce this policy. Also see the policy entitled "Difficult-to-Guess Passwords Required."
Policy ID No.: 2.0
Policy: Difficult-to-Guess Passwords Required
Policy Text: All user-chosen passwords for computers and networks must be difficult to guess. Words in a dictionary, derivatives of user-IDs, and common character sequences such as "12345678" must not be employed. Likewise, personal details such as spouse's name, license plate, social security number, and birthday must not be used unless accompanied by additional unrelated characters. User-chosen passwords must also not be any part of speech. For example, proper names, geographical locations, common acronyms, and slang must not be employed.
Policy Commentary: The most frequently encountered problem with security systems is human error, and choosing an easily-guessed password is one of the most common security-related mistakes. This policy puts users on notice that they must choose passwords which are difficult for unauthorized parties to guess. Ideally, this policy should be enforced automatically by the system managing password changes, and the enforcement software should be invoked at the time users choose new passwords. This policy and the related control measures are particularly important if users are employing the same password on multiple systems (for instance on so-called "single sign-on systems"). If a single sign-on password is guessed, an intruder then gains access to many systems, whereas access to only one system would be obtained if a single sign-on system were not employed.

Suggestions for constructing a difficult-to-guess yet easy-to-remember password: (a) string several words together (these passwords are also known as "passphrases"); (b) shift a word up, down, left or right one row on the keyboard; (c) bump characters in a word a certain number of letters up or down the alphabet; (d) transform a regular word according to a specific method, such as making every other letter a number reflecting its position in the word; (e) combine punctuation or numbers with a regular word; (f) create acronyms from words in a song, a poem, or another known sequence of words; (g) deliberately misspell a word, but not a common misspelling; or (h) combine a number of personal facts like birth dates and favorite colors. Also see the policies entitled "Passwords Must Contain Both Alphabetic and Non-Alphabetic Characters," "Cyclical Passwords Prohibited," and "Suspected Disclosure Forces Password Changes."
Policy ID No.: 3.0
Policy: Cyclical Passwords Prohibited
Policy Text: Users are prohibited from constructing passwords made up of a certain number of characters that do not change combined with a certain number of characters which predictably change. In these prohibited passwords, characters which change are typically based on the month, a department, a project, or some other easily-guessed factor. For example, users must not employ passwords like "XXX34JAN" in January, "XXX34FEB" in February, etc.
Policy Commentary: This policy is intended to prevent the circumvention of facilities in operating systems and access control systems that prevent the selection of previously-used passwords. So-called "cyclical passwords" are employed by many users as a way to defeat these security systems. Cyclical passwords allow users to continue to employ the same basic password, varying only a part of the password so as to satisfy an automated process which compares the old and new passwords to make sure that previous passwords are not reused. This security-eroding approach is particularly prevalent among users who must log into many different machines. While single-sign-on systems may make the log-in process easier for these users, if the users employ cyclical passwords, the security of the network and connected systems will be reduced (perhaps becoming lower than before the deployment of the single-sign-on system). Also see the policy entitled "Difficult-to-Guess Passwords Required."
Policy ID No.: 4.0
Policy: Passwords Must Contain Both Alphabetic and Non-Alphabetic Characters
Policy Text: All user-chosen passwords must contain at least one alphabetic and one non-alphabetic character. Non-alphabetic characters include numbers (0-9) and punctuation. The use of control characters and other non-printing characters is discouraged because they may inadvertently cause network transmission problems or unintentionally invoke certain system utilities.
Policy Commentary: The intention of this policy is to put users on notice that they must take specific steps to make their passwords difficult for unauthorized parties and system penetration software to guess. There are a number of specific steps that users can be told to perform (it is desirable that password change software enforces these rules). These include the use of upper and lower case in the same password. Be sure to check systems documentation before writing this policy, since some systems have rigid restrictions about the type of characters permitted. See the policies entitled "Difficult-to-Guess Passwords Required" and "Minimum Password Length."
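Policies 1.0 through 4.0 all say the checks should be enforced automatically by the software that manages password changes. The following is an added example of such a checker, not code from the State of Alaska or from this policy document. It assumes a small constructed wordlist standing in for a real dictionary, a threshold of half the password shared with the previous password as the test for a "cyclical" variant, and four characters as the amount of "additional unrelated characters" required around a personal detail; the thresholds and the names `PasswordContext` and `check_password` are this example's own choices, not values from the policy.

```python
"""Password-composition checker for policies 1.0 through 4.0 (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_LENGTH = 8                    # policy 1.0: at least eight (8) characters
CYCLICAL_SHARED_FRACTION = 0.5    # assumption: this much shared text marks a cyclical variant
MIN_UNRELATED_AFTER_DETAIL = 4    # assumption: "additional unrelated characters" around a detail

# Constructed stand-in for a real dictionary or cracker wordlist (assumption: a deployment
# would load a full wordlist here instead of this handful of sample entries).
SAMPLE_DICTIONARY = frozenset({
    "password", "alaska", "juneau", "anchorage", "welcome", "summer", "nasa", "moose",
})
COMMON_SEQUENCES = ("12345678", "abcdefgh", "qwertyui", "11111111", "00000000")


@dataclass
class PasswordContext:
    """What the change-password routine knows about the user when a new password is offered."""
    user_id: str
    previous_password: Optional[str] = None
    personal_details: List[str] = field(default_factory=list)  # e.g. pet name, birth year


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters shared by a and b (dynamic programming)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_password(password: str, ctx: PasswordContext) -> List[str]:
    """Return the policy violations for a candidate password; an empty list means it is acceptable."""
    violations: List[str] = []
    pw = password.lower()

    # 1.0 Minimum Password Length
    if len(password) < MIN_LENGTH:
        violations.append("1.0 shorter than eight characters")

    # 2.0 Difficult-to-Guess: dictionary words, user-ID derivatives, common sequences,
    # and personal details that are not padded with enough unrelated characters.
    if pw in SAMPLE_DICTIONARY:
        violations.append("2.0 dictionary word")
    uid = ctx.user_id.lower()
    if uid and (uid in pw or uid[::-1] in pw):
        violations.append("2.0 derived from user-ID")
    if any(seq in pw for seq in COMMON_SEQUENCES):
        violations.append("2.0 common character sequence")
    for detail in ctx.personal_details:
        d = detail.lower()
        if d and d in pw and len(pw) - len(d) < MIN_UNRELATED_AFTER_DETAIL:
            violations.append("2.0 personal detail without enough unrelated characters")
            break

    # 3.0 Cyclical Passwords: a long unchanged stem shared with the previous password
    # ("XXX34JAN" -> "XXX34FEB") defeats simple old-vs-new comparison, so compare substrings.
    if ctx.previous_password:
        shared = longest_common_substring(pw, ctx.previous_password.lower())
        if shared >= CYCLICAL_SHARED_FRACTION * len(pw):
            violations.append("3.0 cyclical variant of previous password")

    # 4.0 Both alphabetic and non-alphabetic characters; control characters are refused outright.
    if not any(c.isalpha() for c in password) or not any(not c.isalpha() for c in password):
        violations.append("4.0 needs both alphabetic and non-alphabetic characters")
    if any(not c.isprintable() for c in password):
        violations.append("4.0 contains control or non-printing characters")

    return violations


if __name__ == "__main__":
    ctx = PasswordContext("jsmith", previous_password="XXX34FEB", personal_details=["Rover", "1985"])
    for candidate in ("XXX34JAN", "password", "Rover85", "Glacier7*Trail"):
        print(candidate, "->", check_password(candidate, ctx) or "acceptable")
```

The checker reports every rule a candidate breaks rather than stopping at the first one, which is what a user-facing change-password dialog needs in order to explain the rejection. The substring comparison for 3.0 is deliberately run on the lower-cased strings so that changing letter case alone does not count as a new password.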
Policy ID No.: 5.0
Policy: Display and Printing of Passwords
Policy Text: The display and printing of passwords must be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them.
Policy Commentary: The intention behind this policy is to prevent passwords from falling into the hands of unauthorized parties. This policy supports two secure systems design principles: (1) each user should have a unique password and user-ID, and (2) each user should have a password known only to that user. Specifically, whenever a user types a password into a system, the password should not be displayed on a monitor. If a password were to be displayed, persons nearby could "shoulder-surf" (look over the shoulder of the user) to obtain the password. Likewise, persons doing "dumpster-diving" (going through the trash) could recover printed passwords.
Policy ID No.: 6.0
Policy: Assignment of Initial Password
Policy Text: The initial password issued by a security administrator must be valid only for the involved user's first on-line session. At that time, the user must be forced to choose another password before any other work can be done.
Policy Commentary: The intent of this policy is to make sure that only the involved end-user knows their own password. This will in turn allow system activity logged with a corresponding personal user-ID to be uniquely attributable to a certain user. The type of initial password in the policy is sometimes called an "expired password" or a "temporary password" in that it is valid for only one on-line session. Both administrators and end-users must change default or initial passwords before they do any work on the system. This policy assumes group user-IDs are not employed and also that users are permitted to choose their own passwords (no forced system-generated passwords). Also see the policies entitled "Difficult-to-Guess Passwords Required" and "Changing Vendor Default Passwords."
Policy ID No.: 7.0
Policy: Limit on Consecutive Unsuccessful Attempts to Enter a Password
Policy Text: To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. After no more than six unsuccessful attempts to enter a password, the involved user-ID must be either: (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than three minutes, or (c) if dial-up or other external network connections are involved, disconnected.
Policy Commentary: One of the most frequently successful attack methods for gaining system access is simple password guessing. Besides simple context-sensitive guessing (knowing a bit about the user and the circumstances), attackers can use password cracker programs to exhaustively go through words in the dictionary. Whether it be a determined manual attack or an automated password guessing attack, this policy will help to ensure that the attack is unsuccessful. Some agencies may wish to put a time frame into the policy, so that the words "after six (6) unsuccessful attempts" become "after six (6) unsuccessful attempts within five minutes." Likewise, a similar result may be achieved by qualifying this phrase with the words "during a single on-line session." It should be noted that, with this approach, some legitimate users will be locked out of their user-IDs if they are poor typists, if they are still learning how to use the system, or if they are having trouble remembering their password. These users will contact the security administrator for a new expired password. The contact with the security administrator also provides an opportunity for the security administrator to give the involved user the information needed to properly log in the next time he/she uses the system. To support a higher security environment, the six attempts may be lowered. Also see the policies entitled "Suspected Disclosure Forces Password Changes," "Assignment of Initial Password," and "Difficult-to-Guess Passwords Required."
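Policy 7.0 leaves the implementer two choices to make: which response to apply after the sixth failure, and whether the count is qualified by a time window ("within five minutes") or runs across the whole session. The tracker below is an added example, not code from the policy document or from the State of Alaska, showing both choices as parameters; option (c), disconnecting an external connection, is a transport-level action and is left to the caller. The class and method names, the use of timestamps passed in explicitly (so the behaviour can be checked without waiting three real minutes), and the five-minute default window are this example's own assumptions.

```python
"""Consecutive-failure lockout for policy 7.0 (added example)."""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_FAILURES = 6               # policy 7.0: no more than six consecutive failures
LOCKOUT_SECONDS = 180          # option (b): disabled for no less than three minutes
FAILURE_WINDOW_SECONDS = 300   # optional qualifier from the commentary: "within five minutes"


@dataclass
class AccountState:
    failure_times: List[float] = field(default_factory=list)  # consecutive failures only
    locked_until: Optional[float] = None                      # option (b), temporary disable
    suspended: bool = False                                   # option (a), until admin reset


class LockoutTracker:
    """Counts consecutive bad password entries per user-ID and applies the policy response."""

    def __init__(self, suspend_until_reset: bool = False,
                 window: Optional[float] = FAILURE_WINDOW_SECONDS) -> None:
        self.suspend_until_reset = suspend_until_reset  # True = option (a), False = option (b)
        self.window = window                            # None = count across the whole session
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user_id: str) -> AccountState:
        return self._accounts.setdefault(user_id, AccountState())

    def is_blocked(self, user_id: str, now: Optional[float] = None) -> bool:
        """True while the user-ID may not attempt a log-in at all."""
        now = time.time() if now is None else now
        st = self._state(user_id)
        if st.suspended:
            return True
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, user_id: str, now: Optional[float] = None) -> str:
        """Register one incorrect password; returns 'ok', 'locked' or 'suspended'."""
        now = time.time() if now is None else now
        st = self._state(user_id)
        if st.suspended:
            return "suspended"
        if st.locked_until is not None and now < st.locked_until:
            return "locked"          # attempts during the disable period are not counted
        st.failure_times.append(now)
        if self.window is not None:
            # Only failures inside the window count toward the limit.
            st.failure_times = [t for t in st.failure_times if now - t <= self.window]
        if len(st.failure_times) < MAX_FAILURES:
            return "ok"
        st.failure_times.clear()
        if self.suspend_until_reset:
            st.suspended = True      # (a) stays blocked until admin_reset()
            return "suspended"
        st.locked_until = now + LOCKOUT_SECONDS   # (b) three-minute disable
        return "locked"

    def record_success(self, user_id: str) -> None:
        """A correct password ends the run of consecutive failures."""
        self._state(user_id).failure_times.clear()

    def admin_reset(self, user_id: str) -> None:
        """Security administrator clears the block (and, per policy 6.0, issues a new expired password)."""
        st = self._state(user_id)
        st.suspended = False
        st.locked_until = None
        st.failure_times.clear()


if __name__ == "__main__":
    tracker = LockoutTracker()
    start = time.time()
    for attempt in range(6):
        print("attempt", attempt + 1, "->", tracker.record_failure("jsmith", start + attempt))
    print("blocked now:", tracker.is_blocked("jsmith", start + 6))
    print("blocked after 3 min:", tracker.is_blocked("jsmith", start + 6 + LOCKOUT_SECONDS))
```

Failures that arrive while the user-ID is already disabled are refused without being counted, so a guessing program cannot extend its own lockout indefinitely and, just as importantly, cannot keep a legitimate user locked out simply by continuing to hammer the account.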
Policy ID No.: 8.0
Policy: Changing Vendor Default Passwords
Policy Text: All vendor-supplied default passwords must be changed before any computer or communications system is used for State of Alaska business.
Policy Commentary: One of the oldest, yet still most successful, ways to break into systems is to employ default vendor passwords. These default passwords are strings such as "sysadm" or "sysmanager." Typically, the vendor-supplied default passwords are known by both the technical people with experience on this platform as well as the hacker/cracker community. Too many organizations forget to change these passwords before they press the involved systems into production mode. This policy specifically puts technical staff on notice that they must change all vendor default passwords in order to achieve the most basic level of security. Also see the policy entitled "Assignment of Initial Password."
Policy ID No.: 9.0
Policy: Suspected Disclosure Forces Password Changes
Policy Text: All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed, to unauthorized parties.
Policy Commentary: The basic secure systems design principle behind this policy is that ONLY the user should know their password (this policy assumes that all users have their own unique user-IDs). If the password in question has been disclosed to some other party, or if this is only suspected, then the password must be immediately changed. This policy implies that the users are able to change their password whenever circumstances warrant. If this is not possible for technical or administrative reasons, as an alternative, a security administrator could reset the involved user's password immediately. Also see the policy entitled "Assignment of Initial Password."
Policy ID No.: 10.0
Policy: Password Changes After Compromise of a Computer System
Policy Text: If a computer system employs passwords as its primary access control mechanism, all passwords must be changed immediately after evidence of system compromise has been discovered. At this time, all users must be instructed to change their passwords on other machines, if passwords on the compromised machine are also used on these other machines.
Policy Commentary: While this policy may at first appear to be obvious to those people who have been working in the information security field for a long time, it is not obvious to newly-appointed systems administrators, network managers, and other technical staff. While the changing of all passwords may not eradicate the source of the compromise, it is a necessary step in the direction of reestablishing a trusted computing environment. Note that this policy also stresses that the passwords on other machines must be changed too; far too few technical people appreciate that users often employ the same password across a variety of machines. Unless these other passwords are changed, the other machines are at significant risk of compromise as well. For a related policy see "Required Actions Following Suspected System Intrusion."
Policy ID No.: 11.0
Policy: Writing Passwords Down and Leaving Where Others Could Discover
Policy Text: Passwords must not be written down and left in a place where unauthorized persons might discover them.
Policy Commentary: Discovering passwords written down and left in the top drawer, taped to a computer monitor, or in some other conspicuous spot is a surprisingly common way for penetration attackers (tiger team members) to break into computers. Surprising as it may seem, many users don't think about these risks unless management alerts them to the problems. Note that this policy does not say that users must not write their passwords down; only that they must not be left in a spot where others could recover them.
Policy ID No.: 12.0
Policy: Password Sharing Prohibition
Policy Text: Passwords must never be shared or revealed to anyone else besides the authorized user unless specifically authorized by the Agency Computer Security Officer (ACSO). The ACSO should take into account that exceptions expose the authorized user to responsibility for actions that the other party takes with the password. The ACSO must make it clear to the user with the shared password that they are responsible for activities undertaken by the person who has their password.
Policy Commentary: The way a user prevents themselves from being improperly held accountable for the actions of another is to keep their password secret. In an effort to be polite, be more productive, or to save time, users often share their passwords. Sometimes system attackers masquerade as information systems security staff and then ask users for their passwords. When requested to do so, a surprisingly large number of users will readily provide their password. Whenever users disclose their passwords, they inadvertently compromise system access controls and make logs of user activity less useful. It is important that users keep their passwords exclusively to themselves, and the intention of this policy is to remind them to do just that. The policy has a threat in it, specifically the part that talks about being responsible for the actions of another. At many organizations, in the small systems environment (client/server, local area networks, etc.) a casual attitude toward security has traditionally prevailed; a policy like this seeks to counteract this attitude. See also "Users Responsible for All Activities Involving Personal User-IDs."
Policy ID No.: 13.0
Policy: Users Responsible for All Activities Involving Personal User-IDs
Policy Text: Users are responsible for all activity performed with their personal user-IDs. User-IDs may not be utilized by anyone but the individuals to whom they have been issued unless authorized by the ACSO.
Policy Commentary: The intention of this policy is to make it clear that sharing user-IDs and associated passwords is risky. If users share user-IDs and passwords, logs will not reflect the true identity of the users, and will accordingly be less useful for disciplinary actions, prosecutions, and investigations. Likewise, user-specific privilege controls mean little when users are sharing user-IDs and passwords. This policy has some positive side-effects that may not be readily apparent. For example, when an employee goes on vacation, to be in compliance with the policy, they may not give their user-ID and password to someone else so that the other person can check the employee's electronic mail.
Policy ID No.: 14.0
Policy: When and How Passwords May Be Disclosed by Security Administrators
Policy Text: Security administrators must only disclose passwords if a new user-ID is being assigned, if the involved user has forgotten or misplaced a password, or if the involved user is otherwise locked out of his or her user-ID. Security administrators must not reveal a password unless the involved user can be personally identified or through a call back to a known State of Alaska phone number.
Policy Commentary: This policy is intended to make it clear when and how security administrators (who are also often systems administrators) may disclose a password. There are many cases on record where "social engineering" (in this case masquerading as a legitimate user) is used to get security administrators to reveal a password. Note that this policy does allow a security administrator to reveal a password over the telephone so long as adequate evidence of identity is provided (for example mother's maiden name, social security number, etc.). A security administrator may use a call back procedure to call a known State of Alaska office to minimize the risk of social engineering. This over-the-phone process is expedient, although it is definitely less secure than requiring the user to show up in person. For related ideas, see the policies entitled "Suspected Disclosure Forces Password Changes" and "Password Sharing Prohibition."
Policy ID No.: 15.0
Policy: Positive Identification Required for Initial System Usage
Policy Text: All users must be positively identified prior to being able to use any computer or communications system resources. Positive identification ordinarily involves user-IDs and fixed passwords, but may also include confirmation by a known person in the office. The Agency Computer Security Officer will be the decision maker when it comes to a precise definition of "positive identification."
Policy Commentary: The intention of this policy is to ensure that no unauthorized person is given an account on a State of Alaska computer system. As organizations adopt more interconnected systems, this policy becomes increasingly important. For example, a stand-alone departmental local area network poses a relatively limited vulnerability, but when such a LAN is connected to a wide area network, the need for all users to be positively identified is increased.
Policy ID No.: 16.0
Policy: User-ID and Password Required for Access to State of Alaska Network Systems
Policy Text: All users must have their identity verified with a user-ID and a secret password, or by other means which provide equal or greater security, prior to being permitted to use State of Alaska high and medium risk "multi-user" systems.
Policy Commentary: The intent of this policy is to make sure that only authorized people can gain access to organizational networks. The public access side of network systems, such as web and anonymous ftp servers, is by definition low risk and is outside of this policy. Administrative access to low risk systems, such as administrator login or ftp access used to manage a web server, falls under the medium or high risk category and is subject to this policy. The policy also allows the organization to move to extended user authentication via biometrics, call-back systems, dynamic password identity tokens, etc. Also see the policies entitled "Minimum Password Length," "Unique User-ID and Positive User Authentication Required," and "Granting User-IDs to Outsiders."
Policy ID No.: 17.0
Policy: Unique User-ID and Positive User Authentication Required
Policy Text: Every user must have a single unique user-ID and a personal secret password or other positive user authentication. This user-ID and password will be required for access to State of Alaska multi-user computers and computer networks.
Policy Commentary: With the ever-increasing number of computers and networks found in modern organizations, use of various user-IDs for the same person is getting to be too complex. This policy simplifies all that for both users and systems administrators. Another intention of the policy is to ensure that all multi-user systems and networks have access control software which can uniquely identify and restrict the privileges of each user. These access control facilities also allow special logging and monitoring software to be used. The use of the same user-ID on all computers and networks across an organization is additionally desirable (but not required) because it makes analysis of activity logs considerably easier. The use of the term "multi-user computer" in the policy effectively exempts workstations. The policy described here also prohibits group user-IDs, typically a significant problem in those organizations where the level of awareness about information security is low. The term "positive user authentication" allows for smart cards, dynamic password tokens, biometrics and other technologies. See also the policies entitled
Policy ID No.: 131.0
Policy: Extended User Authentication Systems Required for In-Bound Access to State of Alaska Computer Systems
Policy Text: To positively identify the calling party, all in-bound connections to the State of Alaska's internal computer data network must employ extended user authentication. The approved technology for extended authentication must provide more security than traditional fixed password systems. The specific technology selected for extended user authentication will change over time but must be approved by the Agency Computer Security Officer.
Policy Commentary: The intention behind this policy is to require extra system access controls for every inbound connection, such as dial-up modems or broadband connections over the Internet. Since these interface points have historically been vulnerable spots, extra access controls are warranted. Extended user authentication systems are most often used in conjunction with user-IDs and passwords, although they may also replace user-IDs and/or passwords. These extended user authentication systems include, but are not limited to, call-back devices, identity tokens, and biometrics (thumb-print readers, retina scanners, voice print readers, etc.).
Policy ID No.: 136.0
Policy: Naming Standard for a Single User-ID Used on All Platforms
Policy Text: No matter how many systems they access, State of Alaska workers must have only one computer system user-ID. Unless advance permission from the State Computer Security Officer has been granted, all computer system administrators must consistently observe the user-ID naming standards specified by the State of Alaska Security Policy.
Policy Commentary: The intention of this policy is to simplify both administrative and security work for networked computer systems. A significant number of different user-IDs for a single individual can lead to great confusion. This confusion is particularly undesirable at the time that a worker leaves the organization, in which case staff may scramble to determine which user-IDs need to be deactivated. The policy simplifies these activities, as well as forensic activities like log analysis associated with computer crime investigation. A consistent approach to user-ID construction may, in some instances, be impossible if the technology does not allow it (for example, some systems allow only a few characters in user-IDs); it is in recognition of these circumstances that exceptions are mentioned in the second sentence of the policy. This policy takes a strong stand in favor of the existing State of Alaska enterprise e-mail ID. Note also that this policy will facilitate the establishment and administration of a single sign-on system. See the policies entitled "Unique User-ID and Positive User Authentication Required" and "Maintenance of Master User-ID and Privilege Database."