The following are several recommendations for individuals who are responsible for provisioning and support of user accounts:
Enforce strong passwords
Many systems and applications include functionality that prevents a user from setting a password that does not meet certain criteria. Functionality such as this should be leveraged to ensure only Strong Passwords are being set. See the University's Password Standard.
Require periodic password changes
Forcing a periodic password change serves as a reminder to users and removes the human factor from deciding whether to change a password. A general rule of thumb is to force a password change every 90-360 days.
Require a change of initial or “first-time” passwords
Forcing a user to change their initial password helps ensure that only that user knows their password. Depending on what process is being used to create and distribute the password to the user, this practice can also help mitigate the risk of the initial password being guessed or intercepted during transmission to the user. This guidance also applies to situations where a password must be manually reset.
Force expiration of initial or “first-time” passwords
In certain situations, a user may be issued a new account and not access that account for a period of time. Initial passwords have a higher risk of being guessed or intercepted depending on what process is being used to create and distribute passwords. Forcing an initial password to expire after a period of time (e.g. 72 hours) helps mitigate this risk.
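The three rules above (periodic change, forced change of a first-time password, and expiry of an unused first-time password) amount to a small state machine that a provisioning system can evaluate on every login. The following is an added example, my own code rather than the University's or Carnegie Mellon's, which takes the page's 72-hour and 90-day figures as assumed policy constants and evaluates constructed sample accounts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values taken from the guidance on this page: a first-time
# password expires 72 hours after issue; a user-chosen password must be changed
# after 90 days (the low end of the 90-360 day rule of thumb).
INITIAL_PASSWORD_TTL = timedelta(hours=72)
ROTATION_INTERVAL = timedelta(days=90)

@dataclass
class Account:
    username: str
    password_set_at: datetime  # when the current password was set (UTC)
    initial: bool              # True until the user picks their own password

def password_state(acct: Account, now: datetime) -> str:
    """Classify an account's password against the provisioning rules.
    'initial-expired': first-time password unused past its TTL; reissue it
    'must-change':     first-time password still valid; force a change at login
    'rotation-due':    user-chosen password older than the rotation interval
    'ok':              nothing to enforce right now
    """
    age = now - acct.password_set_at
    if acct.initial:
        return "initial-expired" if age > INITIAL_PASSWORD_TTL else "must-change"
    if age > ROTATION_INTERVAL:
        return "rotation-due"
    return "ok"

def login_allowed(acct: Account, now: datetime) -> bool:
    """Only an expired first-time password is refused outright; 'must-change'
    and 'rotation-due' users are admitted straight into a forced change."""
    return password_state(acct, now) != "initial-expired"

def user_changed_password(acct: Account, now: datetime) -> Account:
    """Record a user-chosen password: clears the initial flag, restarts the clock."""
    return Account(acct.username, now, initial=False)

def demo() -> dict:
    """Constructed sample accounts evaluated at a fixed instant (not real data)."""
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    accounts = [
        Account("alice", now - timedelta(hours=1), initial=True),    # just provisioned
        Account("bob", now - timedelta(hours=80), initial=True),     # never logged in
        Account("carol", now - timedelta(days=100), initial=False),  # long-standing
        user_changed_password(Account("dave", now - timedelta(hours=1), True), now),
    ]
    return {a.username: (password_state(a, now), login_allowed(a, now)) for a in accounts}
```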
Do not use Restricted Information for initial or “first-time” passwords
Restricted information includes, but is not limited to, social security number, name, date of birth, etc. This type of data should not be used wholly or in part to formulate an initial password.
Always verify a user’s identity before resetting a password
A user’s identity should always be validated prior to resetting a password. If the request is in person, photo identification (e.g. UCard, valid state ID, or current passport) is a sufficient means of doing this. If the request is by phone, validating an identity is much more difficult. One method is to have the user fax in a copy of their photo ID in addition to having the helpline ask the user some questions. However, this can be a cumbersome process. Another option is to have the person’s manager call and confirm the request.
Never ask for a user’s password
As stated above, individual user account passwords should not be shared. A natural corollary to this guidance is to never ask others for their passwords. Delegation of permission is one alternative to asking a user for their password. Some applications include functionality that allows an administrator to impersonate another user, without entering that user’s password, while still tying actions back to the administrator’s user account. This is also an acceptable alternative.
The following are several additional recommendations for individuals who are responsible for the configuration, design and implementation of systems and applications:
Change default account passwords
Default accounts are often the source of unauthorized access by a malicious user. When possible, they should be disabled completely. If the account cannot be disabled, the default passwords should be changed immediately upon installation and configuration of the system or application.
Implement strict controls for system-level and shared service account passwords
Shared service accounts typically provide an elevated level of access to a system. System-level accounts, such as root and Administrator, provide complete control over a system. This makes these types of accounts highly susceptible to malicious activity. As a result, a longer and more complex password should be implemented. System-level and shared service accounts are typically critical to the operation of a system or application. Because of this, their passwords are often known by more than one administrator. Passwords should be changed any time someone with knowledge of the password changes job responsibilities or leaves employment. Use of accounts such as root and Administrator should be limited as much as possible. Alternatives should be explored, such as using sudo in place of root, creating unique accounts for Windows administration instead of using the default accounts, or using the Windows "Run As" administrator command.
Avoid using the same password for multiple administrator accounts
Using the same password for multiple accounts can simplify administration of systems and applications. However, this practice can also have a chain effect allowing an attacker to break into multiple systems as a result of compromising a single account password. It is recommended that different passwords be used for test and production systems.
Do not allow passwords to be transmitted in plain-text
Passwords transmitted in plain-text can be easily intercepted by someone with malicious intent. Protocols such as FTP, HTTP, SMTP and Telnet all natively transmit data (including your password) in plain-text. Secure alternatives include transmitting passwords via an encrypted tunnel (e.g. IPSec, SSH or SSL), using a one-way hash or implementing a ticket based authentication scheme such as Kerberos.
Do not store passwords in easily reversible form
Passwords should not be stored or transmitted using weak encryption or hashing algorithms. For example, the DES encryption algorithm and the MD-4 hash algorithm both have known security weaknesses that could allow protected data to be deciphered. Encryption algorithms such as 3DES or AES and hashing algorithms such as SHA-256 are stronger alternatives to the previously mentioned algorithms. Also, Windows passwords should not be stored using the vulnerable LANMAN hash.
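To show what "not easily reversible" looks like in practice, here is an added example, my own code and not the University's or Carnegie Mellon's. It keeps SHA-256 as the page suggests but applies it through PBKDF2 with a per-user random salt and a high iteration count, because a single unsalted SHA-256 digest of a password, while not reversible, is fast enough to brute-force from a leaked table. The scheme label, iteration count and record layout are assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor and record format; raise the iteration count as hardware permits.
ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"

def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a password as a salted, iterated SHA-256 digest (PBKDF2-HMAC-SHA256).
    The result cannot be reversed to the password, and a fresh random salt means
    two users with the same password get different records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if scheme != SCHEME:
        return False  # legacy or reversible format: never accepted by this path
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)

def needs_rehash(stored: str) -> bool:
    """True for records in a weak or reversible format (plain text, a bare unsalted
    digest, an older scheme) or below the current work factor; such users should be
    migrated to the current format at their next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS
```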
Implement automated notification of a password change or reset
When a password is changed or reset, an e-mail should be automatically sent to the owner of a user account whenever possible. This provides a user with confirmation that the change or reset was successful and also alerts a user if a password is unknowingly changed or reset.
Delete old accounts
Delete accounts that are no longer used. Old, unused accounts are a common route for attackers to gain access to systems.
Basic password configuration settings
The University’s Password Standard and the QuickStart Level-2 Security settings are recommended minimum password settings. QuickStart is primarily for desktop and laptop computers. Similar settings with required adjustments should be made for servers.
University of Minnesota has permission from Carnegie Mellon University to use their content on this web site.