RSCC Policy GA-18-09; Strong Passwords

Policy Number: GA-18-09
Subject: Strong Passwords
  1. Scope
    The policies and procedures outlined in the following document apply to all Roane State faculty, staff, students, visitors, and contractors. This policy applies to all academic, administrative, networking and microcomputer resources leased or installed at all Roane State (RSCC) locations.

    In addition to the policies listed below, all users are subject to existing state and federal laws along with institutional and Tennessee Board of Regents (TBR) regulations concerning the use of computers, email, and the Internet.
  2. Definitions

    Password - A password is a string of characters used for authenticating a user on a computer system.

    Privileged Accounts – Privileged accounts are those accounts with administrative or root access to a system and used for the administration of an application or database. For example: Oracle database administration, Banner, etc.

    System Accounts - Accounts used for automated processes without user interaction or device management.
  3. Compliance with TBR Policy
    To the extent a discrepancy exists between this policy and related TBR or state policy or law, TBR and state policy take precedence.
  4. Overview
    Passwords are an important aspect of computer security. They are the front line of protection for user accounts including network login, email accounts, and web accounts. Poorly constructed passwords may result in the compromise of Roane State’s entire network and its data. Given that personally identifiable information is at risk, this policy is provided as a means of protecting that information.
  5. Purpose
    The purpose of this policy is to establish a standard for the creation, use and protection of passwords by Roane State faculty, staff, and students. This policy also establishes how frequently passwords must be changed.
  6. Policy
    1. General
      All users of Roane State information systems will have a unique user identification and password.
    2. Passwords
      1. User Passwords – All user-level passwords (network login, portal, etc.) must be changed every 120 days.
      2. Students are not required to change their passwords.
      3. Privileged Accounts – Users with privileged accounts must change their passwords every 120 days.
      4. System Accounts – System account passwords are not required to expire, but must meet the password construction requirements defined in this policy.
    3. Other
      1. Vendor provided passwords must be changed upon installation using the construction standards in this policy.
      2. User accounts that have system-level privileges granted through group membership or programs such as “sudo” must have a unique password from all other accounts held by that user.
      3. Where SNMP (Simple Network Management Protocol) is used, the community strings must be defined as something other than the standard defaults of “public,” “private” and “system” and must be different from the passwords used to log in interactively. A keyed hash must be used where available and technically feasible (e.g. SNMPv2 or v3).
      4. Passwords must not be sent by email messages or other forms of electronic communications. Exception: sending an initial password that must be changed upon login.
      5. All user-level and system-level passwords must conform to the guidelines for strong passwords as described later in this document.
      6. Password parameters will be set to prevent users from reusing the past ten (10) passwords.
      7. The minimum password age is one day.
      8. Password grace periods will be thirty (30) days during which the user will be warned the password is due to expire.
      9. Accounts will be locked after five (5) failed attempts. Users must contact the Help Desk or the administrative system to have the account reset.
      10. Faculty and staff desktops will be locked after 15 minutes of inactivity requiring a logon using their password.
      11. Lab computers will be logged out after 60 minutes of inactivity requiring users to logon using their password.
      12. Passwords must be changed immediately in the following situations:
        1. Unauthorized discovery or use of the password by another person.
        2. Any unauthorized access to a system or account.
        3. Insecure transmission of a password.
        4. Accidental disclosure of a password to authorized personnel.
        5. Status change of personnel with access to privileged and/or system accounts.
  7. Guidelines - General Password Construction
    1. Weak passwords have the following characteristics:
      1. Contain fewer than eight characters.
      2. Are a word that can be found in a dictionary (English or foreign).
      3. Are a commonly used word such as the names of family members, pets, friends, co-workers, fantasy characters, computer terms, commands, sites, companies, hardware, or software; these should not be used. Any of the above preceded or followed by a digit.
    2. Strong passwords have the following characteristics:
      1. Contain a minimum of eight (8) characters consisting of three (3) of the following four (4) character categories. These will be enforced.
        1. English uppercase characters (A-Z)
        2. English lowercase characters (a-z)
        3. Base 10 digits (0-9)
        4. Non-alphanumeric characters (~ ! # % * ? _ -)
      2. The following are recommended:
        1. Is not a word in any language, slang, dialect, jargon, etc.
        2. Is not based on personal information.
    3. Use of Passphrases
      Passphrases are longer versions (23 character minimum) of passwords and are therefore inherently more secure. A passphrase is typically composed of multiple words and therefore provides more security against “dictionary” attacks. An example is “This May Be One Way to Remember” and the passphrase could be “ThisMaybeOneWaytoRemember” or reduced to “TmB1w2R!”. Another example is “iamthecapitanofthepin4”. According to the National Institute of Standards and Technology (NIST) this passphrase of at least 23 characters contains a 45 bit strength.

      Use of passphrases is encouraged as an alternative to passwords because they are generally easier to remember.
  8. Password Protection Standards
    1. Do not use the same password for Roane State accounts as used to access non-Roane State accounts (e.g., personal Internet service provider accounts such as MSN, Yahoo, Google, trading accounts, bank accounts, etc.).
    2. Do not share your Roane State account information with anyone, including administrative assistants, secretaries, or supervisors. All passwords are to be treated as sensitive and confidential RSCC information.
    3. The following are password security “don’ts”:
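      The construction rules in 7.2.1, the weak-pattern rule in 7.1.3 and the 45-bit figure in 7.3 can all be turned into a concrete check. The Python below is an added illustration and is not Roane State code: it enforces the enforced rule (8 characters, 3 of 4 categories), flags a dictionary or common word with digits before or after it against a small constructed word list, and reproduces the 45-bit estimate using the per-character entropy heuristic from the superseded NIST SP 800-63 (2006) Appendix A (4 bits for the first character, 2 bits each for characters 2-8, 1.5 bits each for 9-20, 1 bit each from 21 on, plus a 6-bit composition-rule bonus); that appendix's separate dictionary-check bonus is not modelled, and the function name, the word list and the sample passwords are constructed for this example. The digit stripping generalizes the policy's "a digit" to any run of leading or trailing digits.

```python
"""Illustrative checks for RSCC GA-18-09 section 7 (example code, not the college's own)."""
import string

MIN_LENGTH = 8          # 7.2.1: minimum of eight characters
MIN_CATEGORIES = 3      # 7.2.1: three of the four character categories
PASSPHRASE_MIN = 23     # 7.3: passphrase minimum length

# Constructed mini word list standing in for a real dictionary / common-word list (7.1.2, 7.1.3).
COMMON_WORDS = {"password", "summer", "welcome", "letmein"}


def character_categories(password: str) -> set[str]:
    """Return which of the four 7.2.1 categories the password uses.
    Anything that is not an ASCII letter or digit counts as non-alphanumeric
    (the policy lists ~ ! # % * ? _ - as examples)."""
    cats = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.digits:
            cats.add("digit")
        else:
            cats.add("symbol")
    return cats


def meets_construction_rule(password: str) -> bool:
    """The enforced rule: >= 8 characters drawn from >= 3 of the 4 categories."""
    return len(password) >= MIN_LENGTH and len(character_categories(password)) >= MIN_CATEGORIES


def looks_like_weak_word(password: str, wordlist: set[str] = COMMON_WORDS) -> bool:
    """7.1.2 / 7.1.3: a dictionary or common word, optionally preceded or followed by digits.
    Stripping all leading/trailing digits generalizes the policy's 'a digit'."""
    core = password.strip(string.digits)
    return core.lower() in wordlist


def nist_800_63_appendix_a_bits(length: int, composition_rule: bool = True) -> float:
    """Entropy heuristic from the superseded NIST SP 800-63 (2006) Appendix A.
    The dictionary-check bonus from that appendix is deliberately not modelled."""
    if length <= 0:
        return 0.0
    bits = 4.0                                     # first character
    bits += 2.0 * min(max(length - 1, 0), 7)       # characters 2-8
    bits += 1.5 * min(max(length - 8, 0), 12)      # characters 9-20
    bits += 1.0 * max(length - 20, 0)              # characters 21+
    if composition_rule:
        bits += 6.0                                # bonus for an enforced composition rule
    return bits


def evaluate(password: str, wordlist: set[str] = COMMON_WORDS) -> dict:
    """Combine the checks into one report a help desk or provisioning script could act on."""
    return {
        "length": len(password),
        "categories": sorted(character_categories(password)),
        "construction_ok": meets_construction_rule(password),
        "weak_word": looks_like_weak_word(password, wordlist),
        "is_passphrase": len(password) >= PASSPHRASE_MIN,
        "estimated_bits": nist_800_63_appendix_a_bits(len(password)),
    }


if __name__ == "__main__":
    # Constructed samples: "Summer2021" satisfies the enforced 3-of-4 rule yet is exactly the
    # 7.1.3 pattern (common word plus digits), which is why the recommendation in 7.2.2 exists.
    for sample in ("TmB1w2R!", "Summer2021", "password", "ThisMaybeOneWaytoRemember"):
        print(sample, evaluate(sample))
```

The `nist_800_63_appendix_a_bits(23)` result of 45 bits is where the policy's figure comes from: 4 + 14 + 18 + 3 = 39 bits for the characters, plus the 6-bit composition bonus. The same formula gives only 24 bits for an eight-character password, which is the quantitative reason the policy encourages passphrases.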
      1. Don’t reveal a password over the phone to anyone.
      2. Don’t reveal a password in an email message. An exception is transmittal of an initial or reset password that must be changed upon access.
      3. Don’t reveal a password to your boss.
      4. Don’t talk about a password in front of others.
      5. Don’t hint at the format of a password (e.g., “my family name”).
      6. Don’t reveal a password on questionnaires or forms.
      7. Don’t share a password with family members.
      8. Don’t give your password to anyone while you are away on vacation.
      9. Don’t use the “Remember Password” feature of applications.
      10. Don’t write passwords down on sticky notes, store them under your keyboard, or “hide” them anywhere in your office.
      11. Don’t store your password on another device such as a Personal Digital Assistant (PDA) or USB drive without encryption. You may use a password storage utility as long as it encrypts the stored data; in addition, make sure it is protected by a strong password.
    4. Report the incident to the Information Technology office immediately and change all passwords if you suspect your password has been compromised.
    5. The Office of Information Technology or its designee may periodically run password “cracking” or “guessing” utilities to assess the compliance of this policy. If the password is “guessed” or “cracked” during this scan, users must change passwords.
    6. Where technically feasible, provide role management such that one user can perform the functions of another user without having to know the other user’s password.
  9. Enforcement and Compliance
    Any employee found in willful violation of this policy may be subject to disciplinary action. Justification for exceptions to this policy must be approved in writing by the president.
  10. Responsible Party
    The CIO shall be responsible for development and maintenance of this policy for issuance by the president.
Revision Effective Date: 10/26/2021
Revision Approved By: Christopher L. Whaley, President
Original Effective Date: 03/03/2014
Approved By: Christopher L. Whaley, President
Office Responsible: Vice President for Business & Finance
Reviewed: 10/21/2021