Method Statement - Password Management

1 Introduction

1.1 This method statement describes the rules governing the management of the password associated with the University of York IT account, known as the ‘IT Services password’.

1.2 The aim of password management is to enhance information security by ensuring that passwords are strong and are used properly. It is established good practice to change passwords on a regular basis to reduce the risk of misuse if the password is stolen or otherwise compromised.

1.3 Password management rules are usually referred to as a ‘password policy’. The University may define and operate different password policies depending on the sensitivity of the information that is accessed by the user.

2 Password requirements

2.1 The minimum requirement for all Staff and Associate Staff is that their IT Services password must be changed at least once per year. Some Staff and Associate Staff may need to change their passwords more frequently due to the sensitivity of the information they access.

2.2 Students are not required to change their passwords unless they are specifically required to do so due to the sensitivity of the information to which they have access.

2.3 New users are issued with a temporary password which can only be used to register their account. As part of the account registration process, the password must be changed. Until this has been done, a user cannot log in to any other IT facility.

2.4 For all users, a password must satisfy the following conditions to ensure a strong password is used:

  • It must be 8 to 16 characters
  • It must not be your username
  • It must not be your current password
  • It must not be your initial password
  • It must contain a mix of upper and lower case letters and at least one number
  • It must contain at least one letter
  • It must not be based on a dictionary word

2.5 When changing a password, the user is prevented from reusing the previous ten passwords used.

2.6 When a password has expired, the user has four weeks in which to change their password before their account is automatically disabled.

2.7 Where there are more stringent information handling requirements departments may define and operate different password policies for their users to specify more frequent password changes and/or a different email reminder frequency. Section 3 below illustrates three policies that are currently defined. Departments should seek policy and implementation advice from the Information Security Officer.

2.8 Policies which require passwords to be changed more than once a year may be applied at departmental level or to groups within departments, such as to a specific research group within a department. For example, staff within IT Services (a sub-group of the Information Directorate) have a 90 day password changing policy due to the level of access to systems and information held by each user.

2.9 Where a user has more than one affiliation with the University, such as being a both a member of staff and a student or is a member of two departments, the more stringent password policy will apply to the user account.

2.10 Users will be required to change their password if their account is believed to have been compromised.

3 Current Password Policies

3.1 Staff and Associate Staff Policy A

This is the minimum policy and applies to all staff and associate staff unless a more stringent specific policy has been applied at the department or group level.

  • Password change frequency: at least once every year
  • The number of previous passwords that are remembered to prevent the user re-using them: ten
  • The number of email reminders sent to warn users before their password is expired, and when they are sent: as soon as the relevant password policy is activated on the account; two months; one month; 14 days; 7 days; 3 days; 1 day before expiry
  • How long an account will stay in the password expired state before it is automatically disabled (“disabled after”): four weeks

3.2 Staff Policy B

This policy might be applied in departments or research groups with access to sensitive research or personal data, e.g. Finance and IT Services.

  • Password change frequency: at least once every 90 days
  • The number of previous passwords that are remembered to prevent the user re-using them: ten
  • The number of email reminders sent to warn users before their password is expired, and when they are sent: one month; 14 days; 7 days; 3 days; 1 day before expires
  • How long an account will stay in the password expired state before it is automatically disabled (“disabled after”): four weeks

3.3 Staff Policy C

This policy might be applied in research groups where there are requirements stipulated by funding bodies eg Department for Work and Pensions.

  • Password change frequency: at least once every 30 days
  • The number of previous passwords that are remembered to prevent the user re-using them: ten
  • The number of email reminders sent to warn users before their password is expired, and when they are sent: 7 days; 3 days; 1 day before expires
  • How long an account will stay in the password expired state before it is automatically disabled (“disabled after”): four weeks

4 Oversight

4.1 The Information Security Board, chaired by the Director of Information, will monitor the effectiveness of this method statement and carry out regular reviews.

Document history and status

27 November 2013 Approved by Information Policy Executive
02 December 2013 Approved by Information Security Board
12 August 2014  Ian Hall Updates to 3.1, 3.2 and 3.3 approved by Information Security Board

Status

Review cycle: Three yearly

Date of next review: December 2016