Password and Network ID Account Policy

Passwords and Network IDs are an essential component of network security, both for the individual user and for Emory's network as a whole. This policy sets minimum standards for passwords and for authorization accountability for all Network ID accounts administered by Emory University.

Additional information for users and distributed IT providers regarding AAIT's administration of Network ID's and accounts is also provided.

Minimum Standards for Password Protection and Network ID's:

The following are minimum standards for password protection and Network ID account management. Although they are strongly recommended as a primary means of ensuring the security and integrity of information available through Emory's network, they should not be construed as absolutes. Each data item and computing process requires careful analysis in order to determine the correct and proper protection protocol.

Because these standards should be understood as minimum standards, Emory IT developers, management, and local support providers should feel free to implement protocols that exceed these standards whenever increased protection is required or may be otherwise appropriate.

- Passwords and Network IDs are issued to one user only; they must not be shared with any other individual.

- Passwords must be a minimum of 6 to 8 characters in length and should contain both alpha and numeric characters that are not easily guessed or identified by others (e.g., do not use dictionary words, names of children or pets, birthdays, social security or telephone numbers, etc.).

- Passwords should be changed every ninety (90) days (employees & contractors) or every semester (students). In any case, the same password should never be used for more than six (6) months.

Authorization accountability for Network ID's administered by Emory is accomplished through:

- Identification of one individual responsible for each issued Network ID,

- Encouraging the use of the same Network ID across all Emory Enterprise Systems (ES), and

- Creating a default framework for the assignment of Network IDs.

Questions regarding these recommended minimum standards should be addressed to Emory's Information Technology Division Security Team at:
SecurityTeam-L@listserv.emory.edu.

Additional Information for Users and Distributed IT Providers:

Accountability

Each Network ID must have one individual who is responsible for all activity occurring as a result of the use of the Network ID.

Default Network IDs

New Network IDs on Emory Shared Data are created using default criteria. The current default Network ID for an individual, including a student eligible for a Network ID, consists of the initial of the individual's first name followed by up to six characters of the last name. To ensure there are no duplicate Network IDs, the middle initial will be placed in the second position and/or numbers will be appended, as necessary, to the right of the name.

Changes to an existing Network ID will not be made without a compelling reason (e.g., incorrect last name used in the Network ID, or Network ID is an offensive word). The new Network ID must include portions of both the user's first and last name.
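The default assignment rule above (first initial, up to six characters of the last name, then the middle initial in second position and/or trailing numbers to avoid duplicates) is shown here as an added worked example. This is not Emory's own provisioning code: the lower-casing and stripping of non-letters, the order in which the middle-initial and numeric variants are tried, and the `existing` set of already-issued IDs are assumptions made for the illustration.

```python
"""Default Network ID assignment (illustrative, not Emory's code)."""
import re


def _normalize(name: str) -> str:
    # Assumption: IDs are lower-case ASCII letters only, so "O'Brien" -> "obrien".
    return re.sub(r"[^a-z]", "", name.lower())


def default_network_id(first: str, last: str, middle: str = "",
                       existing=frozenset(), max_suffix: int = 999) -> str:
    """Return the first candidate ID that is not already in `existing`.

    Order tried (assumed): base form, base with middle initial in the second
    position, then each of those with a number appended to the right.
    """
    first_initial = _normalize(first)[:1]
    last_part = _normalize(last)[:6]          # "up to six characters of the last name"
    if not first_initial or not last_part:
        raise ValueError("both a first and a last name are required")

    base = first_initial + last_part
    forms = [base]
    mi = _normalize(middle)[:1]
    if mi:
        forms.append(first_initial + mi + last_part)   # middle initial in second position

    taken = {e.lower() for e in existing}
    for candidate in forms:
        if candidate not in taken:
            return candidate
    for n in range(1, max_suffix + 1):                 # numbers to the right of the name
        for form in forms:
            candidate = f"{form}{n}"
            if candidate not in taken:
                return candidate
    raise RuntimeError("no free Network ID within the suffix range")


if __name__ == "__main__":
    issued = {"jsmith", "jqsmith"}               # constructed sample of IDs already in use
    print(default_network_id("John", "Smith"))                      # jsmith
    print(default_network_id("John", "Smith", "Q", issued))         # jsmith1
    print(default_network_id("Jane", "Washington"))                 # jwashin
```

The function is deterministic for a given set of issued IDs, which is what makes the "one individual per Network ID" accountability rule auditable: the same inputs always map to the same candidate, and the `existing` check is the only place a collision can change the result.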

Default System Accounts

Whenever possible, the default account names for systems and applications (system and operator accounts) should be changed upon installation, implementation, and/or production use of systems and applications.

Network ID Account Lockouts

A Network ID Account Lockout occurs when a user can no longer log in to his/her computer or a specific application using his/her Network ID. All account lockouts should be investigated. Accounts should not be unlocked until sufficient investigation has revealed the nature of the lockout. If an account has been locked multiple times during a relatively short time frame, the account should remain locked until a full investigation has revealed the source of the lockout attempts. In addition, every request for a network account password to be reset or for an account to be unlocked must be met by a challenge/response to verify that the individual is authorized to the Network ID and/or account.

Password Aging - Best Practice (Strongly Recommended)

Passwords for Emory employees and contractors should expire every ninety (90) days, requiring the user to enter a new password before logging onto the system.

New passwords for Emory students should be required at the start of each semester.

Passwords for system and operator network accounts should be changed every thirty (30) days.

Passwords should also be changed if:

- the user's machine has been compromised,
- the user has shared his/her password with any other individual,
- the user has been notified that his/her password does not meet current standards, or
- the user has used the same password for 90 days or more.

Inactive Network Accounts

After ninety (90) consecutive days of inactivity, network accounts for faculty and staff will be disabled.

For students, inactive network accounts will be disabled after six (6) months of inactivity.

Users should be contacted prior to the disabling of a network account in order to ensure that accounts that have been inactive for justifiable reasons (illness, maternity leave, leave without pay, etc.) can be identified and held indefinitely in a suspended state.

Otherwise, if, during the ten (10) days following notification of intent to disable, the user does not notify ITD of their request to keep the account (with a justified Emory use), or does not respond to the notice, the account will be disabled.

Inactive/Terminated Account Notification

User network account databases should be routinely reviewed for network accounts of assigned users whose access purpose has ended. All such accounts should be deleted. Whenever an employee (or other individual assigned an Emory Network ID) leaves Emory or has a change in position or other employment status, it is the responsibility of Human Resources and/or the department manager (or related position) to notify the ITD Security Team with a request to disable the account.

Notice

All application systems should provide explicit notice to all users at the time of initial login and regularly thereafter that the system is a private system; that it may be used only by authorized parties; and that, by successful login, the user is acknowledging responsibility and accountability for his/her activities on the system.

Password Display

Keyed passwords must never echo or display in any readable form on the screen of the login device.

Password Length

The length of a password should always be checked automatically by the authenticating system at the time the user selects it. Passwords should be comprised of at least six (6) to eight (8) characters and should include both alphabetical and numeric characters.

Password History

A history of previous user passwords should be maintained on all systems. This history file should be employed to prevent users from reusing passwords. The history file should remain encrypted at all times. Minimally, this history file should contain the last three (3) passwords for each user account; associated software should automatically reject any password selection that matches passwords currently held within the history file.
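The following added example shows how an authenticating system can enforce the selection rules from the Password Length and Password History sections together with the ninety-day aging rule: the length check at selection time, the requirement for both letters and digits, rejection of a dictionary word, and rejection of any candidate that matches one of the last three passwords. It is not Emory's code. The policy says the history file must be encrypted; this example instead keeps a per-entry salted one-way hash (PBKDF2) for each remembered password, which is an assumption made here, as are the minimum length of 8 (the policy gives a range of 6 to 8) and the small constructed word list.

```python
"""Password selection and aging checks (illustrative, not Emory's code)."""
import hashlib
import os
import re
from collections import deque
from datetime import date, timedelta

# Constructed stand-in for a real dictionary check.
COMMON_WORDS = {"password", "welcome", "emory", "letmein"}
HISTORY_DEPTH = 3        # policy minimum: the last three passwords per account
MAX_AGE_DAYS = 90        # employees and contractors


class PasswordHistory:
    """Salted PBKDF2 digests of the last HISTORY_DEPTH passwords for one account.

    Assumption: one-way hashes are used in place of the policy's encrypted file;
    the plaintext of an old password is never kept.
    """

    def __init__(self, depth: int = HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)   # the oldest entry drops off automatically

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))

    def contains(self, password: str) -> bool:
        # Each entry carries its own salt, so the candidate is re-derived per entry.
        return any(self._digest(password, salt) == digest for salt, digest in self._entries)


def check_new_password(candidate: str, history: PasswordHistory, min_length: int = 8):
    """Return (accepted, reason); reason is "" when the candidate is accepted."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if not any(c.isalpha() for c in candidate) or not any(c.isdigit() for c in candidate):
        return False, "must contain both letters and digits"
    # Strip digits first so that "password1" is still recognised as a dictionary word.
    if re.sub(r"\d+", "", candidate.lower()) in COMMON_WORDS:
        return False, "dictionary word"
    if history.contains(candidate):
        return False, f"matches one of the last {HISTORY_DEPTH} passwords"
    return True, ""


def password_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password has been in use for max_age_days or longer."""
    return today - last_changed >= timedelta(days=max_age_days)


if __name__ == "__main__":
    history = PasswordHistory()
    for attempt in ("short1", "lettersonly", "Password1", "Correct7Horse"):
        print(attempt, check_new_password(attempt, history))
    history.remember("Correct7Horse")
    print("reuse:", check_new_password("Correct7Horse", history))
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 3, 31)))
```

Because `PasswordHistory` is bounded by `deque(maxlen=depth)`, a password automatically becomes selectable again once three newer passwords have been remembered, which is exactly the window the policy's "last three (3) passwords" minimum describes; a site that wants a longer memory only changes `depth`.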

Password Resets

Every request for resetting a user network account password or for unlocking an account should be met by a challenge/response to verify the individual is authorized to the account.

Remote Users

Remote users must authenticate through use of a valid Network ID and password in order to access the Emory network.

Sharing Network ID's

The use of a Network ID by multiple individuals is strictly prohibited.