Passwords, Pass-phrases, and Other Authentication Methods Standard

Title

University of North Carolina at Chapel Hill Standard on Passwords, Pass-phrases, and Other Authentication Methods

Introduction

Purpose

Many data security incidents result from unauthorized access to information stored on computers. The University of North Carolina at Chapel Hill ("University" or "UNC-Chapel Hill") controls access to such information by using:

• passwords,
• passphrases consisting of multiple words (recommended), and
• other methods to prove you are you.

You may expose Sensitive Information if you don't take steps to protect that information. You may also affect necessary University services. Following this standard is essential to protect University information and systems.

All methods you use to access systems that connect to the University network need to meet the requirements described below. Accounts for individual people, administrators, and system accounts are all included. You also need to meet the requirements below for any systems that work with University data. The University needs to be able to trace the use to a person.

If you suspect your password or passphrase has been compromised, you must report it at once. You need to be sure that reporting is compliant with University policies.

NOTE: You must meet the requirements even if a system does not make you meet them. For example, you must select passphrases that meet or exceed these standards, even when a system would allow a weaker one. We encourage you to use strong passphrases and methods beyond these requirements. The Information Security Office (ISO) supplies training, security awareness events and activities, and other information to help you.

This standard sets the requirements you must at least meet. Your group, unit, or department may have more standards, or specific system security requirements. You may always choose to exceed these requirements.

Scope

Every person connected with the University including contractors and vendors.

If you fulfill the duties of a system or application administrator or have other privileged technology roles, you have more responsibilities under this Standard.

Standard

You need to use a password, passphrase, or other approved authentication method for all University accounts. This includes individual, administrator, and service accounts. You need to meet the requirements in this standard when you use a passphrase to any devices that connect to a University network. You also need to meet the requirements for any devices that have University Sensitive Information. The University also needs to be able to trace access to individuals on its systems. If you suspect someone knows your passphrase, you need to report it. Follow the University Information Technology Incident Management Standard to report a compromise.

This Standard doesn’t take the place of password policy in your unit or department that has stricter requirements. Departments may use more strict requirements. But they may not allow authentication methods less strict than those described in the Standard.

Requirements people must follow

User, Administrator, and System Account Minimum Pass-phrase Requirements:

•  Systems and applications may use extra mechanisms to protect accounts. An example is forbidding either re-use of a passphrase or passphrases that are too simple.
•  If the system you are on does not allow at least 17 characters, use the longest possible pass phrase you can. For these shorter passwords include upper/lower-case, numbers, and special characters to make the password more complex.
• You must change your passphrase at least once per year.
•  You must change your passphrase whenever you believe it was exposed or compromised. This can occur if you enter it into a fraudulent website, share it with another individual, or if a device you use has a virus or malware infection. The new pass phrase must differ greatly from the exposed pass phrase.
•  We recommend that you use strong authentication methods including: 2-step or multi-factor authentication, wherever available. (Administrator accounts must use 2-step or multi-factor authentication or as otherwise directed in the Security Controls Standard).
• Do not use the same passphrase on both University systems and non-University systems. For example, don’t use the same passphrase for your Onyen and your Google account. We recommend a unique passphrase for each system.
• If a system gives you a default password, you must change it.
• Treat all passphrases as Tier 3 restricted Sensitive Information. Do not share your pass phrases with others except in emergency situations. (Review "System Accounts" and "Exceptions" below for unusual cases). You may only use account credentials if you have authorization. Each person takes responsibility for maintaining the security of their passphrases.

Passwordless

• Passphrases are not required to access a device where a single-device authentication mechanism such as a hardware+PIN, hardware+biometric (fingerprint/palm scan, facial recognition, etc.) is in use. Such devices have a hardware module that makes compromise less likely. They require physical access to the device, which is safer, so these mechanisms may substitute for use of a passphrase. Devices manufactured by Apple, Google, Yubico, Lenovo, Dell, and those using Microsoft Windows Hello for Business exceed the minimum requirements of this Standard.
• Departments wishing to allow the use of proximity cards/tokens to access devices may do so if they have documented best-practice requirements for their users (token cannot be left near computer, regular reporting, reporting of lost/stolen tokens, etc.).

If you can, use methods that exceed the minimum requirements. This includes stronger passphrases, passwordless with PIN or biometric, and public key cryptography.

Onyen accounts

You can trust that the Onyen will only let you use passphrases that are acceptable. The Onyen system will also prompt you when it's time to change your passphrase.

Requirements for configuring systems

System and Application Authentication Configuration Requirements (only for System and Application Administrators):

If you manage or contract for a system, service, or application that must authenticate, you must ensure that it meets or does more than one of the following configuration options:

Option 1, Onyen (Note, the Onyen must be used if feasible):

• System or application uses the Onyen for all user access using University-provided methods (The system would not handle Onyen passwords directly in any way).
• Uses Shibboleth, CAS (Central Authentication Service), or Microsoft Azure.
• Requires 2-step or multi-factor authentication to protect Sensitive Information.

OR
Option 2:

• Require a minimum of 17 characters of any type, and allow very long passphrases.
• Requires new passphrases to be substantially different from earlier passphrases.
•  Use 2-step or multi-factor authentication for any accounts allowed access to Tier 2 or Tier 3 data other than self-service for the account owner. Consult your Information Security Liaison if you cannot use this method.
• Prohibits repetition of characters/words/sequences.
• Forbids the use of passphrases exposed in breaches on that system.
• Requires pass-phrase changes at least every year.

OR

Option 3, Legacy systems (Only to be used for systems which cannot be configured for Option 1 or 2): 

• Require a minimum of eight (8) characters.
• Consultation with the unit’s Information Security Liaison and documentation of need are required.
• Have at least one upper-case letter, at least one lower-case letter, one special character, and at least one numerical digit.
• Require pass-phrase changes at least every 91 days (about three (3) months).
• Require new passphrases to be substantially different from earlier passphrases if technically workable.
• Use 2-step or multi-factor authentication for any accounts allowed access to Tier 2 or Tier 3 data other than self-service for the account owner. (Consult your Information Security Liaison if you cannot meet this requirement.

University units may need more strict or extra methods, such as public key cryptography (revoked when key has been compromised) but may not allow less strict methods than listed here unless an exception applies.

Exceptions

Specialty Devices

Due to the wide variety of specialty devices and their limitations, particularly for pass-phrase management, specialty devices such as fax machines, printers, physical access control equipment, copy machines, specialty lab equipment, phones, etc., are not subject to this standard unless those devices are used to store or protect Sensitive Information or perform mission-critical functions. Where proper, departments should develop their own specific controls for the specialized devices they use.

Service Accounts

Service accounts (also known as System or Device accounts) are often used by a group of administrators, rather than one person. These accounts are used to run IT services for applications (like Web services, database services, an application account created to run a specific application) or as built-in accounts in an operating system or application (like "root" or "system" or "admin"). Service accounts must only be used for system services. Use of a standard user account to run system services is not allowed, and Service Account exceptions do not apply to standard user accounts. Individuals must not log in using service account credentials except when they need to support the specific service/system. Systems should prevent remote logins to service accounts wherever its technically workable. Default passwords must be changed and are not allowed. Requirements above not listed as exceptions apply to service accounts (17 character minimum, for example).
 
In order to ensure that important systems work reliably, service accounts have exceptions to the usual rules. Requirements of this Standard that are technically infeasible for service accounts may follow these exceptions:

Service accounts may be used by more than one individual (an exception to the pass-phrase-sharing prohibition). Passphrases must be changed when an individual with access to the passphrase leaves the department and the individual may still be able to login.

• No lock-out period is required.
• Log-in renewal is not required.
• Multi-factor authentication is not required.
• Use of Public key cryptography (revoked when key has been compromised) is encouraged.
• Credentials must be stored separately from code.
• Service accounts following these exceptions are strongly recommended for log review to monitor their use. That is a strong compensating control.

Single-device authentication

Pass-phrases are not required to access a device where a single-device authentication mechanism such as a hardware+PIN, fingerprint-scan, or facial recognition is in use. Such devices have a hardware module that deters brute-force attacks and require physical access to the device, as such, other length and complexity requirements are not required and these mechanisms may substitute for use of a pass-phrase. Devices manufactured by Apple as well as those Lenovo, Dell, and Microsoft devices that support Microsoft Windows Hello for Business exceed the minimum requirements of this Standard and are an acceptable alternative. For use of hardware+PIN, hardware components must inhibit brute force attacks and PINs must be at least six (6) characters in length. Computers utilizing TPM 1.2 and above or Yubico keys exceed the minimum and are an acceptable alternative. Departments wishing to allow the use of proximity cards/tokens may do so if documented best-practices are in place (e.g. token cannot be left near computer, report lost/stolen tokens, etc.).

Other Exceptions

If you have a system that cannot meet the requirements of this Standard, or you would like to seek an exception for another method we haven’t listed here, please send a request via help.unc.edu for acceptable alternatives. The Information Security Office may also give Exceptions to this Standard by publishing or documenting an alternative set of controls as equivalent and acceptable.

Definitions

• Administrator: User account with higher privileges than a standard user of an application or operating system. This includes administrators of servers, multi-user applications, privileged access to applications, or sudo access. A user who can set privilege levels for other users is an administrator. NOTE: This does not include common use of "local-admin" privileges on individual devices.
• Authorization: Access privileges granted to a user, program, or process or the act of granting those privileges.
• Authentication: Verifying the identity of a user, process, or device, usually before allowing access to resources in an information system. Stronger authentication systems often use a combination of biometrics, memorized secrets, analytics, and hardware.
• Facial recognition: The use of camera(s) to uniquely identify an individual.
• Fingerprint: The use of a fingerprint reader to uniquely identify an individual.
• Password/Pass-Phrase: A protected character string used to verify the identity of a computer system user or to allow access to system resources.
• PIN: Usually a numeric code used to authenticate to a hardware component.
• Public key cryptography: Cryptography using the NIST-approved algorithms (See references) when the private key is safeguarded (password or PIN protected, physically safeguarded, etc.).
• Sensitive Information: Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.
• Unauthorized Access:  Occurs when a user, legitimate or unauthorized, accesses resources that they are not allowed to use.

Related Requirements

External Regulations and Consequences

• NIST (National Institute of Standards and Technology) Special Publication (SP) 800-131A Rev. 2: Transitioning the Use of Cryptographic Algorithms and Key Lengths
• More information used in this Standard may be found at: NIST SP 800-63-3: Digital Identity Guidelines
• Failure to follow this Standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who do not adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors and vendors who do not adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.
• Violation of this Standard may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

• Information Security Policy
• Information Classification Standard
• Information Security Controls Standard
• Information Security Incident Management Standard
• UNC-Chapel Hill Onyen Password page
• UNC recommendations on creating a strong password

Contact Information

Primary Contact

ITS Information Security Office

• Phone: 919-962-HELP/4357
• Web: help.unc.edu

Other Contacts

ITS Policy Office

• Phone: 919-962-HELP/4357
• Email: its_policy@unc.edu
• Web: help.unc.edu

To report a compromised password/pass-phrase/account, please call 919-962-HELP/4357

Important Dates

Revisions prior to addition to University repository

• Effective Date and title of Approver: (Previous documents, UNC-Chapel Hill Password Standard for General Users and Password Standard for System and Application Administrators)
  1. Effective Date: 3/16/2015 (both)
  2. Approver: Chief Information Security Officer
• Revision and Review Dates, Change notes, title of Reviewer or Approver:
  1. Revised Date: 10/25/2017
  2. Revised by: Chief Information Security Officer
  3. Substantive Revisions: Revised password complexity requirements. Combined User and Administrator Standards into single document. Removing section on RACF. Removed timeout control to Information Security Controls Standard
     
     Provided options for password duration involving 2-factor Verification. Clarifications throughout.