Passwords, Pass-phrases, and Other Authentication Methods Standard

Title

University of North Carolina at Chapel Hill Standard on Passwords, Pass-phrases, and Other Authentication Methods

Introduction

Purpose

Many information security incidents result from unauthorized access to information stored on computers. Frequently, access to such information is controlled through the use of passwords, pass-phrases, and other authentication methods.

The failure to protect information through the use of strong passwords/pass-phrases and additional authentication methods may result in incidents that expose sensitive information and/or impact mission-critical UNC-Chapel Hill services. Adherence to this Standard is essential to protect University Information and systems.

In accordance with the Information Security Policy, this document sets forth password/pass-phrase requirements for all UNC-Chapel Hill individual user accounts, administrator accounts, and system accounts. All authentication methods used to access computing systems that connect to the University network or contain University data must meet the specific minimum requirements described below and must be traceable to individual users. Any suspected compromise of a pass-phrase must be reported immediately in compliance with the Policy on Incident Management.

NOTE: These requirements must be met even if a system does not enforce them with technical controls (users must select pass-phrases meeting or exceeding these standards even when a system would allow a weaker pass-phrase). Users are encouraged to use strong pass-phrases and additional authentication methods above and beyond these minimum requirements. The Information Security Office (ISO) provides training, security awareness events and activities, and other information to assist you.

This standard sets minimum requirements. Group, unit, or departmental standards, or specific system security requirements may impose more stringent or additional requirements than the minimum set forth here. Best practice guidance may also exceed these minimum requirements.

Scope of Applicability

This Standard applies to all University Constituents.

Constituents who fulfill the duties of system or application administrators or other privileged technology roles have elevated responsibilities under this Standard. 

NOTE: Contractors, vendors and others managing UNC-Chapel Hill systems are considered “Constituents.”

Standard

All UNC-Chapel Hill individual user, administrator, and system accounts are required to use a password/pass-phrase and/or other authentication method(s) in accordance with this Standard. All pass-phrases used to access computing devices that connect to the UNC-Chapel Hill network or hold University Sensitive Information must meet the specific minimum requirements described in this Standard and must be traceable to individual users. Any suspected compromise of a pass-phrase must be reported in accordance with the University Incident Management Procedure.

This Standard does not supersede any unit or departmental pass-phrase policy that imposes more stringent requirements than the minimum requirements set forth here. Departments may employ additional or more stringent requirements but may not permit authentication methods less stringent than those described in the Standard.

User Standard

User, Administrator, and System Account Minimum Pass-phrase Requirements:

  • Systems and applications may use additional mechanisms to protect accounts (such as forbidding either re-use of a pass-phrase or pass-phrases that are too simple). 
  • You must use a pass-phrase of at least 17 characters. If the system you are on does not allow at least 17 characters, use the longest possible pass-phrase the system will allow, and include upper/lower-case, numbers, and special characters to make the pass-phrase more complex.
  • You must change your pass-phrase at least once per year.
  • You must change your pass-phrase whenever you believe it may have been exposed or compromised such as after it has been entered into a fraudulent website, shared with another individual, or a device you use has suffered a virus or malware infection. The new pass-phrase must be substantially different from the exposed pass-phrase.
  • Use of 2-step or multi-factor authentication wherever it is available is strongly recommended (for Administrator accounts, it is required if feasible).
  • Do not use the same pass-phrase on both University systems and non-University systems (for example, don’t use the same pass-phrase for your Onyen and your GMail or Twitter account). A unique pass-phrase for each system is strongly recommended. Default passwords must be changed and are not permitted.
  • Treat all pass-phrases as Tier 3 restricted sensitive information. Do not share your pass-phrases with others except in emergency situations (see "System Accounts" and "Exceptions" below for special cases). You may only use account credentials for which you have been authorized. Each individual is responsible for maintaining the security of their pass-phrases.

Onyen accounts: When setting your Onyen pass-phrase, the system will use adaptive methods to help you select one that is acceptable and will reject pass-phrases that are too short, too simple, or otherwise unacceptable. A pass-phrase that the Onyen system accepts is sufficient to meet this minimum standard. The Onyen system will prompt you to change your pass-phrase when a change is required.

You are also encouraged to use authentication methods that exceed the minimum requirements above (stronger pass-phrases, facial recognition, fingerprint scans, public key cryptography, or additional factors).

Configuration Standard

System and Application Authentication Configuration Requirements (for System and Application Administrators):

If you are responsible for managing or contracting for a system or application that requires authentication, you must ensure that at a minimum it meets one of the following configuration options:

Option 1, Onyen (Note, the Onyen must be used if it is technically and operationally feasible. Onyen system and authentication requirements are approved by the CISO.):

  • System or application uses the Onyen to provide authentication services. (Third-party authentication such as Shibboleth, Active Directory Federation Services (ADFS), or Central Authentication Service (CAS) is strongly recommended for Web applications.)
  • Where feasible, requires 2-step or multi-factor authentication.

OR
Option 2:

  • Requires a minimum of 17 characters of any type, and allows very long pass-phrases.
  • Requires new pass-phrases to be substantially different from previous pass-phrases.
  • Where technically feasible, requires 2-step or multi-factor authentication for any accounts allowed access to Tier 2 or Tier 3 data other than self-service for the account owner.
  • Prohibits repetition of characters/words/sequences.
  • Prohibits the use of pass-phrases which have been exposed in breaches on that system.
  • Requires pass-phrase changes at least every year.

OR
Option 3, Legacy systems (only to be used for systems which cannot be configured for Option 1 or 2):

  • Requires a minimum of 8 characters.
  • Requires at least one upper-case letter, at least one lower-case letter, and at least one numerical digit.
  • Requires at least one of these characters: !@#$%&*+={}?<>"'
  • Rejects pass-phrases that start with a hyphen, end with a backslash (\), or contain a double-quote (") anywhere except as the last character.
  • Requires pass-phrase changes at least every 91 days.
  • Requires new pass-phrases to be substantially different from previous pass-phrases, if technically feasible.
  • If feasible, uses 2-step or multi-factor authentication for any accounts allowed access to Tier 2 or Tier 3 data other than self-service for the account owner. (Consultation with the unit’s Information Security Liaison is required to document technical infeasibility.)

University units may employ more stringent authentication requirements or additional authentication methods, such as public key cryptography (revoked when key has been compromised), beyond those outlined in this document but may not allow less stringent authentication than listed here unless an exception applies.
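The following is an added illustration (not the University's own code) of how an administrator might check a candidate pass-phrase against the Option 2 and Option 3 rules above, including the edge case where a double-quote is permitted only as the last character. The breached-pass-phrase list is a constructed sample, and the "repetition" and "substantially different" thresholds are assumptions, since the Standard does not define them.

```python
"""Acceptance checks modelled on Options 2 and 3 of the UNC-Chapel Hill Standard.
Hypothetical example; thresholds for repetition and similarity are assumptions."""
import difflib
import re

OPTION3_SPECIALS = set('!@#$%&*+={}?<>"\'')   # the set named in Option 3
# Constructed sample of pass-phrases known to have been exposed on this system.
BREACHED_ON_SYSTEM = {"correct horse battery staple", "Tarheels2017!!"}


def too_similar(new: str, old: str, threshold: float = 0.7) -> bool:
    """Assumed test for 'substantially different': case-insensitive edit similarity."""
    return difflib.SequenceMatcher(None, new.lower(), old.lower()).ratio() >= threshold


def check_option2(passphrase: str, previous: tuple = ()) -> list:
    """Return the Option 2 rules a pass-phrase violates (empty list = acceptable)."""
    problems = []
    if len(passphrase) < 17:
        problems.append("fewer than 17 characters")
    # Assumed reading of 'repetition': a character three or more times in a row,
    # or any two-or-more character sequence immediately repeated ("abab", "123123").
    if re.search(r"(.)\1\1", passphrase) or re.search(r"(..+)\1", passphrase):
        problems.append("repeated characters/words/sequences")
    if passphrase in BREACHED_ON_SYSTEM:
        problems.append("exposed in a breach on this system")
    if any(too_similar(passphrase, old) for old in previous):
        problems.append("not substantially different from a previous pass-phrase")
    return problems


def check_option3(passphrase: str) -> list:
    """Return the Option 3 (legacy) rules a pass-phrase violates."""
    problems = []
    if len(passphrase) < 8:
        problems.append("fewer than 8 characters")
    if not (re.search(r"[A-Z]", passphrase) and re.search(r"[a-z]", passphrase)
            and re.search(r"[0-9]", passphrase)):
        problems.append("needs upper-case, lower-case and a digit")
    if not OPTION3_SPECIALS & set(passphrase):
        problems.append("needs one of " + "".join(sorted(OPTION3_SPECIALS)))
    if passphrase.startswith("-"):
        problems.append("starts with a hyphen")
    if passphrase.endswith("\\"):
        problems.append("ends with a backslash")
    if '"' in passphrase[:-1]:   # a double-quote is allowed only as the last character
        problems.append("double-quote not in last position")
    return problems
```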

Exceptions

Compliance with previous Password Policy/Standard documents superseded by this Standard is sufficient until six months after approval of this Standard, at which point full compliance with this Standard is required.

Specialty Devices

Due to the wide variety of specialty devices and their frequently limited capabilities, particularly with regard to pass-phrase management, specialty devices such as fax machines, printers, physical access control equipment, copy machines, specialty lab equipment, phones, etc., are not subject to this standard unless those devices are used to store or protect sensitive information or perform mission-critical functions. Where appropriate, departments should develop their own specific standard for the specialized devices they use to ensure that adequate authentication controls are present.

Service Accounts 

Service accounts (also known as System or Device accounts) are typically not associated with an individual user. These accounts are used to run IT services for applications (e.g., Web services, database services, an application account created to run a specific application) or as built-in accounts in an operating system or application (e.g., “root”, “system”, or “admin”). Service accounts must only be used for system services. Use of a standard user account to run system services is prohibited, and the exceptions below do not apply to standard user accounts. Individuals must not log in using service account credentials except as needed in the scope of supporting the specific service/system. Systems should be configured to prevent remote logins to service accounts wherever technically feasible. Default passwords must be changed and are not permitted. Requirements not listed below as exceptions remain in force (the 17-character minimum, for example). With those constraints in place, in order to ensure that key services are not disrupted, and because some requirements of this Standard may be technically infeasible for service accounts, the following exceptions apply:

These accounts may be managed by more than one individual (an exception to the pass-phrase-sharing prohibition). Pass-phrases must be changed when an individual with access to the pass-phrase leaves the department and may still have the ability to log in.

  • No lock-out period is required.
  • Log-in renewal is not required.
  • Multi-factor authentication is not required.
  • Accounts may use public key cryptography (revoked when the key has been compromised) rather than pass-phrases.
  • Device-specific authorization may substitute for other authentication methods.

Use of login/usage review as a compensating control is strongly recommended for service accounts. 

Single-device authentication 

Pass-phrases are not required to access a device where a single-device authentication mechanism such as hardware+PIN, fingerprint scan, or facial recognition is in use. Such devices have a hardware module that deters brute-force attacks and require physical access to the device; as such, the length and complexity requirements above do not apply, and these mechanisms may substitute for use of a pass-phrase. Devices manufactured by Apple, as well as those Lenovo, Dell, and Microsoft devices that support Microsoft Windows Hello for Business, exceed the minimum requirements of this Standard and are an acceptable alternative. For use of hardware+PIN, hardware components must inhibit brute-force attacks and PINs must be at least 6 characters in length. Computers utilizing TPM 1.2 and above or Yubico keys exceed the minimum and are an acceptable alternative. Departments wishing to allow the use of proximity cards/tokens may do so if documented best practices are in place (e.g., the token may not be left near the computer, lost/stolen tokens must be reported, etc.).

Other Exceptions

If you have a system that cannot meet the requirements of this Standard, or you would like to seek an exception to allow use of an alternative authentication method, please contact the ISO in writing for acceptable alternatives. (Exceptions to this Standard must be made in writing by the ISO by approving an alternative set of pass-phrase/authentication controls as functionally equivalent/acceptable.)

Definitions

Administrator: User account with higher privileges than a standard user of an application or operating system. This includes administrators of servers, multi-user applications, privileged access to applications, or sudo access. A user who can set privilege levels for other users is an administrator. NOTE: This does not include common use of "local-admin" privileges on individual devices.

Authorization: Access privileges granted to a user, program, or process or the act of granting those privileges.

Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Facial recognition: The use of camera(s) to uniquely identify an individual.

Fingerprint: The use of a fingerprint reader to uniquely identify an individual.

Password/Pass-Phrase: A protected character string used to authenticate the identity of a computer system user or to authorize access to system resources.

PIN: A typically numeric code used to authenticate to a hardware component.

Public key cryptography: Cryptography using NIST-approved algorithms where the private key is safeguarded (e.g., password protected, physically safeguarded, etc.).

Sensitive Information: Information classified as Tier 2 or Tier 3 in the UNC-Chapel Hill Information Classification Standard.

Unauthorized Access: Occurs when a user, legitimate or unauthorized, accesses resources that the user is not permitted to use.

University Constituent: UNC-Chapel Hill faculty, staff, students, retirees and other affiliates, contractors, distance learners, visiting scholars and others who use or access UNC-Chapel Hill resources.

Related Requirements

External Regulations and Consequences

NIST Special Publication 800-131A on Public-Key Cryptography

Failure to adhere to this Standard may put University information assets at risk and may have disciplinary consequences for employees, up to and including termination of employment. Students who fail to adhere to this policy may be referred to the UNC-Chapel Hill Office of Student Conduct. Contractors and vendors who fail to adhere to this policy may face termination of their business relationships with UNC-Chapel Hill.

Violation of this Standard may also carry the risk of civil or criminal penalties.

University Policies, Standards, and Procedures

Information Security Policy

Information Security Controls Standard

UNC-Chapel Hill Onyen Password page

UNC recommendations on creating a strong password

Information Classification Standard

Contact Information

Primary Contact

ITS Information Security Office
https://help.unc.edu/
Phone: 919-962-HELP

Other Contacts

ITS Policy Office its_policy@unc.edu

To report a compromised password/pass-phrase/account, please call 919-962-HELP

Important Dates

Revisions prior to addition to University repository

  • Effective Date and title of Approver (previous documents: UNC-Chapel Hill Password Standard for General Users and Password Standard for System and Application Administrators):
    1. Effective Date: 3/16/2015 (both)
    2. Approver: Chief Information Security Officer
  • Revision and Review Dates, Change notes, title of Reviewer or Approver:
    1. Revised Date: 10/25/2017
    2. Revised by: Chief Information Security Officer
    3. Substantive Revisions: Revised password complexity requirements. Combined User and Administrator Standards into a single document. Removed section on RACF. Moved timeout control to Information Security Controls Standard. Provided options for password duration involving 2-factor verification. Clarifications throughout.

Details

Article ID: 131256
Created: Thu 4/8/21 9:04 PM
Modified: Wed 4/21/21 11:08 AM
Effective Date: 05/05/2020 4:41 PM
Issuing Officer Title: AVC for Institutional Privacy and CISO
Last Review: 05/05/2020 4:41 PM
Last Revised: 03/11/2019 12:00 AM
Origination: 03/16/2015 12:00 AM
Responsible Unit: Information Technology Services