Password Policy

Section 1 - Overview

(1) The purpose of this Policy is to establish a standard for the creation of strong passwords and the protection of those passwords at the University of New England (UNE).

(2) Passwords and multi-factor authentication are a crucial aspect of cyber security and are the front line of protection for user and privileged accounts. A poorly chosen password may result not only in the compromise of an individual's account, but also in the compromise of UNE's entire network. A compromised password may be the first step to a further security breach or the hijacking of an account for other purposes.

(3) All UNE Representatives and students are responsible for taking appropriate action to select and secure their passwords.

Section 2 - Scope

(4) This Policy applies to all UNE Representatives and UNE students who have or are responsible for an account or any form of access that supports or requires a password on any system that:

  1. is hosted by or on behalf of UNE;
  2. has access to the UNE Network and online services; or
  3. stores any non-public UNE information.

Section 3 - Policy

General

(5) All user level passwords must be changed at least annually.

(6) A user must change their password if instructed to do so by a member of the TDS secops team.

(7) Passwords used at UNE must be unique to UNE and not the same as passwords used for other applications such as Facebook, Gmail, Twitter etc.

(8) All administrative privileged ('super user') accounts must not be remotely accessible. System administrators must log in to a host using their standard non-privileged account and then log in to the privileged account locally from their non-privileged account. Where privileged accounts are remotely accessible, they must be protected with multi-factor authentication unless authorised in writing by the Chief Information Officer.

(9) In the event that a UNE Representative with password access to a privileged account no longer requires that access (e.g. should they leave UNE or change position within UNE such that access to the account is no longer appropriate), the password to the account must be changed. Only those who require immediate access to a privileged account will be aware of its password.

(10) Multi-factor authentication should be used in combination with passwords on systems that support multi-factor authentication unless authorised in writing by the Chief Information Officer.

Disclosure and protection

(11) Passwords must not be shared or disclosed under any circumstances (including inserting into email messages or other forms of electronic communication).

(12) Passwords must be protected at all times and you must not:

  1. write down your password and keep it in an unsecured place; or
  2. allow your web browser to store your password information.

Password strength

(13) All UNE passwords must be at least 10 characters in length.

(14) All passwords for privileged accounts must be between 12 and 18 characters in length.

(15) Passwords must not be easy to guess and must be safe from dictionary attacks.

(16) All applications, including applications running on cloud services and mobile devices that request password authentication, must use secure encrypted communication channels for password transactions.

(17) All applications must use strong encryption and/or hashes for password storage unless explicitly authorised in writing by the Chief Information Officer. The storage and use of plain-text passwords is prohibited.
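As an added illustration, not part of the UNE Policy or of any UNE system, the following Python checks a candidate password against the length rules in (13) and (14) and the dictionary requirement in (15), then stores it as a salted hash rather than plain text as (17) requires. The word list, the leet-substitution table, the salt size and the PBKDF2 iteration count are constructed assumptions; the Policy does not specify them.

```python
import hashlib
import hmac
import os
import re

# Constructed sample word list; a real deployment would load a breached-password
# or dictionary list instead. Entries are lower-case letters only.
COMMON_WORDS = {"password", "university", "newengland", "welcome", "armidale"}

# Undo common letter-for-symbol substitutions before the dictionary test (assumed mapping).
LEET = str.maketrans("4301$@!", "aeolsai")


def _normalise(pw: str) -> str:
    """Lower-case, reverse leet substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def check_password(pw: str, privileged: bool = False) -> list:
    """Return the clauses of (13)-(15) the candidate violates; an empty list means compliant."""
    problems = []
    if privileged:
        if not 12 <= len(pw) <= 18:
            problems.append("(14) privileged passwords must be 12-18 characters")
    elif len(pw) < 10:
        problems.append("(13) passwords must be at least 10 characters")
    core = _normalise(pw)
    if any(word in core for word in COMMON_WORDS):
        problems.append("(15) password contains a dictionary word")
    if len(set(pw)) < 4:  # e.g. "aaaaaaaaaa" or "1212121212"
        problems.append("(15) password is trivially guessable (too few distinct characters)")
    return problems


# Assumed work factor; the Policy only requires a strong hash, not a specific one.
ITERATIONS = 600_000


def hash_password(pw: str) -> dict:
    """Persist only a random salt and a PBKDF2-HMAC-SHA256 digest, never the plaintext (17)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(pw: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    for candidate, priv in [("P@ssw0rd123", False), ("Tr0ub4dor&3xyz", True)]:
        print(candidate, check_password(candidate, priv) or "compliant")
```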

(18) Applications requiring login must use UNE's centralised authentication and authorisation infrastructure unless authorised in writing by the Chief Information Officer.

(19) Applications must avoid implementation of 'ad hoc' authentication and authorisation processes. Where this cannot be avoided, the processes adopted must be approved by the Chief Information Officer.

Section 4 - Authority and Compliance

Authority

(20) The Vice-Chancellor and Chief Executive Officer, pursuant to Section 29 of the University of New England Act 1993 makes this University Policy.

(21) The Policy Steward, the Chief Information Officer, is authorised to make procedures, that are consistent with this Policy, for the operation of this Policy. Matters of non-compliance may be a breach of the Code of Conduct and may be addressed under the disciplinary provisions of the relevant Enterprise Agreement.

Compliance

(22) UNE Representatives and students must observe this Policy in relation to passwords.

(23) This Policy operates as and from the Effective Date. Previous Policies relating to passwords are replaced and have no further operation from the Effective Date.

(24) Notwithstanding the other provisions of this Policy, the Vice-Chancellor and Chief Executive Officer may approve an exception to this Policy where the Vice-Chancellor and Chief Executive Officer determines the application of this Policy would otherwise lead to an unfair, unreasonable or absurd outcome. Approvals by the Vice-Chancellor and Chief Executive Officer under this clause must be documented in writing and must state the reason for the exception.

Section 5 - Quality Assurance

(25) This Policy is supported by the University Executive through the oversight of the Security Council.

  1. Security Awareness is quality assured through embedded testing in the training courses. Reporting: automated reporting to People and Culture.
  2. The management of Information Security is both self-assessed and independently measured. Reporting: to the Security Council, with maturity and performance reported.
  3. Password leakage/disclosure will be verified by external monitoring services. Reporting: automated reporting to Security Operations.

Section 6 - Definitions (specific to this Policy)

(26) Applications means a software program that runs in the cloud, on a server, or on your computer or mobile device. For example, Finance One, Callista, Web Kiosk, web browsers and e-mail are all applications. The word "application" is used because each program has a specific application for the user.