(1) The purpose of this Policy is to establish a standard for creation of strong passwords and the protection of those passwords. (2) Passwords are a crucial aspect of computer security and are the front line of protection for user accounts. A poorly chosen password may result not only in compromise of an individual's account, but also in the compromise of UNE's entire network. A compromised password may be the first step to a further security breach or the hi-jacking of your account for other purposes. (3) As such, all (4) The scope of this policy includes all (5) All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. (6) Passwords used at UNE must be unique to UNE and not the same as passwords used for other applications such as Facebook, Gmail, Twitter etc. (7) All administrative privileged ('super user') accounts must not be remotely accessible. System administrators must log in to a host using their standard non-privileged account and then log in to the privileged account locally from their non-privileged account. (8) All privileged accounts must have their password changed every 90 days. (9) In the event that a (10) Passwords must not be shared or disclosed under any circumstances (including inserting into email messages or other forms of electronic communication). (11) Passwords must be protected at all times and you must not: (12) All UNE passwords must be between 8 and 18 characters in length. (13) All passwords for privileged accounts must be between 12 and 18 characters in length. (14) Passwords must be difficult to guess and safe from dictionary attacks. (15) All passwords must contain upper and lower case characters, at least one (1) digit and at least one (1) punctuation character (e.g. !"#$%&'()*+,-.:;<=>?@[]^_{|}~). (16) All applications, including applications running on mobile devices that request password authentication, must use secure encrypted communication channels for password transactions. (17) All applications must use strong encryption and/or hashes for password storage unless explicitly authorised in writing by the Chief Information Officer. The storage and use of plain-text passwords is prohibited. (18) Whenever possible, applications must use UNE's centralised authentication and authorisation infrastructure. (19) Applications must avoid implementation of 'ad hoc' authentication and authorisation processes. Where this cannot be avoided, the processes adopted must be approved by the Chief Information Officer. (20) All (21) The Chief Information Officer is authorised to administer this Policy. (22) This is a Vice-Chancellor and Chief Executive Officer Policy and authorisations set out in this policy are authorisations of the Vice-Chancellor and Chief Executive Officer. The Vice-Chancellor and Chief Executive Officer retains discretion over decisions made under this Policy. (23) Applications means is a software program that runs on your computer or mobile device. For example; Finance One, Callista, Web Kiosk, web browsers and e-mail, are all applications. The word "application" is used because each program has a specific application for the user. (24) Dictionary Attacks means a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. Dictionaries include multi language and types, for example a dictionary of science fiction, biography, economics, philosophy, music etc. (25) HTTPS means "HyperText Transport Protocol Secure." HTTPS is the same thing as HTTP, but uses a secure socket layer (SSL) for security purposes. Some examples of sites that use HTTPS include banking and investment websites, e-commerce websites, and most websites that require you to log in. (26) PGP means "Pretty Good Privacy". PGP is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. (27) Privileged Account means a login ID on a system or application which has more privileges than a normal user. Privileged accounts are normally used by system administrators to manage the system, or to run services on that system, or by one application to connect to another . (28) Secure and Encrypted Communications means the transmission of data over communication channels which protect against the interception or modification of the data by a 3rd party. For web based communications, this generally refers to using HTTPS, a secure form of the HTTP protocol, which encrypts the data being sent between the user's web browser and remote web server. For email communications, common solutions include using PGP encryption or it can be as simple as sending sensitive data in an attachment which has been encrypted or password protected. For more details on secure communications and recommended software packages, contact the Technology and Digital Services.General Password Policy
Section 1 - Overview
Section 2 - Scope
Top of PageSection 3 - Policy
General
Disclosure and Protection
Password Strength
Applications
Policy Compliance
Section 4 - Definitions
View Current
This is not a current document. To view the current version, click the link in the document's navigation bar.