资讯科技密码标准

概述

This standard addresses the authentication requirements for university accounts to ensure the confidentiality, 完整性, and availability of university data and technology resources. Varying requirements reflect the current mitigation with multi factor authentication (MFA) as well as known risks.

政策参考

• APM 30.15 密码和认证策略
• APM 30.10 身份和访问管理策略
• APM 30.11 University Data Classification and 标准

范围

These standards establish password requirements for all university faculty, 工作人员, 学生, 附属机构访问, 存储, and processing UI data or using UI technology resources at any data classification level. 生效日期:2019年4月16日.

标准

1. Length and 过期 标准 for 个人帐户s
   1. 低风险(例如). Student) password requirements for length and expiration:

      身份验证因素	最小字符	过期
      仅与Duo Mobile或硬件因素有关	12个字符	不定
      支持所有MFA类型	12个字符	400天

   2. 中度风险(例如.大多数学院 & 工作人员) password requirements for length and expiration:

      身份验证因素	最小字符	过期
      仅与Duo Mobile或硬件因素有关	12个字符	不定
      支持所有MFA类型	12个字符	400天

   3. 高的风险 password requirements for length and expiration:

      身份验证因素	最小字符	过期
      仅与Duo Mobile或硬件因素有关	12个字符	1095天
      支持所有MFA类型	12个字符	90天

2. Length and 过期 for Shared/Functional/特权帐户s
   1. Shared account password requirements for length and expiration:

      风险	身份验证因素	最小字符	过期
      低	仅与Duo Mobile或硬件因素有关	12个字符	不定
      低	支持所有MFA类型	12个字符	400天
      中度或高度	仅与Duo Mobile或硬件因素有关	12个字符	1095天
      中度或高度	支持所有MFA类型	12个字符	90天

   2. Functional account password requirements for length and expiration:

      风险	身份验证因素	最小字符	过期
      任何	仅与Duo Mobile或硬件因素有关	30个字符	1825天
      任何	MFA阻塞	30个字符	1825天

   3. Privileged account password requirements for length and expiration:

      风险	身份验证因素	最小字符	过期
      高	仅与Duo Mobile或硬件因素有关, or MFA阻塞	12个字符	400天

3. Password aging, history, and dictionary requirements
   1. New passwords may be immediately changed after previous change.
   2. Password history, or limits on reuse of previous passwords:
      系统s must be configured to prevent re-use of at least the last 24 passwords. 哪里的系统不支持这个, the system must be reviewed and approved by the ITS 安全 Office and any identified risks appropriately mitigated.
   3. 词典要求:
      1. Standard dictionary checks on passwords are no longer required for individual UI passwords protected by MFA.
      2. 哪些系统支持这种使用, dictionaries of known bad passwords must be checked to prevent use of susceptible passwords.
4. Multifactor authentication requirements for systems

   系统	Additional 身份验证因素 Required
   高的风险	是的
   适度的风险	是的，密码暴露在互联网上
   低风险	由系统所有者自行决定

5. 当前支持的硬件因素
   1. HOTP tokens provided and assigned by ITS, including those branded by Duo or Feitian
   2. Universal 2nd Factor (U2F) tokens supported by Duo, including Yubikeys
6. 移动设备, including mobile phones and tablets accessing or processing UI data, or providing local authentication to UI data classified as 中度或高度 risk, are required to enforce a PIN and/or biometric authenticator
   1. Mobile device password/PIN standards shall be:
      1. 至少6个数字或字符
      2. No allowed repeating or sequential PINs (i.e.、123456、999999等.)
      3. Automatically lock or erase after multiple bad authentication attempts
   2. ITS requires use of ITS-managed Application Protection, or Mobile Device Management to ensure security of UI data and meet this and other requirements, where data is processed at the 中度或高度 classification level.
   3. Where laptop computers are configured with ITS-approved biometric authentication, they shall also be required to meet ITS mobile device standards for authentication with PIN.
   4. Approved biometrics include, but are not limited to:
      1. 苹果面部识别或指纹
      2. Microsoft Hello Face ID or Fingerprint, including the convenience PIN
      3. Android生物识别技术

其他参考资料

• NIST sp800 - 171 (2016年1月)
• NIST SP800-53r4 (2013年4月)
• 顺式控制 version 7

定义*

*For further clarification, refer to APM or NIST sp800 - 171.

标准的主人

UI Information Technology 服务 (ITS) is responsible for the content and management of these standards.

修订历史

下载adobereader