Example Password Policies

Security is an important aspect of networking and creating a strong password is essential. These are examples of password policies that would help create a strong password that cannot easily be cracked or guessed.

Running head: PASSWORD POLICY 1

Password Policy

Melissa Simmons

Rasmussen College

Author Note

This assignment is being submitted on August 14, 2013 for Jason Endris’ N141/CET2660C Section 02 Networking Security course.

Learning Center Webmail Password Policy

Overview

When it comes to security, one of the most important aspects is setting up a password. This helps control access to a computer or resource. A password must also be chosen wisely. It should be a strong one that cannot be easily guessed or cracked. If the password lacks strength, it could result in unauthorized access and/or exploitation of one’s resources. All users must take the steps outlined in this policy to ensure the strength of their passwords and to keep those passwords secure.

Purpose

The purpose of this policy is to detail how to create strong passwords and how to keep those passwords from others. It will also outline how to ensure that the passwords are changed on a frequent basis.

Scope

The scope of this policy includes all personnel and student work studies affiliated with accessing the Learning Center’s webmail.

Policy

1. General

The password for the Learning Center’s webmail should be kept in a safe place.

Should an employee or work study forget the password, they should go to the Learning Center Coordinator to re-learn the password.

The password should be changed on a regular basis. This helps to ensure that former employees and student tutors cannot access the webmail after they have left. This also helps to ensure that the password cannot be cracked as easily. It is recommended that this occurs every 13 weeks.

All passwords must follow the guidelines set forth in this policy.

2. Guidelines

A. Password Construction Guidelines

Strong passwords utilize a combination of certain characters. Those characters are as follows:

- Numbers
- Upper case letters
- Lower case letters
- Special characters, such as #, @, &, %

Strong passwords also have a minimum number of characters to ensure they cannot be easily guessed or cracked. It is recommended that this length be a minimum of 18 characters.

Weaker passwords do not use a combination of characters. They are usually easily remembered words. These types of words may be convenient for a worker, but they are also convenient for attackers.

Weak passwords also consist of fewer than 15 characters. These types of passwords require less work and time for an attacker to crack.

Two examples of acceptable passwords are:

- MSPress#1&MUS$304H
- 9055HUZ#RA61Mawl0A

B. Standards for Protecting Passwords

The password should not be written down and stored in a location where anyone can see it. This includes writing it down on a sticky note and attaching it to a laptop or desk. This defeats the purpose of creating the password.

Do not allow Internet Explorer or any other browser to remember the password after logging into webmail.

Do not store the password online without utilizing a form of encryption. If the password is stored in plain text, anyone can read it.

Do not discuss or share the password with anyone. Those that are authorized to have the password will be granted the access they need.

Ensure that no one is behind or beside you when logging into webmail.

C. Password Rotation

The password should be changed on a regular basis. At the end of each quarter, by week 13, the password should be changed.

When changing a password, a previously used password cannot be reused. Each password should be unique to help ensure that someone with knowledge of a previous password will not be able to guess the new one after dissolution of employment.

Enforcement

If anyone is found to have violated this policy, appropriate measures will be taken. These measures include verbal warning, written warning, and/or termination. It is important that these guidelines are always followed. Random actions will be taken to ensure the password meets these standards. These actions include password cracking and/or random guessing attempts.

Home User Password Policy

Overview

When it comes to security, one of the most important aspects is setting up a password. This helps control access to a computer or resource. A password must also be chosen wisely. It should be a strong one that cannot be easily guessed or cracked. If the password lacks strength, it could result in unauthorized access and/or exploitation of one’s resources. All users must take the steps outlined in this policy to ensure the strength of their passwords and to keep those passwords secure.

Purpose

The purpose of this policy is to detail how to create strong passwords and how to keep those passwords from others. It will also outline how to ensure that the passwords are changed on a frequent basis.

Scope

The scope of this policy includes anyone wishing to utilize the network, computer systems, and other resources on their home computers.

Policy

3. General

Passwords for any resources being utilized at home should be kept in a safe place and/or memorized. Should a user forget the password, they should have to find the administrator of the computer to learn the password or have to pass a two-factor authentication process in order to change the password.

Passwords should be changed on a regular basis. This helps to ensure that unauthorized individuals cannot access the home resources should they learn of passwords. This also helps to ensure that the password cannot be cracked as easily. It is recommended that this occurs at least every three months.

All passwords must follow the guidelines set forth in this policy.

4. Guidelines

D. Password Construction Guidelines

Strong passwords utilize a combination of certain characters. Those characters are as follows:

- Numbers
- Upper case letters
- Lower case letters
- Special characters, such as #, @, &, %

Strong passwords also have a minimum number of characters to ensure they cannot be easily guessed or cracked. It is recommended for home users that this length be a minimum of 16 characters.

Weaker passwords do not use a combination of characters. They are usually easily remembered words. These types of words may be convenient for a worker, but they are also convenient for attackers. Dictionary words should not be used either.

Weak passwords also consist of fewer than 15 characters. These types of passwords require less work and time for an attacker to crack.

Two examples of acceptable passwords are:

- HPC#901chrlAPaK$
- 7735amd#547AO0$2

E. Standards for Protecting Passwords

The password should not be written down and stored in a location where anyone can see it. This includes writing it down on a sticky note and attaching it to a laptop, desktop, or desk. This defeats the purpose of creating the password.

Do not allow Internet Explorer or any other browser to remember passwords.

Do not store the password online without utilizing a form of encryption. If the password is stored in plain text, anyone can read it.

Do not discuss or share the password with anyone.

Ensure that no one is behind or beside you when creating or inputting passwords.

Each password that is needed should be unique. The same passwords should not be used on more than one site or user account.

F. Password Rotation

Passwords should be changed on a regular basis. Passwords should be changed at least every three months.

It is also recommended that if one cannot remember the passwords, then they could be stored online but in an encrypted form. Passwords can be automatically generated.

When changing a password, a previously used password cannot be reused. Each password should be unique to help ensure that someone with knowledge of a previous password will not be able to guess the new one after dissolution of employment.
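
The construction and rotation rules of both policies above, as an added Python example that is not part of the original paper: it checks a candidate password against the stated minimum length (18 for webmail, 16 for home users), the four character classes, and reuse of an earlier password, and reports when the 13-week change is due. The function names, the salted PBKDF2 history format, the work factor, and the sample passwords are assumptions made for illustration.

```python
import hashlib, hmac, os, string
from datetime import date, timedelta

# Minimum lengths stated in the two policies on this page.
MIN_LENGTH = {"webmail": 18, "home": 16}
ROTATION = timedelta(weeks=13)      # webmail policy: change by week 13
PBKDF2_ROUNDS = 200_000             # assumed work factor, not from the page

def hash_password(password, salt=None):
    """Return (salt, digest) so the history is never kept in plain text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def was_used_before(password, history):
    """history holds (salt, digest) pairs of previously used passwords."""
    return any(hmac.compare_digest(hash_password(password, s)[1], d)
               for s, d in history)

def policy_violations(password, profile, history=()):
    """List every rule from the policy that the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH[profile]:
        problems.append(f"shorter than {MIN_LENGTH[profile]} characters")
    classes = {
        "number": string.digits,
        "upper case letter": string.ascii_uppercase,
        "lower case letter": string.ascii_lowercase,
        "special character": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    if was_used_before(password, history):
        problems.append("previously used password")
    return problems

def rotation_due(last_changed, today):
    """True once 13 weeks have passed since the last password change."""
    return today - last_changed >= ROTATION

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    old = "Quarter1#Tutoring2013x"
    history = [hash_password(old)]
    for candidate in (old, "tutoring", "Winter&Desk42#LearnCtr"):
        print(candidate, policy_violations(candidate, "webmail", history))
    print(rotation_due(date(2013, 5, 15), date(2013, 8, 14)))
```

The dictionary-word rule from the home policy is not checked here, since it needs a word list.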

Enforcement

If anyone is found to have violated this policy, they will not be permitted to use these home resources. It is important that these guidelines are always followed.

The password policy example was found at http://www.sans.org/security-resources/policies/Password_Policy.pdf