CMC Group Password Policy

Contents 

Password Policy

1.0 Overview

2.0 Purpose

3.0 Scope

4.0 Policy

4.1 General 

4.2 Guidelines 

5.0 Enforcement 

6.0 Definitions 

7.0 Revision History

Appendix A : Understanding Password Complexity


Password Policy

1.0 Overview

Most computer systems and applications at CMC Group use a login ID and password as the method of authenticating users. A poorly chosen password may result in the compromise of CMC Group’s entire corporate network. As such, all CMC Group employees (as well as contractors and vendors with access to CMC Group systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope 

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any CMC Group facility, has access to the CMC Group network, or stores any non-public CMC Group information. 

4.0 Policy 

4.1 General 

· All user-level passwords must be changed at least once per year.  The recommended change interval is every four months.

· User-level passwords must contain characters from three of the following five categories:

Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)

Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)

Base 10 digits (0 through 9)

Non-alphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/


· All service-level passwords must be changed on at least a quarterly basis.

· User passwords must not be reused.

· User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.

· Passwords must not be inserted into email messages or other forms of electronic communication.

· Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively.

· All user-level and system-level passwords must conform to the guidelines described below.


4.2 Guidelines

A. General Password Construction Guidelines

Passwords must:

· Contain both upper and lower case characters (e.g., a-z, A-Z)

· Have digits and punctuation characters as well as letters

· Be at least eight alphanumeric characters long.

· Not be a word in any language, slang, dialect, jargon, etc.

· Not be personal information, names of family, etc.

Note: See Appendix A at the end of this document for strong and weak password examples.

Passwords are used for various purposes at CMC Group. Some of the more common uses include: user level accounts, system level accounts, web accounts, email accounts, service accounts, voicemail password, and router logins. Everyone should be aware of how to select strong passwords.


B. Password Protection Standards  

Do not use the same password for CMC Group accounts as for other non-CMC Group access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don’t use the same password for various CMC Group access needs. For example, select one password for the CRM systems and a separate password for Windows.

Do not share CMC Group passwords with anyone, including administrative assistants or IT Staff. All passwords are to be treated as sensitive, Confidential CMC Group information.

Do NOT do any of the following:

· Do not reveal a password over the phone to ANYONE

· Do not reveal a password in an email message

· Do not reveal a password to the boss

· Do not talk about a password in front of others

· Do not hint at the format of a password (e.g., "my family name")

· Do not reveal a password on questionnaires or security forms

· Do not share a password with family members

· Do not reveal a password to co-workers while on vacation

· Do not write passwords down and store them anywhere in your office

· Do not store passwords in a file on ANY computer system

If someone demands a password, refer them to this document or have them call someone in the IT Department.

Do not use the "Remember Password" feature of applications (e.g., Chrome, Internet Explorer)

If an account or password is suspected to have been compromised, report the incident to the Support Center immediately.

Password cracking or guessing may be performed on a periodic or random basis by the IT department. If a password is guessed or cracked during one of these scans, the user may be required to change it.

C. Application Development Standards  

Application developers must ensure their programs contain the following security precautions:

· should support authentication of individual users, not groups.

· should not store passwords in clear text or in any easily reversible form.

· should provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.

· should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
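The second development standard above (no clear-text or reversible storage) is the one most often got wrong in practice, so here is a worked illustration of what compliant storage looks like. This is an added example, not CMC Group's code: it uses salted PBKDF2-HMAC-SHA256 from the Python standard library, a constant-time comparison on verification, and a work-factor check so old records can be upgraded at next login. The record format "pbkdf2_sha256$iterations$salt$hash" is this example's own convention; the policy does not prescribe one.

```python
"""Password storage as section 4.2.C requires: never clear text or reversible.

Added example (not CMC Group's code). The stored record is
"pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>", a convention chosen
here so that the salt and work factor travel with the hash.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000        # current work factor; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a record that can be verified later but not turned back into the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh per password: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False                    # malformed record: fail the login, never crash
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored):
    """True if the record was made with an older or weaker work factor and should be redone."""
    try:
        algorithm, iterations, _salt, _digest = stored.split("$")
        return algorithm != ALGORITHM or int(iterations) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    # "Tmb1W>r~" is one of the policy's own Appendix A illustrations.
    record = hash_password("Tmb1W>r~")
    print(record)
    print("correct password verifies:", verify_password("Tmb1W>r~", record))
    print("wrong password verifies:  ", verify_password("Tmb1W>r!", record))
```

On a successful login, an application would call needs_rehash on the stored record and, if it returns True, store a fresh hash_password of the password just verified; that is how a work factor gets raised across a user base without a forced reset.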


5.0 Enforcement 

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.


6.0 Definitions

Application Administration Account: Any account that is for the administration of an application (e.g., SQL database administrator, ISSU administrator).

SNMP: Protocol used in network management systems to monitor network-attached devices for conditions that warrant administrative attention.

System-level passwords: e.g., root, enable, domain admin, application administration accounts, etc.

User-level passwords: e.g., email, web, desktop computer, etc.

TACACS+: Authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks.

RADIUS: A networking protocol that uses access servers to provide centralized management of access to large networks.

X.509: In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

LDAP: An application protocol for querying and modifying directory services running over TCP/IP.


Appendix A : Understanding Password Complexity

Strong passwords have the following characteristics:

· Contain both upper and lower case characters (e.g., a-z, A-Z)

· Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

· Are at least eight alphanumeric characters long.

· Are not a word in any language, slang, dialect, jargon, etc.

· Are not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

NOTE: Do not use either of these examples as passwords!

Poor, weak passwords have the following characteristics:

· The password contains less than eight characters

· The password is a word found in a dictionary (English or foreign)

· The password is a common usage word such as:

Names of family, pets, friends, co-workers, fantasy characters, etc.

Computer terms and names, commands, sites, companies, hardware, software.

The words "cmcgroup", "bowlinggreen", "foodsafety" or any derivation.

Birthdays and other personal information such as addresses and phone numbers.

Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.

Any of the above spelled backwards.

Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
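The category rule in section 4.1, the construction guidelines in section 4.2.A and the weak-password characteristics above are all mechanically checkable, and a checker makes the gaps between them visible (4.2.A effectively demands all four listed categories, which is stricter than 4.1's three-of-five). The following is an added example, not CMC Group's own tooling. It assumes that "eight alphanumeric characters long" means a minimum total length of eight, that the non-alphanumeric set is the one listed in 4.1, and it uses small constructed DICTIONARY and PERSONAL sets in place of a real wordlist and the user's HR record; the pattern check generalises the Appendix A examples (aaabbb, qwerty, zyxwvuts, 123321) to any five-character keyboard or sequence run.

```python
"""Checker for the password rules in sections 4.1, 4.2.A and Appendix A.

Added example, not CMC Group's own code. Assumptions the policy does not state:
- "eight alphanumeric characters long" is read as a minimum total length of 8;
- the non-alphanumeric set is the one listed in section 4.1;
- DICTIONARY and PERSONAL are small constructed samples standing in for a
  real wordlist and the user's own details (names, birthday, phone number).
"""
import unicodedata

MIN_LENGTH = 8
DIGITS = set("0123456789")
NON_ALNUM = set('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')      # section 4.1 list
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
KEYBOARD_ROWS += tuple(row[::-1] for row in KEYBOARD_ROWS)   # typed backwards too

# Constructed samples (Appendix A names the company-related words).
DICTIONARY = {"secret", "password", "welcome", "summer",
              "cmcgroup", "bowlinggreen", "foodsafety"}
PERSONAL = {"alice", "smith", "rex", "19850412"}


def categories(password):
    """Return the set of section 4.1 character categories the password uses.

    unicodedata classifies letters, so accented, Greek and Cyrillic letters
    and sharp-s count as upper/lower case exactly as the policy lists them.
    """
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            found.add("upper")
        elif cat == "Ll":
            found.add("lower")
        elif ch in DIGITS:
            found.add("digit")
        elif ch in NON_ALNUM:
            found.add("symbol")
    return found


def is_weak_word(password):
    """Appendix A: a dictionary or personal word, also reversed or with digits added."""
    base = password.lower()
    stripped = base.strip("0123456789")           # secret1, 1secret -> secret
    candidates = {base, base[::-1], stripped, stripped[::-1]}
    return any(c in DICTIONARY or c in PERSONAL for c in candidates)


def is_simple_pattern(password):
    """Appendix A: patterns like aaabbb, 123321, zyxwvuts or qwerty."""
    p = password.lower()
    if len(p) >= 4 and len(set(p)) <= 2:          # aaabbb, 121212
        return True
    if len(p) >= 4 and p == p[::-1]:              # 123321, abccba
        return True
    for i in range(len(p) - 4):                   # every 5-character window
        window = p[i:i + 5]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):                  # abcde, 54321, zyxwv
            return True
        if any(window in row for row in KEYBOARD_ROWS):   # qwert, asdfg
            return True
    return False


def check_password(password):
    """Return the list of policy findings; an empty list means the password passes."""
    findings = []
    cats = categories(password)
    if len(cats) < 3:
        findings.append(f"4.1: uses {len(cats)} of the character categories, needs 3")
    if len(password) < MIN_LENGTH:
        findings.append(f"4.2: shorter than {MIN_LENGTH} characters")
    if not {"upper", "lower"} <= cats:
        findings.append("4.2: needs both upper and lower case letters")
    if "digit" not in cats or "symbol" not in cats:
        findings.append("4.2: needs digits and punctuation as well as letters")
    if is_weak_word(password):
        findings.append("Appendix A: based on a dictionary word or personal information")
    if is_simple_pattern(password):
        findings.append("Appendix A: keyboard, alphabet or number pattern")
    return findings


if __name__ == "__main__":
    # "TmB1w2R!" is the policy's own illustration; the other candidates are constructed.
    for candidate in ("TmB1w2R!", "secret1", "Qwerty1!", "Alice1985"):
        print(candidate, "->", check_password(candidate) or ["passes"])
```

Run against the four constructed candidates, "TmB1w2R!" passes every rule, "secret1" fails on length, categories and the dictionary rule, "Qwerty1!" meets every construction rule yet is rejected purely for the keyboard run, and "Alice1985" is rejected because stripping the digits leaves a name in the personal list; that last case is the one a pure complexity check misses.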

Passphrases 

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks." A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase:

"The?#>@TrafficOnThe101Was&#!#ThisMorning"

Note: All of the rules above that apply to passwords apply to passphrases.


Password Policy Quick Reference Card

Passwords must:
• Contain both upper and lower case characters (e.g., a-z, A-Z)
• Have digits and punctuation characters as well as letters
• Be at least eight alphanumeric characters long.
• Not be a word in any language, slang, dialect, jargon, etc.
• Not be personal information, names of family, etc.

Do NOT do any of the following:
• Do not reveal a password over the phone to ANYONE
• Do not reveal a password in an email message
• Do not reveal a password to the boss
• Do not talk about a password in front of others
• Do not hint at the format of a password (e.g., "my family name")
• Do not reveal a password on questionnaires or security forms
• Do not share a password with family members
• Do not reveal a password to co-workers while on vacation
• Do not write passwords down and store them anywhere in your office
• Do not store passwords in a file on ANY computer system