STANDARD NAME Security Passphrase Standards STANDARD NUMBER 15.01.01 STANDARD SECTION Information Technology EFFECTIVE DATE 8/11/2014

1.0 OVERVIEW AND PURPOSE

The purpose of this document is to provide direction and present best practice for the creation of strong passwords, the management and protection of those passwords, and the frequency of change.

2.0 SCOPE

Where technically feasible, all Lamar University Information Resources that utilize a password/passphrase as a security protocol.

3.0 DEFINITIONS

Password - a string of characters which serves as proof of a person's identity and which may be used to grant or deny access to private or shared data.

Passphrase - a password that is not easily guessed. It is normally constructed of a sequence of characters, numbers, and special characters, depending on the capabilities of the operating system. Typically, the longer the passphrase, the stronger it is. It should never be a name, a dictionary word in any language, an acronym, a proper name, a number, or be linked to any personal information such as a birth date, social security number, and so on. The term passphrase will be used for the rest of the document.

Service Account, LDAP Bind Account, Application Account - a user account that is created explicitly to provide a security context for applications or services. Typically, service accounts are provisioned local to the system and application accounts are provisioned in the central directory. Bind Accounts are LDAP-specific application accounts used for LDAP authentication and query mechanisms.

Standard User Accounts - a standard user account lets a person use most of the capabilities of the computer/application/system. Standard accounts can use most programs that are installed on the computer, but cannot install or uninstall software and hardware, delete files that are required for the computer to work, or change settings on the computer that affect other users.

Privileged User Accounts - a user account that can make changes that will affect other users, e.g. administrators. Privileged user accounts can change security settings, install software and hardware, and access all files on the computer/system/application. Privileged user accounts can also make changes to other user accounts.


4.0 STANDARD

Passphrases are commonly used in authentication processes to establish the user's identity. Strong passphrases are essential in preventing the abuse and misuse of the identity associated with the passphrase. The following table establishes standards based on type of account.

Passphrase Complexity
  Standard User Account: Passphrases must contain:
    1. minimum length of 10 alphanumeric characters
    2. mix of upper and lower case characters with at least one upper case character
    3. at least 1 number
    4. at least one special character. Special characters include but are not limited to: ( ! @ # $ % ^ & * _ + = ? / ` ; : , < > | \ )
    5. passphrases must be changed at least every 90 days
    6. if the application, system or process requires stored passphrases to be de-cryptable, then the password must be encrypted with AES 128 bit or higher prior to storage
    7. non-reversible stored passphrases must be hashed with MD5 or higher such as SHA1-SHA512
  Privileged User Account: In addition to meeting all requirements of the Standard User account, passphrases must contain:
    1. minimum length of 12 alphanumeric characters
    2. at least 4 numbers
  Application, LDAP, or Service Account: In addition to meeting all requirements of the Standard User account, passphrases must contain:
    1. minimum length of 20 alphanumeric characters

Passphrase History
  Standard User Account: Passphrases must not be reused for a period of one year.
  Privileged User Account: Same as Standard User Account.
  Application, LDAP, or Service Account: Same as Standard User Account.

Passphrase Change Frequency
  Standard User Account: 90 days
  Privileged User Account: 120 days
  Application, LDAP, or Service Account: 1 year

Passphrase Storage
  Standard User Account: Applications, systems or processes that require stored passphrases to be de-cryptable must encrypt passwords with AES 128 bit or higher prior to storage. Non-reversible stored passphrases must be hashed with MD5 or higher such as SHA1-SHA512.
  Privileged User Account and Application, LDAP, or Service Account: Same as Standard User Account.

Example
  Standard User Account: Standard LEA accounts issued to faculty, staff and students.
  Privileged User Account: Desktop Administrators, Domain Administrators, Enterprise Administrators, Application Administrators, "root" user.
  Application, LDAP, or Service Account: LEA accounts created within the namespace of srv_, svc_, bind_.

Effective Date
  Standard User Account: Standard publication date
  Privileged User Account: July 1, 2015
  Application, LDAP, or Service Account: July 1, 2015
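As an added illustration (not part of the standard, and not Lamar University code), the following Python checker applies the Passphrase Complexity and Passphrase Change Frequency rows above to a candidate passphrase. The tier detection from the srv_/svc_/bind_ naming prefixes is taken from the table's Example row; the function names, the ACCOUNT_RULES structure and the sample inputs in the test are this example's own assumptions. The Passphrase History and Passphrase Storage rows are not implemented here.

```python
"""Passphrase rule checker for the three account tiers in the table above.

Added example; not part of the standard itself. Tier detection from the
srv_/svc_/bind_ prefixes follows the table's "Example" row; every other
name here (ACCOUNT_RULES, the function names) is an assumption of this
example, not something the standard defines.
"""
import re
from datetime import date, timedelta

# Special characters the standard lists explicitly. The list is "not limited
# to" these, so the check below accepts any non-alphanumeric character and
# this set only documents the listed ones.
LISTED_SPECIALS = set("!@#$%^&*_+=?/`;:,<>|\\")

# Per-tier values from the Complexity and Change Frequency rows. The
# upper/lower/special requirements are the same for every tier, so only
# length, digit count and maximum age vary.
ACCOUNT_RULES = {
    "standard":    {"min_length": 10, "min_digits": 1, "max_age_days": 90},
    "privileged":  {"min_length": 12, "min_digits": 4, "max_age_days": 120},
    "application": {"min_length": 20, "min_digits": 1, "max_age_days": 365},
}

# Namespace prefixes of application/service/bind accounts (Example row).
APPLICATION_PREFIXES = ("srv_", "svc_", "bind_")


def account_tier(username, is_privileged=False):
    """Classify an account by tier.

    Application accounts are recognised by their naming prefix. Privileged
    status is passed in explicitly because it depends on group membership
    (Domain Admins, root, ...) that the username alone does not reveal.
    """
    if username.lower().startswith(APPLICATION_PREFIXES):
        return "application"
    return "privileged" if is_privileged else "standard"


def check_complexity(passphrase, tier):
    """Return the list of violated complexity requirements for the tier.

    An empty list means the passphrase satisfies every rule in the row.
    """
    rules = ACCOUNT_RULES[tier]
    failures = []
    if len(passphrase) < rules["min_length"]:
        failures.append(f"shorter than {rules['min_length']} characters")
    if not re.search(r"[A-Z]", passphrase):
        failures.append("no upper case character")
    if not re.search(r"[a-z]", passphrase):
        failures.append("no lower case character")
    digits = sum(ch.isdigit() for ch in passphrase)
    if digits < rules["min_digits"]:
        failures.append(f"fewer than {rules['min_digits']} numbers")
    if not any(not ch.isalnum() for ch in passphrase):
        failures.append("no special character")
    return failures


def passphrase_expired(last_changed, tier, today):
    """True once the passphrase is older than the tier's change frequency."""
    max_age = timedelta(days=ACCOUNT_RULES[tier]["max_age_days"])
    return today - last_changed > max_age


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts or credentials.
    for user, priv, pw in [("jdoe", False, "Tr0ub4dor&3x"),
                           ("jdoe", True, "Tr0ub4dor&3x"),
                           ("svc_backup", False, "Tr0ub4dor&3x")]:
        tier = account_tier(user, priv)
        print(user, tier, check_complexity(pw, tier) or "compliant")
```

The same passphrase can be compliant for a standard account and fail for a privileged or application account purely on the tier-specific length and digit-count rules, which is the point of tiering the table; the "no dictionary word / no personal information" guidance from the Passphrase definition needs a word list and HR data and is deliberately out of scope for this checker.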


5.0 RELATED DOCUMENTS

LU Security Passphrase Policy

Texas Administrative Code 202

6.0 REVISION AND RESPONSIBILITY

Oversight Responsibility: Information Technology

Review Schedule: Every two years

Last Review Date: August 11, 2014

Next Review Date: August 11, 2016

7.0 APPROVAL

Priscilla Parsons, Chief Information Officer, Lamar University

Date of Approval: August 11, 2014

8.0 REVISION HISTORY

Revision Number | Approved Date | Description of Changes

1 | 8/11/2014 | Initial Version

2 | 1/19/2016 | Amended numbering convention by replacing "10.02.02" with "15.01.01."

3 | 06/30/2017 | Amended Section 5.0 by adding hyperlink to Texas Administrative Code 202
