Guide 5010 GD.01
Protecting Account Access
|Responsible Office|Information Technology Services|Effective Date|8/01/2011|
|Responsible Official|Chief Information Officer|Revised|3/31/2020|
The objective in protecting account access is to make it as difficult as possible for someone (or some computer program) to guess what you’ve chosen for your access credentials, yet easy enough for you to access your account without writing down your credentials.
Company User ID
Approved Users have been assigned a unique network identification (User ID) that is, essentially, an electronic shorthand for your name. Your User ID and password act as your passport to the company’s network and accounts. Like your name, your User ID is not secret, but your User ID password is SECRET. It is very important that your User ID password be protected. Your User ID and password provide access to sensitive information (personal and company) and are used as authentication credentials for network access. The first User ID task you perform is also one of the most important: choosing a good password.
Requirements for your User ID password:
- Password must have more than 8 characters
- Must contain 2 letters
- Must contain 2 non-letters (either numbers or legal characters)
- Must not contain any of these illegal characters: \ & : < > , ' (backslash, ampersand, colon, less than, greater than, comma and apostrophe)
Best Practice for all passwords
- Use a password that is easy to remember, so you do not have to write it down.
- Use a password with mixed-case alphabetic characters.
- Use a password that has at least eight characters.
- Use at least one punctuation symbol.
- Use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.
- Use your User ID and associated password only with company User ID authenticated systems.
- Choose different IDs and, especially, different passwords with any other systems (i.e. personal use).
What NOT to Use
- Do not use your login name in any form (as-is, reversed, capitalized, doubled, etc.).
- Do not use proper names (especially not your own nor that of your significant other, mother or child). This includes all first and last names as well as geographical locations.
- Do not use your initials or those of anyone close to you.
- Do not use other information easily obtained about you. This includes your phone number, social security number, birth date, the brand of your automobile, the name of the street you live on, etc.
- Do not use a word contained in (English or foreign language) dictionaries, spelling lists, or other lists of words.
- Do not attempt to be clever and make your password a derivation (reversed, as-is, shifted by a few characters, a simple substitution code, doubled, etc.) of your account name or your first or last name.
- Do not use a password that is so difficult for you to remember that you will forget it if you do not write it down.
- Do not reuse any passwords that you have used previously.
- Use different passwords on different systems.
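A checker for the User ID password requirements and the login-name rules under "What NOT to Use", as an added example (not the company's or ITS's own code). The function names, the substitution table and the sample values are assumptions made for illustration.

```python
# Characters the guide lists as illegal in a User ID password.
ILLEGAL = set("\\&:<>,'")

# Assumed table of common "simple substitution" swaps (not from the guide).
LEET = str.maketrans("013457@$", "oleastas")


def login_name_forms(user_id):
    """Login-name forms the guide rules out: as-is and reversed.
    Capitalized and doubled forms are caught by the case-insensitive
    substring match in check_password()."""
    u = user_id.lower()
    return {u, u[::-1]}


def check_password(password, user_id):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    letters = sum(c.isalpha() for c in password)
    # Only numbers and legal characters count toward the non-letter rule.
    non_letters = sum(1 for c in password
                      if not c.isalpha() and c not in ILLEGAL)
    if len(password) <= 8:
        problems.append("must have more than 8 characters")
    if letters < 2:  # "2 letters" is read here as "at least 2"
        problems.append("must contain 2 letters")
    if non_letters < 2:
        problems.append("must contain 2 non-letters")
    bad = sorted(ILLEGAL & set(password))
    if bad:
        problems.append("contains illegal characters: " + " ".join(bad))
    # Compare the lower-cased password, with and without substitutions undone.
    folded = password.lower()
    candidates = (folded, folded.translate(LEET))
    if user_id and any(form in text
                       for form in login_name_forms(user_id)
                       for text in candidates):
        problems.append("contains the login name or a derivation of it")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pw in ("Tr41l-mix9", "JSmith2020!", "htimsj#4821", "j5mith##99x", "ab:1"):
        print(pw, "->", check_password(pw, "jsmith") or "OK")
```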
Guidance on keeping your User ID and other passwords safe
- Do not give out your password to anyone including IT staff or your supervisor. Do not share your account with anyone or let anyone else use your account.
- Do not write down your password on paper or store it on a computing device. (It can be a help to write down your password for a few days when you have just changed it – keep any such copy in your wallet or purse and discard it as soon as you have memorized your new password.)
- Do not use your User ID password as a password for another computer system, such as your ATM card PIN number or as your password to a website on the Internet.
- Do not let anyone see you type in your password. Stop typing if you notice someone watching you. Make sure your password is not being displayed on your screen as you type.
- Be wary of any program or web page that asks you for your User ID password. Secure web pages that ask you for your User ID password will have URLs that begin with “https://”. Your browser (e.g., Edge, Chrome, Firefox) should visually indicate (icon of a closed padlock) that you are on a secure page. If you are being prompted for your User ID password from a particular web page that you do not recognize or if the page appears different from the screen you are familiar with, contact ITS to verify the authenticity of the page.
- Do not enter your passwords when using insecure protocols (e.g. programs that transmit user account and password information unencrypted) over unsafe networks.
- If your User ID password has been compromised, contact the Help Desk. The first security measure the Help Desk will usually recommend will be to change your password, but the ITS Department will also want to determine how the account and password were compromised, the impact of the exposure and whether to investigate further.
Multi-Factor Authentication (MFA)
Software-specific policies require the use of Multi-Factor Authentication (MFA). This requirement adds another layer of protection to limit unauthorized access to our systems. These policies vary by position/role and include (but are not limited to) systems such as:
- Computer/Email Access (Microsoft Office 365)
- Password/Encryption Manager (LastPass)
Password Encryption Managers
Yet another layer of security provided by position/role is the use of encrypted password managers. The software used by the company easily allows for the organized storage and creation of complex/secure passwords.
Limited Access to Systems Outside of Network
Due to the ever-increasing attempts to gain unauthorized access to systems, the company has limited the ability for some systems to be accessible from outside of our internal networks (i.e. via web portals). This potential inconvenience greatly reduces our exposure from outside attempts to gain unauthorized access to said systems.
The official version of this information will only be maintained in an on-line web format. Any and all printed copies of this material are dated as of the print date. Please make certain to review the material on-line prior to placing reliance on a dated printed version.